Slashdot Mirror
Detailed Analysis of the SK Communications Hack
An anonymous reader writes "An Australian IT security company, Command Five Pty Ltd, has just released a detailed analysis (PDF) of the recent SK Communications hack in which the personal details of up to 35 million users were stolen. This new analysis gives details of the attackers' malicious infrastructure and contains as-yet unreported technical details of the malware used in the attack (including the fact that it has the capability to sniff raw network packets on infected machines). The report also identifies links with other malware and malicious infrastructure, demonstrating that the attack is likely to be part of a broader concerted effort by well organized attackers."
They hacked ESTsoft’s ALZip update server so when SK Communications's ALZip installations checked for updates it downloaded the hacked patch and thus led to pwnage.
When quoting about this SK Comm hacking incident, it should be noted that the "35 million users" is quite significant. There are approximately 39 million total internet users in South Korea with 48 million total population. This means nearly 90% of all S. Korean internet users' information was compromised. That, or more than 70% of total population. It's suffice to say the incident practically threw all relevant Korean people's key personal information out in the wild.
Oh, and by key personal information, I'm referring to Resident Registration Numbers that were part of the leaked info. RRN is a unique, non-transferable, non-modifiable serial number given to every Korean citizen, and thus is used as a highly convenient way of identifying the person in question. You can retrieve someone's website registration ID just by knowing the name and RRN, so it's something you yourself are only supposed to know. Since password hashes were also leaked, and since lots of folks reuse same password over and over, it would be relatively easy to pick out someone out of the leaked database and use the information to login to other websites, and by doing so, get even more personal information out.
Now the Korean websites are "encouraged" more than ever to use alternative means to identify someone, but I fear the cat's already out of the bag.
Serving time in Aristotelean prison for violating laws of physics
How is the RRN meant to be a unique number that only you know, if it is used at most websites? This sounds like the sillyness of the US SSN -- its "secret" but everyone asks for it. I can see why Australia made it illegal for anyone other than the Tax Office, Employers or Superannuation funds to ask for your tax file number.
Unique number identifiers are useful to ensure records don't get mixed up, but they are not a proof of identity. Using them as proof is moronic.
I can see why Australia made it illegal for anyone other than the Tax Office, Employers or Superannuation funds to ask for your tax file number
Actually anyone can ask for it, you can just decline to provide it and it's illegal for them to insist on it. You don't have to disclose it to an employer or financial institution, in which case they withold tax on your income at the highest rate marginal tax rate plus any other applicable taxes. If you have income that's already been taxed at maximum possible rate that leaves no chance of "avoidance".
Users and network administrators need to continually reassess who and what they trust on the Internet - so true... Can you imagine if 7Zip, WinRAR, or PKZip were hacked and used as a launchpad? If you cant trust a software update what can you trust?
Sorry to reply to my own post, but checking the legislation indeed only some people can even request it.There are a few more examples than above of institutions that can request it, but still you aren't obliged to provide it.
I would hope that they would have used salt.(Cue kimchi joke here)
Monstar L
How is the RRN meant to be a unique number that only you know, if it is used at most websites? This sounds like the sillyness of the US SSN -- its "secret" but everyone asks for it. I can see why Australia made it illegal for anyone other than the Tax Office, Employers or Superannuation funds to ask for your tax file number.
Unique number identifiers are useful to ensure records don't get mixed up, but they are not a proof of identity. Using them as proof is moronic.
Yes, it's crazy, but that's what's been happening for so long in Korea. When you register for a Korean website to create an ID, you almost always must enter your name and RRN, and it's checked with a third-party identification service that makes sure the information is legitimate (i.e. name matches recorded RRN), and that the RRN is not already associated with an existing ID. If you've passed this, the website regards that, pretty much legally, that the person registering for the site is the person with that RRN. Of course, you can masquerade as someone else by just knowing the name and RRN and make an ID on a website that the actual person has not yet bothered to register. It's true and it happens pretty often. If you do get caught doing this, you'll be liable for jail time and hefty fine, but what if this is done by some Chinese dude from mainland China, as it is often the case? Not much you can do, except send some paperwork to the company running the website and reclaim or suspend the ID in question.
The even damning aspect of the RRN leak from the SK Comm hacking is that RRN itself is permanent, with no possibility of re-issue (with possible exception of getting a sex change, because part of the number identifies your gender). At least most US websites don't ask for your SSN. At Korean websites, if you're a foreigner, you might simply be blocked off from registering, or at least ask you to provide Foreign Resident Registration Number that's analogous to RRN. Handful of websites let you go through without this. It's a very sad situation.
Serving time in Aristotelean prison for violating laws of physics
1) SK Communications was using ESTsoft's ALTools (a set of various utility programs) for their computers
2) ALTools has an automatic update mechanism that grabs stuff from ESTsoft's server
3) ESTsoft's update server gets hacked and a trojan is installed
4) upon update, a trojan is served but ONLY to SK Communications.
5) PWN3D
Anons need not reply. Questions end with a question mark.
I think the closest we have ever come to a symbol being an effective source of identity is the RSA securid and devices like it. In order to effectively spoof them required breaking into RSA itself to collect the details needed. But beyond that, using "secret shared and collected information" as proof of identity is a problem and a vulnerability.
Every time I hear "...stolen information on individuals..." and bits like that, I just get a little tweaked not at the captured/collected information, but that information is used in place of identity. I don't know a "better way" other than not making things so big that mass collection and consolidation of data is a requirement for continued operation. People are not commodities and shouldn't be treated as such.
I used to play a type of side scrolling 2D platform shooter on a Korean website. Obtaining an RRN was easier than finding a crack. 30-odd mates from another gaming site also managed to join me. It really wasn't a big issue.
:)
So yeah, it's true, and it happens pretty often
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
I'm curious- how were you planning to crack a game hosted on a website?
It was a figure of speech.
Finding cracks is not a hard task. Finding RRNs is just as easy.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.