35 Million SK Telecom Accounts Stolen By Chinese Hackers

eldavojohn writes "South Korea's SK Telecom has revealed that earlier this week hackers stole 35 million account details from two sites. A portal called Nate Portal that provided e-mail services and a social networking site called CyWorld were the two targets by hackers who, SK Telecom claims, used IP addresses originating from China. From the article, 'The stolen data included user IDs, passwords, social security numbers, names, mobile phone numbers and email addresses. Nate said the social security numbers and passwords are encrypted so that they are not available for illegal use.'"

Squirrel Master

[bhcompy]

Nasty Nate needs to secure his portal, apparently.

Riiiigggghhhht

Nate said the social security numbers and passwords are encrypted so that they are not available for illegal use

Encryption! Bwahahahahahahahahahahahaha!

*shits in pants with tears in eyes - breathes*

Ahahahahahahahahahahahahahahahaha!

Oh God! That was FUNNY!

Yeah, yeah, yeah, the check is in the mail; I'll call you in the Morning; I won't cum in your mouth, blah blah blah ......

Accounts being stolen left and right

[Compaqt]

Some questions:

1. Anybody still using the same username at multiple websites?

2. Anybody work at a place that has been affected? Citibank, whatever? Or their webdev firm? Are there wholesale firings? Of development, IT, or the business side?

3. Anybody work at a company that actually has some kind of decent security and cares about protecting customer data?

Re:Accounts being stolen left and right

1. Anybody still using the same username at multiple websites?

Nothing wrong with re-using usernames; on most sites, that's open information. It's the passphrases you should never, ever use twice.

Re:Accounts being stolen left and right

[pixelpusher220]

4. can we get an accurate summary?

*Nothing* was stolen. It was illegally obtained, but not stolen. The accounts still exist and are usable by the rightful owners baring any disabling by the telecom itself.

Re:Accounts being stolen left and right

[flyingsquid]

One thing the summary gets wrong: the original article, at NPR, does not say that these are "Chinese hackers". The article only says that the attack "originated in China". The reason you can't actually pin this on the Chinese is that there are are actually two countries that conduct offensive cyberwarfare operations out of China. One being China, obviously. The other is North Korea. Believe it or not, North Korea is thought to have one of the most advanced offensive cyberwarfare capabilities out there (apparently when North Korea puts its mind to something, like hacking or making nuclear bombs and ballistic missiles, they're actually not that bad at it, which makes you wonder why there still isn't enough rice to go around). Given the effectiveness with which China manages to police its internet, however, it's damn hard to believe that the North Koreans aren't operating without their approval, or even active assistance.

Re:Accounts being stolen left and right

“The other is North Korea. Believe it or not, North Korea is thought to have one of the most advanced offensive cyberwarfare capabilities out there (apparently when North Korea puts its mind to something, like hacking or making nuclear bombs and ballistic missiles, they're actually not that bad at it, which makes you wonder why there still isn't enough rice to go around).”

I'm sure North Korea do not have the "most avanced offensive cyberwarfare capabilites" as you said, especially campared to the United States, North Korea and Japan.

The abilities and technologies of securing internet and attacking other countries of both China and North Korea are way behind of other advanced countries. Although it is repored that China has initiated many attacks, the attacking is not sophisticated. According to the latest akamai 1st quarter, 2011 report "The state of internet", China takes up 6.4% of the attack traffic and is at the position 5 in the list of top 10 countries from which attack traffic originates. So the report given by google and the United States against China may be just political manipulations. Hanking activity with IP addresses originating from China does not means it is inititated by Chinese. You never know who inititated an internet attack or crime just by IP addresses.

Re:Accounts being stolen left and right

[tehcyder]

4. can we get an accurate summary?

*Nothing* was stolen. It was illegally obtained, but not stolen. The accounts still exist and are usable by the rightful owners baring any disabling by the telecom itself.

You are doing the usual slashdot splitting of hairs. Yes, we all know that if you copy information the original is still there, and therefore it is not analogous to ptheft of physical property.
I suppose if I electronically transfer the contents of your savings account to mine (after I have illegally copied your bank details and passwords) then there is no therft involved, since I am merely electronically moving 1s and 0s around, and they cannot in themselves belong to anyone.

PII is bad, m'kay.

[poodlehat]

From what I've heard about many websites based in S. Korea, you need to provide a resident registration number (like the US SSN) in order to register. This hack should be proof that websites shouldn't demand such personally identifing information.

Re:PII is bad, m'kay.

[mlts]

From what I know, it is the law in SK for sites to demand the registration number.

