Only a day after they leaked the details of over one million user accounts and various databases of Sony Pictures and some of its regional sites, LulzSec announced a successful attack against the Atlanta chapter of InfraGard, a non-profit organization that has ties with the FBI.
They defaced its website and stole a list of 180 logins from its user database. The list contained the users’ email addresses, usernames, real names and hashed passwords. But the hashing didn’t help, since the hackers managed to crack most of the passwords and publish them.
“Considering LulzSec was able to decrypt them it would imply that the hashes were not salted, or that the salt used was stored in an insecure manner,” comments Sophos’ Chester Wisniewski. “One interesting point to note is that not all of the users’ passwords were cracked… Why? Because these users likely used passwords of reasonable complexity and length. This makes brute forcing far more difficult and LulzSec couldn’t be bothered to crack them.”
An additional problem for those users is that some of them use the same password for other online services – including web-based email.
Among those is Karim Hijazi, CEO of Unveillance, a private botnet monitoring service. His password gave LulzSec access to his personal Gmail account and that of his company, which they used to steal the stored emails and briefly take over some of their assets.
According to LulzSec, they then contacted Hijazi and told him what they had done. “After a few discussions, he offered to pay us to eliminate his competitors through illegal hacking means in return for our silence,” claim the hackers.
“We call upon journalists and other writers to delve through the emails carefully, as we have uncovered an operation orchestrated by Unveillance and others to control and assess Libyan cyberspace through malicious means: the U.S. government is funding the CSFI to attack Libya’s cyber infrastructure. You will find the emails of all 23 people involved in the emails,” they offer. “Unveillance was also involved in a scheme where they paid an Indian registrar $2000 to receive 100 domains a month that may be deemed as botnet C&Cs. Shameful ploys by supposed ‘whitehats’.”
Hijazi was quick to respond with an official statement on the Unveillance site. “Over the last two weeks, my company, Unveillance, has been the target of a sophisticated group of hackers now identified as ‘LulzSec’,” he said. “During this two-week period, I was personally contacted by several members of this group who made threats against me and my company to try to obtain money as well as to force me into revealing sensitive data about my botnet intelligence that would have put many other businesses, government agencies and individuals at risk of massive Distributed Denial of Service (DDoS) attacks.”
“In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities.”