As promised, here is the first case study regarding the events surrounding the Lulzsec group. If you are reading that and wondering what we mean take a look at our blog entry titled “Awareness Pains: How the LulzSec hacks influence security awareness.” That entry will give you a foundation as to what approach we are taking concerning the LulzSec group. The attack that we will focus on specifically was the attack on the Public Broadcasting Service or PBS. Today we will focus on the specifics of the attack, the preparedness of the corporation attacked, and finally their response to the attack along with the prevention of future attacks.
On May 30, 2011, the LulzSec group attacked and hacked into the PBS website. They claimed that the motive behind their attack was in retaliation to a documentary that PBS published called “Wikisecrets.” The hack included putting a nyan cat on the website along with publishing a story about the deceased rapper, Tupac Shakur. PBS worked diligently to right the false stories published on their website, but that the fake stories remained live on their website for hours. In addition to the fake stories, LulzSec also exposed the information and passwords of many officials within the PBS Corporation. David Fanning, executive producer at Frontline, considered the attack a “disappointing and irresponsible act” but little has been said on how PBS is addressing the methods used by LulzSec to infiltrate the site. PBS has a section of its site dedicated to hackers. The irony is that the information about hackers and the culture of hacking titled “Frontline” is dated to 2001, and when PBS attempted to post a response to the attack, LulzSec prevented them from making the post.
Unfortunately, what should have been an eye-opener for the company appears to have had little effect. Instead, PBS and other corporations should look at maintaining their security systems to the highest spec available or hiring an outside firm to assure themselves and their investors that nothing like this will happen again. LulzSec obtained access to PBS’s servers because the usernames and passwords used for administration of the web servers were also used for other activities in less secure areas. Attackers gathered usernames and passwords from home directories on other network computers and used those usernames and passwords to gain access to the web server. We can all learn from this. Administrative usernames and passwords should be different from standard user credentials to minimize the potential threat a compromised user account presents to the company, and personal and business credentials should not use the same password. Review your password policy, educate employees, and consider an audit to verify compliance with the policy.
In this case study, we focused on the perils afflicted to the Public Broadcasting Service by LulzSecurity. We talked about what happened to the corporation and the response to the attack. Finally, we discussed the specifics of the attacks, but more importantly, the lack of a new security plan put in place by PBS due to the attacks to prevent the attacks from happening again by LulzSec or another hacking group.
Thank you for reading through this case study. Stay tuned to our blog to get our next case study regarding the hack of the Federal Bureau of Investigation Infraguard group and Unveillence.