If a number is needed, perhaps the best idea would be for the SK government to have a website that citizens and residents can log into, and get a one time code that can be put in other places. This way, the law still works, but there is no way an attacker who does not attack the Korean government site could be able to figure that a number entered in actually belongs to which resident.

Personally, demanding a registration number is pointless and stupid. All it takes is someone snooping over the shoulder or sniffing an unencrypted password to get a valid number, and that is what an attacker needs.

"encrypted" my ass

[girlintraining]

Nate said the social security numbers and passwords are encrypted

And stored in a database, which for authentication purposes would need to be able to convert said "encrypted" data into plain text for any customer service representative, the billing systems, etc. The key has to be something that's widely accessible, or goes through a proxy. Either way, it's highly unlikely the "encryption" scheme is much more sophisticated than a single XOR operation. Decrypting that field for a substantial portion of the database SELECT statements would be a huge overhead.

No, I suspect they have the SSNs, it's just a matter of time before they get them back in plain text. Besides, the 'nice' thing about SSNs is... If you know where the person was born, and what year (not hard to find), you can predict 6 out of the 10 digits with a high degree of accuracy, thus aiding substantially in the cryptanalysis. This isn't random data being encrypted... it's highly structured, and most of the plain-text is already known.

They're screwed.

Re:"encrypted" my ass

Their encryption scheme was LOT-13.

Re:"encrypted" my ass

[Microlith]

Besides, the 'nice' thing about SSNs is... If you know where the person was born, and what year (not hard to find), you can predict 6 out of the 10 digits with a high degree of accuracy, thus aiding substantially in the cryptanalysis.

That's assuming that South Korean SSNs are issued using similar procedures as US SSNs.

Re:"encrypted" my ass

Korean SSNs aren't the same as American ones. Also, in Korea, you have to provide your SSN to sign up for any online service, including Nate and CyWorld.

Re:"encrypted" my ass

Besides, the 'nice' thing about SSNs is... If you know where the person was born, and what year (not hard to find), you can predict 6 out of the 10 digits with a high degree of accuracy, thus aiding substantially in the cryptanalysis.

That's assuming that South Korean SSNs are issued using similar procedures as US SSNs.

True, but it's systematic nonetheless, and if the hackers are stealing it in the first place they'll almost undoubtedly be able to decrypt it.

Re:"encrypted" my ass

[OzPeter]

Besides, the 'nice' thing about SSNs is... If you know where the person was born, and what year (not hard to find), you can predict 6 out of the 10 digits with a high degree of accuracy, thus aiding substantially in the cryptanalysis.

That's assuming that South Korean SSNs are issued using similar procedures as US SSNs.

Assuming that SK actually even has SSNs

Re:"encrypted" my ass

[Firkragg14]

I was wondering about this. The fact that SSNs tend to follow a pattern would surely make them an easier target of cryptoanalysis. Even just knowing the format would cut down on the keyspace you had to search by a large margin wouldn't it?

Re:"encrypted" my ass

SSN is actually mandatory requirement for most online (and offline) registration in Korea.
Also, its in a format YYYYMMDD - XXXXXXXX so first part of it is easy to figure out if you have the information.

Re:"encrypted" my ass

No wonder the US is having trouble funding social security. I had no idea it included the 35 million South Korean telephone subscribers!

Re:"encrypted" my ass

[nbetcher]

Correction: SSN area prefixes aren't generated based on an applicant's place of birth. The area prefix is determined by the ZIP CODE that the applicant provides on his/her application to the SS office. The zip code provided does not even need to be the applicant's residence.

Re:"encrypted" my ass

[Mana+Mana]

> social security numbers

You know that they (SSN's) are American, right? Since we're talking about South Korea citizens and purportedly mainland China crackers WTF are we talking about?

Korean ID numbers? Well, alright then, let's say so.

Re:"encrypted" my ass

[AlphaGremlin]

Either way, it's highly unlikely the "encryption" scheme is much more sophisticated than a single XOR operation. Decrypting that field for a substantial portion of the database SELECT statements would be a huge overhead.

Or you encrypt the value you want to look for before using it in your WHERE clause. Unless the key is individually salted for each person, you can do a much quicker binary comparison with encrypted value against encrypted value. If it IS individually salted, you could store a hash to compare with rather than the full value, decreasing the amount of work that needs to be done. As far as I'm aware, performing a hash operation + compare would be quicker than full decryption + compare. If you don't salt the hash, it's even faster, though an attacker would be able to use a rainbow table then.

Besides, CSRs and billing would only need the encrypted data occasionally anyway. It wouldn't be a huge overhead to decrypt if you only run billing once a month - let it go overnight. You could even split it across the month, running portions at a time depending on the billing date for each customer.

Re:"encrypted" my ass

Nate said the social security numbers and passwords are encrypted

The real question is, was the data hashed.

