Slashdot Mirror

← Back to Stories (view on slashdot.org)

35 Million SK Telecom Accounts Stolen By Chinese Hackers

Posted by timothy on from the where's-that-great-firewall-when-needed? dept.

eldavojohn writes "South Korea's SK Telecom has revealed that earlier this week hackers stole 35 million account details from two sites. A portal called Nate Portal that provided e-mail services and a social networking site called CyWorld were the two targets by hackers who, SK Telecom claims, used IP addresses originating from China. From the article, 'The stolen data included user IDs, passwords, social security numbers, names, mobile phone numbers and email addresses. Nate said the social security numbers and passwords are encrypted so that they are not available for illegal use.'"

36 of 51 comments (clear)

  1. Squirrel Master by bhcompy · · Score: 1

    Nasty Nate needs to secure his portal, apparently.

  2. Riiiigggghhhht by Anonymous Coward · · Score: 1

    Nate said the social security numbers and passwords are encrypted so that they are not available for illegal use

    Encryption! Bwahahahahahahahahahahahaha!

    *shits in pants with tears in eyes - breathes*

    Ahahahahahahahahahahahahahahahaha!

    Oh God! That was FUNNY!

    Yeah, yeah, yeah, the check is in the mail; I'll call you in the Morning; I won't cum in your mouth, blah blah blah ......

  3. Accounts being stolen left and right by Compaqt · · Score: 1

    Some questions:

    1. Anybody still using the same username at multiple websites?

    2. Anybody work at a place that has been affected? Citibank, whatever? Or their webdev firm? Are there wholesale firings? Of development, IT, or the business side?

    3. Anybody work at a company that actually has some kind of decent security and cares about protecting customer data?

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:Accounts being stolen left and right by pixelpusher220 · · Score: 1, Offtopic

      4. can we get an accurate summary?

      *Nothing* was stolen. It was illegally obtained, but not stolen. The accounts still exist and are usable by the rightful owners baring any disabling by the telecom itself.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    2. Re:Accounts being stolen left and right by flyingsquid · · Score: 4, Interesting

      One thing the summary gets wrong: the original article, at NPR, does not say that these are "Chinese hackers". The article only says that the attack "originated in China". The reason you can't actually pin this on the Chinese is that there are are actually two countries that conduct offensive cyberwarfare operations out of China. One being China, obviously. The other is North Korea. Believe it or not, North Korea is thought to have one of the most advanced offensive cyberwarfare capabilities out there (apparently when North Korea puts its mind to something, like hacking or making nuclear bombs and ballistic missiles, they're actually not that bad at it, which makes you wonder why there still isn't enough rice to go around). Given the effectiveness with which China manages to police its internet, however, it's damn hard to believe that the North Koreans aren't operating without their approval, or even active assistance.

    3. Re:Accounts being stolen left and right by tehcyder · · Score: 1

      4. can we get an accurate summary?

      *Nothing* was stolen. It was illegally obtained, but not stolen. The accounts still exist and are usable by the rightful owners baring any disabling by the telecom itself.

      You are doing the usual slashdot splitting of hairs. Yes, we all know that if you copy information the original is still there, and therefore it is not analogous to ptheft of physical property.
      I suppose if I electronically transfer the contents of your savings account to mine (after I have illegally copied your bank details and passwords) then there is no therft involved, since I am merely electronically moving 1s and 0s around, and they cannot in themselves belong to anyone.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  4. PII is bad, m'kay. by poodlehat · · Score: 1

    From what I've heard about many websites based in S. Korea, you need to provide a resident registration number (like the US SSN) in order to register. This hack should be proof that websites shouldn't demand such personally identifing information.

    1. Re:PII is bad, m'kay. by mlts · · Score: 1

      From what I know, it is the law in SK for sites to demand the registration number.

      If a number is needed, perhaps the best idea would be for the SK government to have a website that citizens and residents can log into, and get a one time code that can be put in other places. This way, the law still works, but there is no way an attacker who does not attack the Korean government site could be able to figure that a number entered in actually belongs to which resident.

      Personally, demanding a registration number is pointless and stupid. All it takes is someone snooping over the shoulder or sniffing an unencrypted password to get a valid number, and that is what an attacker needs.

  5. "encrypted" my ass by girlintraining · · Score: 5, Informative

    Nate said the social security numbers and passwords are encrypted

    And stored in a database, which for authentication purposes would need to be able to convert said "encrypted" data into plain text for any customer service representative, the billing systems, etc. The key has to be something that's widely accessible, or goes through a proxy. Either way, it's highly unlikely the "encryption" scheme is much more sophisticated than a single XOR operation. Decrypting that field for a substantial portion of the database SELECT statements would be a huge overhead.

    No, I suspect they have the SSNs, it's just a matter of time before they get them back in plain text. Besides, the 'nice' thing about SSNs is... If you know where the person was born, and what year (not hard to find), you can predict 6 out of the 10 digits with a high degree of accuracy, thus aiding substantially in the cryptanalysis. This isn't random data being encrypted... it's highly structured, and most of the plain-text is already known.

