Lulzsecurity hacks Infragard-Atlanta/Unveillance

Last night, a hacking group by the name of Lulzsecurity hacked a private company called Infragard. Infragard contracts with a bunch of government agencies like the FBI, the DoD, and multiple intelligence agencies. Supposedly the big thing that Infragard was working on for the DoD was trying to take control of compromised Libyan computers and set up a command and control interface for a botnet. Infragard had a lot of other contracts with government agencies, consulting on security practices.

So, was this an ultra-sophisticated hack? A company that consults with the NSA and US-CERT (United States Computer Emergency Readiness Team) must have had multiple redundant layers of security with eyeball scanners and a cool device that reads your handprint to grant authorization? Nope. Not at all. They were hacked with a SQL injection attack. (This sort of hack works against websites that build their database queries out of whatever the visitor sends. You enter a specially crafted URL and the database starts dumping information … usernames/passwords, the whole shebang.) Okay okay, so SQL injection attacks happen to even the best of them. What gives?

Infragard recycled the root (administrator) password multiple times in their system. Hey, maybe they were rushed when setting up the website? The owner of the company, Karim Hijazi, used the same password for his Gmail account and his own private white-hat company, Unveillance. Once they got that one password, the entire business was compromised. 700MB of emails were released by Lulz, including private correspondence between employees and government agencies.
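The SQL injection described above, as an added example that is not from the original post or from anyone involved: a lookup that pastes a request value into the SQL text, next to the parameterized form that closes the hole. The table, names, hash strings and request value are constructed for illustration, and SQLite stands in for whatever database the site actually ran.

```python
import sqlite3


def make_db():
    """Build a tiny in-memory users table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    db.executemany(
        "INSERT INTO users (name, pw_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("root", "hash-r")],
    )
    return db


def lookup_vulnerable(db, name):
    # The request value becomes part of the SQL text itself, so a quote
    # character in it can rewrite the WHERE clause.
    sql = "SELECT name, pw_hash FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, name):
    # The value is bound as data; the structure of the query cannot change.
    return db.execute(
        "SELECT name, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed request value: it closes the string literal and adds a condition
# that is always true, turning a one-row lookup into a dump of the table.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("string-built query:", lookup_vulnerable(db, CRAFTED))
    print("parameterized query:", lookup_parameterized(db, CRAFTED))
```

The string-built query hands back every row, password hashes included, while the parameterized one treats the same input as an odd username and returns nothing. That is why a single reused password behind such a query is enough to lose everything else.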

This leak of emails gives an interesting look at how the government deals with computer security. A lot of it is outsourced to private corporations. What’s interesting is that Infragard/Unveillance runs a pretty large botnet. Botnet as in “what only dirty Russian hackers use to steal credit card numbers and DDoS people.” Hijazi registered 100 Indian domain names to control his botnet from seemingly outside of the USA. Evidently the DoD is very interested in bringing down the Libyan internet and cyber infrastructure. However, they don’t want to take responsibility for it, and want to pass off control of it to another country. Hey, maybe the government is learning that it’s a bitch to occupy foreign states!

An analogy for the way Lulz brought down Infragard: suppose Infragard is the computer Tom Cruise needs to access in Mission Impossible. Instead of having to create a diversion, climb through air vents, do the ropey/gymnastics thing, and get out of there without raising the temperature a single degree, Tom Cruise found the computer operator’s ID card with his password written on the back, walked in because the door was unlocked (the operator was taking a nap), copied the data, drank a cup of coffee, checked his Gmail, and strolled out. We taxpayers are paying tons and tons of money to corporations like Infragard. If they can’t prevent someone from basically stealing all of their data because they left their back door unlocked, how are we supposed to trust them with anything sophisticated?

P.S. The owner of Infragard, a fellow by the name of Karim Hijazi, had an interesting reaction to being completely owned in the hack. When members of Lulzsecurity contacted Karim, he offered to pay $ and use his influence with the F.B.I. to bribe Lulzsecurity into hacking his competitors in the government-contracted security scene. The members of Lulzsecurity didn’t go for it. Extortion is not a tactic of groups like this. Knowing that Hijazi has F.B.I. and DoD contacts and influence, how far do you think they’d get trying to extort him? What, they’re going to give him their addresses so he can mail them a check? Blackhat hackers just don’t do the whole extortion thing. They go after whitehats; it’s what they do. Karim Hijazi has a lot of privileged government info. He’s the first to offer to try to partner up with Lulz, even offering freaking F.B.I. alerts if they don’t release the emails/info. This guy seems willing to turn on his fellow whitehat hackers, so how much would it take for him to turn on the government himself? I guess integrity isn’t one of his virtues. Yes, Lulzsecurity did a *bad* thing, but the fact that Hijazi was even willing to talk about releasing classified government info makes me question his motives. It doesn’t really matter if Lulz tried to extort Hijazi or not; the offer to share F.B.I. info with, of all people, blackhat hackers just sends up a whole bunch of warning flags. Be safe out there on the Interwebz!

http://twitter.com/#!/lulzsec <- Twitter feed for Lulzsec
http://pastebin.com/MQG0a130 <- The original doc from Lulzsec detailing the hack, download links, etc
http://www.unveillance.com/latest-news/unveillance-official-statement/ <- Statement from Hijazi
http://pastebin.com/AjVd0L9E <- Counter-statement from Lulz