Re:"encrypted" my ass

[chaostaco]

I agree with your final conclusion that they're screwed, but your understanding of encryption and software is a little off.

And stored in a database, which for authentication purposes would need to be able to convert said "encrypted" data into plain text for any customer service representative, the billing systems, etc. The key has to be something that's widely accessible, or goes through a proxy.

Assuming that they are using widespread password encryption practices (i.e. only storing a salted, hashed version of the password) then they never convert the encrypted data back into plain text for authentication. Instead, they salt/hash the password that the user has entered using cryptographically strong but publicly known algorithms (no secret keys) and compare the result to what is in the database. Brute-force or dictionary attacks can be used against this, but there is no such thing as a decryption key that can reverse a hash operation.

Either way, it's highly unlikely the "encryption" scheme is much more sophisticated than a single XOR operation. Decrypting that field for a substantial portion of the database SELECT statements would be a huge overhead.

I disagree that their encryption scheme would be unsophisticated for the reasons you provide. Applications do not typically examine the password field on a substantial portion of database calls. Applications do typically use strong cryptography during authentication calls and the overhead is not prohibitive. If they are using XOR to encrypt passwords, it is not for technical reasons.

Resident Registration Number

[MischaNix]

Decrypting the resident registration numbers in this set would not be difficult, as the number follows a systematic pattern a la pre-obfuscated SSNs. See Wikipedia for details.

The consequences of this for identity theft and how it is handled in Korea should be interesting.

Title Fail

IPs originating in chine does not automatically mean it was conducted by Chinese Hackers.

Re:Title Fail

[cyfer2000]

No to mention even the computer used to initialize the attack was located China does not mean the hacker is holding a Chinese passport. One little game I always play when I see news regarding Chinese is replacing word "Chinese" with the word "Jew" or "Jewish". If I can finish the title without feeling I am a Nazi, I proceed to read the article. Otherwise, I make myself a tinfoil hat.

Re:Title Fail

[John+Saffran]

Except for the fact that chinese hackers (some working for the chinese government) are known to be attacking the rest of the world. For example, http://en.wikipedia.org/wiki/GhostNet.

It's always possible that activity from a chinese IP may be non-chinese, but suffice to say that the chinese haven't done themselves any favours reputation-wise in the field of computer security.

Re:Title Fail

Whether or not it offends your delicate flowery view of the world, Its not racism to assume China is going to continue shitting all over the rest of the world. They've given us no indication of stopping anytime soon.

35 million?

Given that South Korea has a population estimated around 49 million... That's usernames, passwords, KSSNs, phone numbers and email addresses for nearly 71% of the population at the most generous estimate of one account per user. That is absolutely ludicrous amounts of data to have on a country: nearly all of its online population's details?!

This is an unprecedented invasion of privacy. The South Korean government had better be all over this: someone out there now has all the information they need to impersonate every two out of three of its citizens. That's worth a lot of money to the right people.

Bad CC security Visa/MC/Discover/Amex's Fault

The fine for a single data breach is $50,000 x 4 (each cc org) = $200,000. Second time, it doubles.. only on the 4th time, you _might_ lose the ability to process cards.

So for a small company with a few thousand records, a single data breach, and you're out of business.

If you're Sony, and lose millions of records, you get a $200,000 fine.. less than it would have cost to secure all of their systems.

Nat(ali)e Port(m)a(n)l?

Useless post, but I can't have been the only one misreading that?

Re:Nat(ali)e Port(m)a(n)l?

Yeah, I read that as well. "A portal called Natalie Portman". WTF?

Tea Partiers take Notice

[NEDHead]

We can balance the budget by stopping Social Security payments to South Koreans

proof of idiocy

[frovingslosh]

Just more proof that anyone who gives their S.S.# to a phone company or other business who doesn't pay into the S.S. account and isn't required by law to have it is an idiot. How much of this does it take before the sheep start refusing to use the S.S.# as some sort of public ID. Giving it to web portals? Insane!

Re:proof of idiocy

give S.S.# to portal to register is required by law in Korea

Re:proof of idiocy

[javelin682]

While I agree that these types of companies shouldn't necessarily have your SSN, in a lot of cases, they do a credit check to make sure you're the type to pay your bills. So, if you want their service, you kinda have to give them the SSN so they can do a check. Now, I'm not sure if they also report to the credit bureau(s) as well to let them know you do pay on time.

Re:proof of idiocy

[shoehornjob]

FTF article "Nate said the social security numbers and passwords are encrypted so that they are not available for illegal use" That is until the attacker('s) find the key. One of these days someone is gonna really get pissed at these Chinese hackers and bad things will ensue.

Awwwww GRITS!