    They're screwed.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:"encrypted" my ass by Microlith · · Score: 1

      Besides, the 'nice' thing about SSNs is... If you know where the person was born, and what year (not hard to find), you can predict 6 out of the 10 digits with a high degree of accuracy, thus aiding substantially in the cryptanalysis.

      That's assuming that South Korean SSNs are issued using similar procedures as US SSNs.

    2. Re:"encrypted" my ass by OzPeter · · Score: 1

      Besides, the 'nice' thing about SSNs is... If you know where the person was born, and what year (not hard to find), you can predict 6 out of the 10 digits with a high degree of accuracy, thus aiding substantially in the cryptanalysis.

      That's assuming that South Korean SSNs are issued using similar procedures as US SSNs.

      Assuming that SK actually even has SSNs

      --
      I am Slashdot. Are you Slashdot as well?
    3. Re:"encrypted" my ass by Firkragg14 · · Score: 1

      I was wondering about this. The fact that SSNs tend to follow a pattern would surely make them an easier target of cryptoanalysis. Even just knowing the format would cut down on the keyspace you had to search by a large margin wouldn't it?

    4. Re:"encrypted" my ass by Anonymous Coward · · Score: 1

      SSN is actually mandatory requirement for most online (and offline) registration in Korea.
      Also, its in a format YYYYMMDD - XXXXXXXX so first part of it is easy to figure out if you have the information.

    5. Re:"encrypted" my ass by nbetcher · · Score: 1

      Correction: SSN area prefixes aren't generated based on an applicant's place of birth. The area prefix is determined by the ZIP CODE that the applicant provides on his/her application to the SS office. The zip code provided does not even need to be the applicant's residence.

    6. Re:"encrypted" my ass by Mana+Mana · · Score: 1

      > social security numbers

      You know that they (SSN's) are American, right? Since we're talking about South Korea citizens and purportedly mainland China crackers WTF are we talking about?

      Korean ID numbers? Well, alright then, let's say so.

    7. Re:"encrypted" my ass by AlphaGremlin · · Score: 1

      Either way, it's highly unlikely the "encryption" scheme is much more sophisticated than a single XOR operation. Decrypting that field for a substantial portion of the database SELECT statements would be a huge overhead.

      Or you encrypt the value you want to look for before using it in your WHERE clause. Unless the key is individually salted for each person, you can do a much quicker binary comparison with encrypted value against encrypted value. If it IS individually salted, you could store a hash to compare with rather than the full value, decreasing the amount of work that needs to be done. As far as I'm aware, performing a hash operation + compare would be quicker than full decryption + compare. If you don't salt the hash, it's even faster, though an attacker would be able to use a rainbow table then.

      Besides, CSRs and billing would only need the encrypted data occasionally anyway. It wouldn't be a huge overhead to decrypt if you only run billing once a month - let it go overnight. You could even split it across the month, running portions at a time depending on the billing date for each customer.

    8. Re:"encrypted" my ass by chaostaco · · Score: 1
      I agree with your final conclusion that they're screwed, but your understanding of encryption and software is a little off.

      And stored in a database, which for authentication purposes would need to be able to convert said "encrypted" data into plain text for any customer service representative, the billing systems, etc. The key has to be something that's widely accessible, or goes through a proxy.

      Assuming that they are using widespread password encryption practices (i.e. only storing a salted, hashed version of the password) then they never convert the encrypted data back into plain text for authentication. Instead, they salt/hash the password that the user has entered using cryptographically strong but publicly known algorithms (no secret keys) and compare the result to what is in the database. Brute-force or dictionary attacks can be used against this, but there is no such thing as a decryption key that can reverse a hash operation.

      Either way, it's highly unlikely the "encryption" scheme is much more sophisticated than a single XOR operation. Decrypting that field for a substantial portion of the database SELECT statements would be a huge overhead.

      I disagree that their encryption scheme would be unsophisticated for the reasons you provide. Applications do not typically examine the password field on a substantial portion of database calls. Applications do typically use strong cryptography during authentication calls and the overhead is not prohibitive. If they are using XOR to encrypt passwords, it is not for technical reasons.

  6. Resident Registration Number by MischaNix · · Score: 1

    Decrypting the resident registration numbers in this set would not be difficult, as the number follows a systematic pattern a la pre-obfuscated SSNs. See Wikipedia for details.

    The consequences of this for identity theft and how it is handled in Korea should be interesting.

  7. Title Fail by Anonymous Coward · · Score: 4, Informative

    IPs originating in chine does not automatically mean it was conducted by Chinese Hackers.

    1. Re:Title Fail by cyfer2000 · · Score: 1

      No to mention even the computer used to initialize the attack was located China does not mean the hacker is holding a Chinese passport. One little game I always play when I see news regarding Chinese is replacing word "Chinese" with the word "Jew" or "Jewish". If I can finish the title without feeling I am a Nazi, I proceed to read the article. Otherwise, I make myself a tinfoil hat.

      --
      There is a spark in every single flame bait point.
    2. Re:Title Fail by John+Saffran · · Score: 2

      Except for the fact that chinese hackers (some working for the chinese government) are known to be attacking the rest of the world. For example, http://en.wikipedia.org/wiki/GhostNet.

