This post is the third part of a four-part series on the LulzSec hackers. Our first entry, titled “Awareness Pains: How the LulzSec hacks influence security awareness,” gave a broad overview of the group, outlining their scheme and how companies and organizations were made aware of their shortcomings. Our second entry was the first of our three-part case studies, and it focused on the Public Broadcasting Service (PBS). This entry deals with the reaction of the Federal Bureau of Investigation's InfraGard group and Unveillance, a security company. Our next installment will spotlight the effects of LulzSec on the Sony Corporation. Today we delve deeper into the LulzSec fiasco. Our second case study looks into InfraGard and Unveillance and their experience with the LulzSec hackers. We will look at how they operated before the attacks, what happened to them during the attacks, and what they have done since the attacks to boost their defenses against future hackers.
The website for the Atlanta chapter of InfraGard, an organization that fosters information sharing between the FBI and civilian groups, was hacked, and its user base was stolen. LulzSec used known vulnerabilities to attack the web server. Patches were available that could have prevented the attack, but some of the InfraGard servers did not have the latest patches in place, allowing LulzSec to obtain unauthorized access to the web server and the user base of InfraGard members.
A more rigorous patch management policy, and adherence to that policy, could have saved InfraGard much grief. When vulnerabilities are discovered, it is likely that hackers will try to exploit them, so it is crucial for organizations to keep their servers up to date with the latest patches that address these vulnerabilities.
Unveillance was compromised because the owner of the company used the same password for his InfraGard account, Gmail account, and Unveillance account, so the attackers were able to take the credentials they compromised in the InfraGard attack and use them to infiltrate Unveillance as well. According to LulzSec’s claims about how the attack took place, the owner of Unveillance could have prevented the exploitation of his company by using different passwords for his business account and personal accounts. After the PBS attack and others that used similar techniques, it should have been clear, especially to a security company, that using the same password for multiple accounts is dangerous, but it appears that the lesson has still not been learned. Enact a password policy, make employees aware of it and ensure they understand it, and perform periodic audits to measure compliance with the policy.
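One way to audit for the reuse described above, as an added example that is not part of the original post: once a third-party breach becomes public, check whether any of your own accounts still use the password leaked for the same e-mail address. The PBKDF2 storage scheme, the function names, and all accounts and passwords below are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: local store uses salted PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def index_leak(records):
    """Group leaked passwords by normalised e-mail address."""
    index = {}
    for email, password in records:
        index.setdefault(email.strip().lower(), set()).add(password)
    return index


def find_reused(store, leak_index):
    """Return local accounts whose current password appears in the leak
    for the same e-mail address. store maps email -> (salt, hash)."""
    flagged = []
    for email, (salt, stored) in store.items():
        for candidate in leak_index.get(email.strip().lower(), ()):
            # Re-hash with the account's own salt; constant-time comparison.
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                flagged.append(email)
                break
    return sorted(flagged)


def make_store(accounts):
    """Build a salted hash store from (email, password) pairs (sample data only)."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email] = (salt, hash_password(password, salt))
    return store


# Constructed sample data: not real accounts or real leaked credentials.
LOCAL_ACCOUNTS = [
    ("alice@example.com", "Tr0ub4dor&3"),           # same password as in the leak
    ("bob@example.com", "correct horse battery"),   # differs from the leaked one
    ("carol@example.com", "Winter2011!"),           # address not in the leak
]
LEAKED_RECORDS = [
    ("Alice@Example.com", "Tr0ub4dor&3"),
    ("bob@example.com", "hunter2"),
    ("dave@example.org", "Winter2011!"),
]

if __name__ == "__main__":
    print(find_reused(make_store(LOCAL_ACCOUNTS), index_leak(LEAKED_RECORDS)))
```

Flagged accounts are candidates for a forced password reset; the audit never needs the local passwords in plaintext, only the stored salts and hashes.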
In our first post about LulzSec we presented a broad overview of the group and what they did, as well as what was done in response to their attacks. In this case study, we took that theory and applied it to specific organizations. We looked at the FBI's InfraGard and Unveillance and how they dealt with the attacks made by LulzSec. We will be back with our third and final case study. We will concentrate on the Sony Corporation and show how they responded to the attack that LulzSec thrust upon them.