How Lulzsec cracked

Information released on how the hack took place

A military dating site attacked by hackers in March had serious security flaws, a report has found. MilitarySingles, whose users' details were dumped online by Lulzsec hacktivists, failed to prevent the upload of malicious user content and did not properly hash its users' passwords, according to data security company Imperva.

The report concludes that user-generated content is not just the lifeblood of the modern internet but also its Achilles' heel.

But Rob Rachwald, the company's director of security strategy, says the methods and aims of the hackers reflect those of major firms like Google and Facebook.

As Facebook stock flows into the public market, trading on the value of users' personal details, hackers are placing their own price on the vast quantities of data that internet companies hold.

"I have a bunch of geeks working for me that like to do this kind of thing," says Rachwald, a 42-year-old Californian who got into security when he saw Intel design specifications being sold in the streets of Taipei for $300 apiece.

"Some people like to go to the movies, some people like to read a book, and some people like to hack."



On March 26 this year, hackers under the banner of Lulzsec – an offshoot of the broad-church pseudo-movement known as Anonymous (Rachwald calls it a "global disorganisation") – dumped over 170,000 account details online.

The original Lulzsec was responsible for a wave of online attacks last year, but went quiet after a leading member, Sabu, was turned into an FBI informant, leading to the arrest of three comrades. Now, apparently, it is back, or someone is using its name.


Rachwald's "geeks" probed the MilitarySingles website ("using fully legal means," he notes) and found a series of vulnerabilities which made it easy to sneak malware onto its servers.

Central to the hack, Rachwald claims, was a method called Remote File Inclusion. Strictly, RFI is a flaw in which a web application can be made to fetch and execute code from a location the attacker names. In the MilitarySingles case the attackers planted the code on the server themselves, by disguising it as legitimate user content.

In Web 2.0 applications, Rachwald says, users uploading content can't be avoided. "Imagine a Facebook where you couldn't send photos, or email where you couldn't exchange attachments," he says.

MilitarySingles had a filter to stop this happening. In theory, only picture files like JPEGs, GIFs and PNGs would be accepted. But the filter looked only at the final file extension, not at the file itself, meaning a name like 'malware.php.jpg' would get through; on a server configured to hand any file with '.php' in its name to the PHP interpreter, it would then run as code.

The filter was also programmed to check the content type that users' browsers declare for an upload (the Content-Type header). But because that declaration is made by the client, the hackers were able to route the upload through an intercepting proxy, rewrite the declared type after the file left the browser, and trick the filter into accepting it.

Imperva were able to find records of rogue PHP files uploaded to the MilitarySingles file server.
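To make the two bypasses concrete, here is an added Python model of an extension-only check and a Content-Type check beside a hardened version. It is not MilitarySingles' code (which was PHP) or Imperva's; the filenames, sample bytes and function names are constructed for the illustration.

```python
"""Constructed model of the two upload checks the article describes
(last extension, plus the Content-Type the browser declares) beside a
hardened version. Added illustration; not MilitarySingles' or Imperva's code."""
import hashlib
from typing import Optional, Tuple

ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}
ALLOWED_MIME = {"image/jpeg", "image/gif", "image/png"}

# Leading bytes of the three permitted image formats.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Constructed sample uploads (not real files from the incident).
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16             # stand-in for a picture
PHP_UPLOAD = b"<?php /* constructed stand-in for the rogue file */ ?>"


def weak_filter(filename: str, content_type: str) -> bool:
    """The checks as the article describes them: the final extension only,
    plus whatever type the client claims in the Content-Type header."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT and content_type in ALLOWED_MIME


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the format from the bytes actually received, not from any header."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def hardened_filter(filename: str, content_type: str, data: bytes) -> Tuple[bool, Optional[str]]:
    """Reject multi-dot names, ignore the declared Content-Type entirely,
    require the bytes to match the claimed format, and return a server-chosen
    filename so nothing the client typed is ever used on disk."""
    # content_type is client-controlled and deliberately not consulted.
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0] or parts[1] not in ALLOWED_EXT:
        return False, None
    claimed = "jpg" if parts[1] == "jpeg" else parts[1]
    actual = sniff_image_type(data)
    if actual != claimed:
        return False, None
    # Content-addressed name, single extension chosen by the server.
    return True, f"{hashlib.sha256(data).hexdigest()}.{actual}"


if __name__ == "__main__":
    print("honest browser:", weak_filter("malware.php.jpg", "application/x-php"))
    print("via proxy:     ", weak_filter("malware.php.jpg", "image/jpeg"))
    print("hardened:      ", hardened_filter("malware.php.jpg", "image/jpeg", PHP_UPLOAD))
    print("real picture:  ", hardened_filter("photo.PNG", "text/plain", PNG_UPLOAD))
```

Note the limit of the hardened version: a file that begins with a valid PNG header and carries PHP after it (a polyglot) still passes the byte check. The content check buys little on its own; what actually stops execution is the server-assigned single-extension name, storing uploads outside the document root or on a host with no script handler, and serving them back with a fixed Content-Type.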

Lulzsec hack

Now Lulzsec had access to sensitive details – full names, addresses, email addresses, and logged interactions – about each user. But in such databases the passwords are usually not stored directly but as hashes, one-way transformations that have to be guessed rather than read.

Unfortunately for MilitarySingles, the hashing was weak. The site used MD5, a fast general-purpose hash function (not an encryption method) for which collision attacks were published in 2004. The collisions are not what matters for passwords: the problem is that MD5 is so fast that an attacker can test billions of guesses per second against the dumped hashes, and, without a per-user salt, a single table of precomputed hashes covers every account at once.

It didn't help that users were allowed to choose very simple passwords that would take little time or processing power to guess. The most common password, used 763 times, was '123456'. 'Password', 'iloveyou', and 'military' came afterwards, while other common passwords included 'marines', 'jennifer', and 'freedom'.
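An added Python illustration of why that combination was fatal, using the article's most common passwords as a tiny wordlist. The user table and hashes are constructed, not taken from the dump: against unsalted MD5 one table of guesses covers every account, whereas a per-user salt and a slow hash force the work to be repeated per account. PBKDF2 stands in here for any modern password hash.

```python
"""Constructed demonstration of why unsalted MD5 made the dumped passwords
cheap to recover, and what a per-user salt plus a slow hash changes.
Added illustration; the users and hashes are made up, not from the dump.
MD5's weakness for passwords is speed and lack of salt, not the 2004
collision attacks."""
import hashlib
import os
from typing import Dict, Tuple

# The article's most common passwords, used as a tiny cracking wordlist.
WORDLIST = ["123456", "password", "iloveyou", "military", "marines", "jennifer", "freedom"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Constructed table in the scheme the article describes: bare MD5, no salt.
USERS_UNSALTED: Dict[str, str] = {
    "user1": md5_hex("123456"),
    "user2": md5_hex("military"),
    "user3": md5_hex("123456"),   # same password, identical hash: visible before any cracking
    "user4": md5_hex("correct horse battery staple"),
}


def crack_unsalted(hashes: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """One lookup table, built once, is checked against every account.
    Returns (recovered passwords, number of hash computations)."""
    table = {md5_hex(w): w for w in wordlist}
    found = {user: table[h] for user, h in hashes.items() if h in table}
    return found, len(wordlist)


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    # PBKDF2-HMAC-SHA256 as a stand-in for any deliberately slow password hash
    # (bcrypt, scrypt, Argon2); production iteration counts should be higher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_table(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Store (salt, digest) per user with a fresh random salt each time."""
    table = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        table[user] = (salt, slow_salted_hash(pw, salt))
    return table


def crack_salted(records: Dict[str, Tuple[bytes, str]], wordlist) -> Tuple[Dict[str, str], int]:
    """No shared table is possible: every guess is re-hashed for every account.
    Returns (recovered passwords, number of slow hash computations)."""
    found, computed = {}, 0
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            computed += 1
            if slow_salted_hash(guess, salt) == digest:
                found[user] = guess
                break
    return found, computed


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted(USERS_UNSALTED, WORDLIST))
    salted = make_salted_table({"user1": "123456", "user2": "military",
                                "user4": "correct horse battery staple"})
    print("salted+slow: ", crack_salted(salted, WORDLIST))
```

The second number returned by each cracker is the point: with unsalted MD5 the attacker pays for seven hashes to check the whole table, however many users there are; with salts and a slow hash the cost scales with users times guesses, and each of those hashes is deliberately expensive.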

Rachwald claims RFI vulnerabilities are "particularly acute to PHP" – used in 75-77 per cent of websites online today, including Facebook, WordPress, Wikipedia, and Chinese search engine Baidu. The language was designed in the '90s to enable the kind of dynamic webpages that social networks rely on.

Looking for exploits

Of several million cyberattacks monitored by Imperva, roughly 20 per cent exploited RFI and its close relative, Local File Inclusion.

The vulnerability is not inherent to PHP, but Rachwald believes that because the language is easy for inexperienced coders to pick up, it is often badly used. He says: "PHP is cheap, it's easy to deploy, but it's also easy to make a bunch of security mistakes.

"This is a big soft underbelly for a lot of organisations, and they're not even aware of it. Enterprises are in a pre-pubescent phase when it comes to properly protecting passwords."

But how much data is really out there to steal? In 2011, an Austrian law student, Max Schrems, used EU data protection laws to demand Facebook give him a copy of all the data they held about him. The CD they posted to him contained a 1,200-page file detailing every friending and de-friending, every 'like', every 'poke', every RSVP, and many details he had not actually submitted himself. Not all of it was about him; some was from his friends.


New Yorker journalist Ken Auletta, who profiled Larry Page and Sergey Brin in his 2009 book Googled: The End of the World As We Know It, doesn't believe companies are doing enough to protect their users' data.

"Most digital companies collect mountains of information about users," he says. "Advertisers crave this information because it is much more granular than the data they get from, say, print publications or broadcasting."