A hacker group has claimed it has attacked the Sony network and stolen more than one million passwords, email addresses and other information.
In April, hackers broke into Sony’s PlayStation Network and stole data from more than 77 million accounts. That attack was considered the biggest in internet history and led to Sony shutting down the PlayStation Network and other services for almost a month.
The company has estimated the data breach will result in a $170m (£104m) hit to its operating profit.
Since then, Sony’s networks have become targets for hackers and the company has confirmed at least four other break-ins prior to the claimed attack on Sony Pictures.
Lulz Security claims to be behind one of those attacks: an assault on Sony Music Japan.
The latest alleged attack will come as a blow to the Japanese firm, 24 hours after it announced the PlayStation Network would be fully restored in the US and Europe, and said it had beefed up its security systems.
‘Asking for it’
In a statement on Thursday, Lulz Security said it had hacked into a database that included unencrypted passwords as well as names, addresses and dates of birth of Sony customers.
"From a single injection, we accessed EVERYTHING," it said. "Why do you put such faith in a company that allows itself to become open to these simple attacks?"
"What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plain text, which means it’s just a matter of taking it.
"This is disgraceful and insecure: they were asking for it."
The group also recently claimed responsibility for hacking the website of the PBS network and posting a fake story in protest at a news programme about WikiLeaks.
– BBC News
Uriminzokkiri, a North Korea propaganda site, early this week blamed “South Korea’s extreme right-wingers” for a cyber attack that disrupted its website last weekend. The China-based site claimed the hackers were trying to stop its “influence from spreading.”
“They should stop acting recklessly and think carefully about a grave consequence that could be caused by their mean acts,” it warned.
On January 8, the day widely believed to be Kim Jong Eun’s birthday, pictures and messages that derided the Kim dynasty were posted by hackers on the website as well as the related Twitter account. Meanwhile, a video clip making fun of the younger Kim was posted on YouTube.
Dcinside.com, a Seoul-based internet website, claimed responsibility.
“Some of our users did that in retaliation for a DDOS (denial of service) attack on our site on January 6,” said Kim Yoo-sik, who runs the site. “It is unclear whether it was done by North Korea or a group of North Korea sympathizers inside South Korea.”
Right after the attack disabled his site for 30 minutes, he posted a statement on the front page that said “Jong Il, Jong Eun, Come out, Let’s fight!” in order to show “a strong willingness not to back down at least in cyber world.”
The site, with daily visitors of 1.3-1.5 million, started in 1999 as a small web forum for digital camera users, but now has more than 1,400 boards for free discussion on topics ranging from North Korea and politics to entertainment.
Mr. Kim said he sees a change towards North Korea among site users. “Since the Yeongpyeong attack, people have become more fearful but also furious about what happened. They wanted to show their feelings through this cyber attack” (on the North Korea site), he said.
The North Korea site denied the accusation that it attacked dcinside.com, saying that while the South Korean site was misleading public opinion, Uriminzokkiri is not a “childish” group that “invades other’s websites or does hacking for fun.”
Meanwhile, the four Tweets posted by hackers from the South Korean site are strangely still available at the time of writing. One of them says “Let’s kill senile Kim Jong Il and tyrannical offspring pig Kim Jong Eun with one stroke of our sword, so that we can eat rice and meat soup and live as happily as people in the South.”
- Wall Street Journal
Attackers are constantly changing their tactics and adapting to what the security community and researchers are doing, and it’s not unusual for the bad guys to adopt techniques used by their adversaries. The latest example of this is a malware gang that has deployed what amounts to a honeypot designed to monitor the activity of researchers or other attackers who try to access a command-and-control server.
While researching a piece of malware related to the Zeus botnet, a group of researchers at The Last Line of Defense gained access to a remote server used to help control the attack. This particular attack was sending out huge amounts of spam throughout October, specifically targeting business owners who file quarterly taxes. Known as the EFTPS malware, the spam included a link that sent victims to a site that loaded the Zeus Trojan on their machines and then forwarded them to the actual site at the Treasury Department that handles these payments.
But the interesting part is what the researchers found when they accessed the back-end server: a fake administrative console. Many, if not most, large-scale malware campaigns now have some kind of admin interface on a remote server that enables the attackers to log in and access statistics on infections, geographic distribution of compromised PCs and other measurements. And researchers have been able to access these consoles on a number of occasions, mining them for key intelligence on the attackers behind the malware and how the attack works.
But in this case, the attack crew apparently anticipated this and set up a phony login interface, complete with weak username and password and a simple SQL-injection vulnerability. The console clearly is meant to attract researchers, and perhaps other attackers, to poke around and allow the crew behind EFTPS to observe their movements and methods.
“This admin interface acts as a ‘hacker honeypot’ that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it. The fake login system conveniently accepts default/easily guessed credentials and common SQL injection strings. After the researcher/hacker is ‘authenticated’, they are shown random exploit statistics,” the Last Line of Defense researchers said in a blog post.
The admin console also has a feature that allows remote users to upload new “bots,” a tactic evidently designed to entice other attackers to try and compromise the server so the EFTPS crew can get a read on what they’re up to.
Legitimate security researchers have been using honeypot systems for years now and they have become a key tool for gathering information on new exploits, attack techniques and botnet research. The most prominent example is The Honeynet Project, a network of volunteers around the world who maintain complex honeypots and publish a lot of research based on what they collect and observe.
(Source: Threat Post)
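The decoy login behaviour the researchers describe, sketched as an added example (not code from the article or from the EFTPS console): every attempt is recorded, and default credentials or common SQL injection strings are "accepted" and answered with random statistics. The credential list, the regex, the field names and the sample addresses are assumptions constructed for illustration.

```python
import json
import random
import re
from datetime import datetime, timezone

# Constructed for illustration: easily guessed pairs a decoy would accept.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"),
                 ("root", "root"), ("test", "test")}

# Constructed heuristic for common injection strings (quote + OR/AND
# tautology, SQL comment markers, UNION SELECT). Not an exhaustive detector.
SQLI_PATTERN = re.compile(
    r"""['"]\s*(?:or|and)\s+['"\w]+\s*=\s*['"\w]+|--|/\*|\bunion\s+select\b""",
    re.IGNORECASE,
)


def classify_attempt(username, password):
    """Label a login attempt as an injection probe, a default guess, or other."""
    if SQLI_PATTERN.search(username) or SQLI_PATTERN.search(password):
        return "sql_injection"
    if (username.lower(), password) in DEFAULT_CREDS:
        return "default_credentials"
    return "other"


def handle_login(username, password, source_ip, user_agent, log, rng=random):
    """Record who knocked, then 'authenticate' anyone who guessed or injected."""
    label = classify_attempt(username, password)
    log.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "src": source_ip,
        "ua": user_agent,
        "user": username,
        "label": label,
    }))
    if label == "other":
        return {"authenticated": False}
    # Nothing real sits behind the login: the figures shown are random.
    return {"authenticated": True,
            "stats": {"infections": rng.randint(1000, 50000)}}
```

For anyone examining such a console, the record is the point: a login that yields to the first guess or the first injection string has already logged the visitor before showing anything.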