How Lulzsec cracked MilitarySingles.com
24th May 2012 | 14:30
And the price you and other people pay for letting go of your data…
How MilitarySingles was hacked
A military dating site attacked by hackers in March had serious security flaws, a report has found.
MilitarySingles.com, whose users' details were dumped online by Lulzsec hacktivists, failed to prevent the upload of malicious user content and did not properly encrypt its password database, according to data security company Imperva.
The report concludes that user-generated content is not just the lifeblood of the modern internet but also its Achilles' heel.
But Rob Rachwald, the company's director of security strategy, says the methods and aims of the hackers reflect those of major firms like Google and Facebook.
As Facebook stock flows into the public market, trading on the value of users' personal details, hackers are placing their own price on the vast quantities of data that internet companies hold.
"I have a bunch of geeks working for me that like to do this kind of thing," says Rachwald, a 42-year-old Californian who got into security when he saw Intel design specifications being sold in the streets of Taipei for $300 apiece.
"Some people like to go to the movies, some people like to read a book, and some people like to hack."
On March 26 this year, hackers under the banner of Lulzsec – an offshoot of the broad-church pseudo-movement known as Anonymous (Rachwald calls it a "global disorganisation") – dumped over 170,000 account details online.
The first Lulzsec was responsible for a wave of online attacks last year, but had gone quiet after a leading member, Sabu, was co-opted as an FBI informant, leading to the arrest of three comrades. Now, apparently, it's back – or someone using its name.
Rachwald's "geeks" probed the MilitarySingles website ("using fully legal means," he notes) and found a series of vulnerabilities which made it easy to sneak malware onto its servers.
Central to the hack, Rachwald claims, was a method called Remote File Inclusion. RFI involves getting malicious code onto a web server by disguising it as, or attaching it to, legitimate user content.
In Web 2.0 applications, Rachwald says, users uploading content can't be avoided. "Imagine a Facebook where you couldn't send photos, or email where you couldn't exchange attachments," he says.
MilitarySingles had a filter to stop this happening. In theory, only picture files like JPEGs, GIFs and PNGs would be accepted. But the filter looked at the file extension, not the file itself, meaning a name like 'malware.php.jpg' would get through.
The filter was also programmed to check the metadata that users' browsers submit about the type of content being uploaded. But because that data is set by the user's own computer, the hackers were able to tamper with the upload after it left their machine by routing the file through a proxy, and so trick the filter into accepting it.
Imperva was able to find records of rogue PHP files uploaded to the MilitarySingles file server.
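The two checks the article describes, beside a check that looks at the uploaded bytes rather than the name or the browser's label. This is an added illustration in Python, not code from the article or from Imperva's report; the file names, sample bytes and allowed-format lists are constructed for the example.

```python
# Added example: the filter the article describes versus a content-based one.
import os
import secrets

ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}
ALLOWED_MIME = {"image/jpeg", "image/gif", "image/png"}

# Leading bytes of the three formats the site meant to accept.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Constructed samples: a minimal JPEG header, and a PHP file given a picture name.
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12
PHP_AS_JPEG = b"<?php echo 'not a picture'; ?>"

def weak_accepts(filename, content_type):
    """The site's filter: trailing extension plus the browser-supplied
    Content-Type. Both values are chosen by the uploader, so this passes
    'malware.php.jpg' sent with a forged 'image/jpeg' label."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED_EXT and content_type in ALLOWED_MIME

def strict_accepts(filename, content_type, data):
    """Reject double extensions, ignore Content-Type entirely, and require
    the file's first bytes to match an allowed image format.
    Returns a server-chosen storage name on success, otherwise None."""
    del content_type                      # deliberately unused: client-controlled
    name, ext = os.path.splitext(os.path.basename(filename))
    if "." in name or ext.lower() not in ALLOWED_EXT:
        return None                       # 'malware.php.jpg' stops here
    for magic, real_ext in MAGIC.items():
        if data.startswith(magic):
            # The server picks the name, so the client's name never reaches disk.
            return secrets.token_hex(16) + real_ext
    return None                           # extension said image, bytes did not
```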
Now Lulzsec had access to sensitive details about each user: full names, addresses, email addresses, and logged interactions. But in such databases the passwords are usually stored in hashed form rather than in the clear.
Unfortunately for MilitarySingles, they weren't hashed well. The site used an outdated hashing method, MD5, that had been broken in 2004.
It didn't help that users were allowed to choose very simple passwords that would take little time or processing power to crack. The most common password, used 763 times, was '123456'. 'password', 'iloveyou', and 'military' came afterwards, while other common passwords included 'marines', 'jennifer', and 'freedom'.
Rachwald claims RFI vulnerabilities are "particularly acute to PHP" – used in 75-77 per cent of websites online today, including Facebook, WordPress, Wikipedia, and Chinese search engine Baidu. The language was designed in the '90s to enable the kind of dynamic webpages that social networks rely on.
Looking for exploits
Of several million cyberattacks monitored by Imperva, roughly 20 per cent exploited RFI and its close relative, Local File Inclusion.
The vulnerability is not inherent to PHP, but Rachwald believes that because the language is easy for inexperienced coders to pick up, it is often badly used. He says: "PHP is cheap, it's easy to deploy, but it's also easy to make a bunch of security mistakes.
"This is a big soft underbelly for a lot of organisations, and they're not even aware of it. Enterprises are in a pre-pubescent phase when it comes to properly protecting passwords."
But how much data is really out there to steal? In 2011, an Austrian law student, Max Schrems, used EU data protection laws to demand that Facebook give him a copy of all the data it held about him. The CD they posted to him contained a 1,200-page file detailing every friending and de-friending, every 'like', every 'poke', every RSVP, and many details he had not actually submitted himself. Not all of it was on him; some was from his friends.
New Yorker journalist Ken Auletta, who profiled Larry Page and Sergey Brin in his 2009 book Googled: The End of the World As We Know It, doesn't believe companies are doing enough to protect their users' data.
"Most digital companies collect mountains of information about users," he says. "Advertisers crave this information because it is much more granular than the data they get from, say, print publications or broadcasting."
The Facebook effect
There is enough, at least, that researchers at Carnegie Mellon University were able to guess social security numbers from online information with up to 90 per cent accuracy. Such troves of information are tempting targets for hackers.
"If users (or customers) feel their data is vulnerable, they will move elsewhere, which no business wants," says Auletta. "The problem is that hackers can be very inventive in finding ways to invade."
In the past, criminals would typically hold websites to ransom, taking them offline and demanding money. "But over time," Rachwald says, "companies started transacting more and more data inside their website. As a consequence, the value of data went up, and people started going after credit card numbers, personal identification numbers. The game changed dramatically because you no longer make money by taking down a website but by taking data from a website."
Sometimes the motives are political, as they appear to have been with MilitarySingles. But the real rewards are in an underground information economy that mirrors the legitimate one that sustains Google, Facebook and other web companies.
If you're a Canadian with a Visa card, your details might only be worth $3 on the black market. But those of an EU citizen with a Discover card were fetching $8 each last October.
That may not sound like much, but credit card details like those held by Apple's AppleID service, Amazon, or the infamously compromised Sony are bought and sold in blocks of thousands – ironically, through black market social networks and criminal Craigslist analogues. Facebook usernames and passwords, meanwhile, will set you back $6, according to one advert posted on a hacker website.
Yet this pales next to the value Facebook places on the data contained in each account. On May 18, Forbes estimated that each Facebook user is worth an average of $91.44 to advertisers, going by the stock price at the time. The online privacy company Abine, meanwhile, has made a free calculator that they claim can estimate your value to Facebook.
As in the black market, prices vary; I cost over $250, but a Latin American who rarely clicks 'like' and has fewer than 100 friends is worth a mere $46. Google offers money to users for allowing the company to track their browser data – though only in the form of $5 Amazon gift cards. You could get a better price from the hackers.
According to Rachwald, the two industries are two sides of the same coin: "One could say that the hackers did it first. They were very good at collecting personal details and monetising them; Facebook just did it legally."
In fact, the industries share plenty. "There's a fair bit of overlap," says Rachwald. "If you go for hacker forums you will see that a lot of security professionals clearly participate… if you look at the approach taken by certain hackers in certain campaigns, it mimics a lot of what we call white hat hackers do in order to test a website for vulnerabilities."
Facebook even offers bounties, paid onto a special 'White Hat' Visa debit card, to hackers who find and report security bugs, and has hired some of them as interns. Famously, the site began when Mark Zuckerberg broke into a variety of Harvard websites to download hundreds of pictures of fellow students.
Auletta says the hacker mentality runs deep in Silicon Valley. "New, disruptive companies don't ask for permission before they act. If Google had first asked for permission from newspapers or publishers, they never would have launched search in 1998."
Ultimately, Rachwald believes, social networking and the public sector do not mix. Such sites pose "a significant security threat" for government employees. "MilitarySingles wasn't even sponsored by the government, and now there's a ton of publicly available information on various military personnel."
While Imperva's report recommends militaries impose social media rules on their members, Rachwald thinks training is key: "Military and government agencies need to tell their employees how to use social networking and give them guidelines on how details can be used. I don't think they understand how much information an adversary might be able to get."
When Rachwald visits local schools to teach pupils about social networking, he tells them to "treat it as a game" – use a fake name, a fake date of birth, fake details, and make things difficult for anyone trying to find you. The bottom line? "Don't trust social networks, because they don't respect your privacy."
"We're living in the age of social networking. It's a big new factor that won't go away, and it needs to be treated with a great degree of respect."