      It's always possible that activity from a chinese IP may be non-chinese, but suffice to say that the chinese haven't done themselves any favours reputation-wise in the field of computer security.

    3. Re:Title Fail by Anonymous Coward · · Score: 1

      Whether or not it offends your delicate flowery view of the world, Its not racism to assume China is going to continue shitting all over the rest of the world. They've given us no indication of stopping anytime soon.

  8. 35 million? by Anonymous Coward · · Score: 1

    Given that South Korea has a population estimated around 49 million... That's usernames, passwords, KSSNs, phone numbers and email addresses for nearly 71% of the population at the most generous estimate of one account per user. That is absolutely ludicrous amounts of data to have on a country: nearly all of its online population's details?!

    This is an unprecedented invasion of privacy. The South Korean government had better be all over this: someone out there now has all the information they need to impersonate every two out of three of its citizens. That's worth a lot of money to the right people.

  9. Tea Partiers take Notice by NEDHead · · Score: 1

    We can balance the budget by stopping Social Security payments to South Koreans

  10. proof of idiocy by frovingslosh · · Score: 1

    Just more proof that anyone who gives their S.S.# to a phone company or other business who doesn't pay into the S.S. account and isn't required by law to have it is an idiot. How much of this does it take before the sheep start refusing to use the S.S.# as some sort of public ID. Giving it to web portals? Insane!

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:proof of idiocy by Anonymous Coward · · Score: 2, Informative

      give S.S.# to portal to register is required by law in Korea

    2. Re:proof of idiocy by javelin682 · · Score: 1

      While I agree that these types of companies shouldn't necessarily have your SSN, in a lot of cases, they do a credit check to make sure you're the type to pay your bills. So, if you want their service, you kinda have to give them the SSN so they can do a check. Now, I'm not sure if they also report to the credit bureau(s) as well to let them know you do pay on time.

    3. Re:proof of idiocy by shoehornjob · · Score: 1

      FTF article "Nate said the social security numbers and passwords are encrypted so that they are not available for illegal use" That is until the attacker('s) find the key. One of these days someone is gonna really get pissed at these Chinese hackers and bad things will ensue.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
  11. Awwwww GRITS! by Jeremiah+Cornelius · · Score: 2

    I must have scanned the summary too fast... I read the WHOLE ARTICLE, and nothing at all about NATALIE PORTMAN!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:Awwwww GRITS! by m2vq · · Score: 2

      What I found stupid, even about the title, was blaming Chinese for it. Gee, I'm pretty sure every hacker stealing 35 million peoples info will connect directly to the target server! I mean, no hacker would ever think of using a Chinese proxy because they're taking so much shit for all the other things too. But of course it's chinese hackers.

    2. Re:Awwwww GRITS! by Anonymous Coward · · Score: 1

      I don't know, how many open AND anonymous Chinese proxies does the Great Firewall allow? I mean if every ISP there must have a license from the government, and every subscriber must use his government issued id when opening an account, how many rogue servers can there be in China? And if there are, how long lived can they be?

      Additionally, it wouldn't make sense for them to be on top of censoring the millions of Weibo feeds every minute (so as not to blemish the public image of China) yet not be able to filter these proxy servers (which as we see here, do blemish the public image of China). Why control one aspect, but not the other, unless there is an intent?

    3. Re:Awwwww GRITS! by m2vq · · Score: 2

      They aren't some dedicated proxy servers, they're personal pc's which have been infected and open proxy server has been opened on them. It's easy to find those with google.

  12. Why is this news? by Anonymous Coward · · Score: 1

    China is in a cold war with the west. We will see continuing on-line attacks until the war turns hot.

  13. SS# is NOT for identification by frovingslosh · · Score: 1

    Many years ago, long before the problems of identity theft well well publicized and even before many /.ers were born, I needed to rent a car and got myself to a local rental office. Showed them my ID, there was no question about payment, but there on the rental form they wanted my SS#. I filled in the form but left the SS# blank. The clerk insisted I needed to give my SS# or they would not rent to me. I talked to the manager. I explained the issue and that I simply was not going to give him my SS#. He restated that they would not rent to me without my SS#. I told him fine, I would leave peacefully, as long as he would put in writing that he refused to rent a car to me because I would not give him my SS#. He thought about that for a minute, then decided that they really didn't need my SS# after all.

    I've had similar things happen many times since then. People will often try to bully you to get the number, but if you hold your ground and make it clear that you know they have no right to it, they will usually back down (have always backed down in my case). They particularly tend to back down after you say something like "you have a business license? Please put in writing that you refused to do business with me because I would not supply you with my SS#.".

    --
    I'm an American. I love this country and the freedoms that we used to have.
  14. Uplink cables ready by Vahokif · · Score: 1

    No system is safe!

  15. One or the other by kakyoin01 · · Score: 1

    Well nowadays, it's either hacking or selling children, it seems. All in a day's work for those Chinese.

    Seriously though, they must have done SOMETHING right, seeing as China is slowly consuming the United States. Either that, or we (the US) is doing something very wrong. I have a feeling it's at least the latter.

    --
    The more you know, the more you have to say and the more you should listen.