[Jeremiah+Cornelius]

I must have scanned the summary too fast... I read the WHOLE ARTICLE, and nothing at all about NATALIE PORTMAN!

Re:Awwwww GRITS!

[m2vq]

What I found stupid, even about the title, was blaming Chinese for it. Gee, I'm pretty sure every hacker stealing 35 million peoples info will connect directly to the target server! I mean, no hacker would ever think of using a Chinese proxy because they're taking so much shit for all the other things too. But of course it's chinese hackers.

Re:Awwwww GRITS!

I don't know, how many open AND anonymous Chinese proxies does the Great Firewall allow? I mean if every ISP there must have a license from the government, and every subscriber must use his government issued id when opening an account, how many rogue servers can there be in China? And if there are, how long lived can they be?

Additionally, it wouldn't make sense for them to be on top of censoring the millions of Weibo feeds every minute (so as not to blemish the public image of China) yet not be able to filter these proxy servers (which as we see here, do blemish the public image of China). Why control one aspect, but not the other, unless there is an intent?

Re:Awwwww GRITS!

[m2vq]

They aren't some dedicated proxy servers, they're personal pc's which have been infected and open proxy server has been opened on them. It's easy to find those with google.

Chinese IP

This obviously a CIA operation going through Chinese VPN.
Guess the American agents were getting denied trying to access their favorite K-pop from work.

Why is this news?

China is in a cold war with the west. We will see continuing on-line attacks until the war turns hot.

SS# is NOT for identification

[frovingslosh]

Many years ago, long before the problems of identity theft well well publicized and even before many /.ers were born, I needed to rent a car and got myself to a local rental office. Showed them my ID, there was no question about payment, but there on the rental form they wanted my SS#. I filled in the form but left the SS# blank. The clerk insisted I needed to give my SS# or they would not rent to me. I talked to the manager. I explained the issue and that I simply was not going to give him my SS#. He restated that they would not rent to me without my SS#. I told him fine, I would leave peacefully, as long as he would put in writing that he refused to rent a car to me because I would not give him my SS#. He thought about that for a minute, then decided that they really didn't need my SS# after all.

I've had similar things happen many times since then. People will often try to bully you to get the number, but if you hold your ground and make it clear that you know they have no right to it, they will usually back down (have always backed down in my case). They particularly tend to back down after you say something like "you have a business license? Please put in writing that you refused to do business with me because I would not supply you with my SS#.".

Re:SS# is NOT for identification

What the article alludes to is not a "social security number" such as the US has, but is instead a national ID number (). Every Korean citizen has one and, unlike in the US and other countries, its use is mandatory for virtually EVERY on-line action, from ordering your new kimchi fridge from the manufacturer to posting a comment on an on-line forum such as this. By ROK law, every website with over 100,000 hits daily must require real name registration using national ID numbers in order to post on the site. Because of this, Koreans have no expectation of on-line privacy whatsoever.

Uplink cables ready

[Vahokif]

No system is safe!

P(i) R(a) C(y)

[slick7]

Only in China is criminality synonymous with nationalism.

One or the other

[kakyoin01]

Well nowadays, it's either hacking or selling children, it seems. All in a day's work for those Chinese.

Seriously though, they must have done SOMETHING right, seeing as China is slowly consuming the United States. Either that, or we (the US) is doing something very wrong. I have a feeling it's at least the latter.

Here we go again...

Out of the 40 or so babble heads posting responses equivalent to "that's not hard" or "even I knew NOT to do that", I find it amazing that approximately 100% have yet to post anything representative of truly demonstrating real proficiency and technical understanding of how an attack like the one noted in this entire thread is actually carried out.

If there's anything about the IT world I truly hate with the passion found only in Christ, it's all the fucking blowhard twats that saturate it.

SSN's do "tell where you were born"

Going from east coast, to west coast, in the 1st 3 digits, iirc...

* Thus, you can get a pretty close geographical area on "birth origination point", right from the SSN itself...

(On that note? Well... "will wonders NEVER cease"!)

APK

P.S.=> There IS NO PRIVACY, get used to it (& I suspect it was actually INTENDED to be that way, & with a great many things - @ least, "by default")...

So, as much as I hate to admit or even state that, it does seem to be the case, unless you do something about it, & in an area you have direct control over (such as your PC, & perhaps not using things that "open you up" to attack, such as credit cards online etc. (but, a cashier in a store could do the same really as well, as long as you insist on being a member/part of such systems of commerce))

However: "The number of the beast", your SSN imo/in a way, or the precursor to such a thing?

Well, as it's said in Revelation:

"And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name. Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six."

Thus, it seems there's NO avoiding it really, if you're in the USA @ least!

... apk