Slashdot Mirror


That North Korean Facebook Clone Has Already Been Hacked (vice.com)

Remember yesterday's story about an off-the-shelf Facebook clone in North Korea? Within a few hours that site was hacked by an 18-year-old college student in Scotland. An anonymous reader writes: Using the default credentials, Andrew McKean posted "Uh, I didn't create this site just found the login" in the site's box for Sponsored links. "McKean was able to become an admin for the site just by clicking on the 'Admin' link at the bottom of the site and guessing the username and password," writes Motherboard, which adds that the password was "password". McKean says the breach "was easy enough," and granted him the ability to "delete and suspend users, change the site's name, censor certain words and manage the eventual ads, and see everyone's emails."
The teenager said he had "no plans" for the compromised site -- except possibly redirecting it to an anti-North Korean page.

84 comments

  1. That's the best you could think of? by K.+S.+Kyosuke · · Score: 1, Troll

    "Uh, I didn't create this site just found the login"

    Why not "Kim Jong-Un is a pussy! Sincerely yours, Park Geun-hye" or something more creative like that?

    --
    Ezekiel 23:20
    1. Re:That's the best you could think of? by Anonymous Coward · · Score: 1

      Nah, you should be able to do better than that: Public Announcement: Following up on the policy of acceptable haircuts for students that need to follow the impeccable style of our beloved leader, we've decided to extend the required compliance: Please report to the nearest hospital for cosmetic surgery if your penis measures more than 2 inches to follow our beloved leader's standard.

    2. Re:That's the best you could think of? by Opportunist · · Score: 2

      How uninspired. The true gold would be:

      1. Make a few insanely absurd new rules for the North Korean people. This is actually the challenging part for a people that already had mandatory haircuts, I agree.
      2. Point a few western news networks at the page.
      3. Watch the ensuing hilarity when they start gobbling up your insanity as reality.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Hacked? Really? by Frosty+Piss · · Score: 4, Insightful

    The word "hacked" is overused. Making a fairly easy assumption that the default UID / PID has not been changed by some rube North Koreans who didn't expect anyone to notice the demo site is hardly a "hack".

    On the other hand, I'll bet that the REAL North Korean intel guys gathered a whole lot of data from the honeypot site.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Hacked? Really? by Anonymous Coward · · Score: 0

      Oh yeah?! Well honey isn't vegan and pot is illegal! What do you say about THAT?

    2. Re:Hacked? Really? by thegarbz · · Score: 1

      The word "hacked" is overused.

      That's only because the bar for people is set too low. Hack means to gain unauthorised access to a system. Whether that was via a SQL injection or because someone gave up the password in a phishing scam, or someone unauthorised simply guessed the password isn't part of the definition.

      It was a cheap hack which required no skill whatsoever, but a hack nonetheless.

    3. Re:Hacked? Really? by AmiMoJo · · Score: 1

      Yep. It's either a honeypot trap that this guy just stumbled into, or it's some random student's university project and pretty far from the spectacular "hack" that TFA seems to think it is. How many people are actually using this site and are they posting anything interesting?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Hacked? Really? by turbidostato · · Score: 1

      "The word "hacked" is overused."

      Still, if this was not a North Korean site but, say, a US Gov one, wouldn't this boy be already assaulted by a SWAT team, moved to gitmo and presented as public enemy number one?

      Why the double standard?

    5. Re:Hacked? Really? by turbidostato · · Score: 4, Insightful

      "Hack means to gain unauthorised access to a system."

      That's a crack.

      A hack is any clever and usually unexpected use of technology to accomplish a task.

    6. Re:Hacked? Really? by JustAnotherOldGuy · · Score: 1

      Agreed...this is not really worthy of the "hacked" label.

      To call this "hacking" is akin to microwaving a burrito and calling it "cooking".

      --
      Just cruising through this digital world at 33 1/3 rpm...
    7. Re:Hacked? Really? by Anonymous Coward · · Score: 0

      The best definition I've heard is that a hack is using something for a purpose it was not originally intended for. That purpose can be, but not necessarily is, malicious.

    8. Re:Hacked? Really? by thegarbz · · Score: 1

      That was a crack. Language has moved on and left the old definitions in the past. That's the upside and the downside of English and while you like the distinction if you tell someone you cracked a system they will likely think you're inhaling a new kind of drug.

    9. Re:Hacked? Really? by turbidostato · · Score: 1

      "That was a crack. Language has moved on and left the old definitions in the past."

      Only it has not moved. When a comment in code reads " # dirty hack: I did this because... " nobody thinks the author left a backdoor in the program.

    10. Re:Hacked? Really? by Anonymous Coward · · Score: 0

      is the burrito cooked at the end of the process? if it is, how can the process of taking a burrito and making it a cooked burrito not be called cooking?

    11. Re:Hacked? Really? by thegarbz · · Score: 1

      Only it has not moved.

      I beg to differ, as do people who read newsspeak, read the internet, consume various forms of popular media, talk at the water cooler, and those who write dictionaries which document the present use of words. Note I said document. The dictionary does not define, it only documents the present popular usage and some nicer dictionaries give you a bit of history of the words too.

      To claim the distinction is to not move with the times which while you're right unfortunately makes you an "outcast" to the common usage. Not that this is a bad thing, it's actually part of being intelligent, but there's no denying that the language in common use has well and truly moved on.

    12. Re:Hacked? Really? by turbidostato · · Score: 1

      "I beg to differ, as do people who read newsspeak, read the internet"

      It's funny then, that just yesterday, in the most sold newspaper in my country (so, for the masses), the CEO of one of the biggest telcos in the world presented his newly appointed Chief Data Officer as the "most famous hacker in the country". You can bet he was not talking about somebody that illegally breaks into others' systems.

    13. Re:Hacked? Really? by mcswell · · Score: 1

      Polysemy.

  3. Hacked by Anonymous Coward · · Score: 1

    "which adds that the password was "password""

    He must have used a sophisticated brute force attack.

    1. Re:Hacked by Anonymous Coward · · Score: 0

      If your brute force succeeds on the first try, it's still brute force, no?

    2. Re:Hacked by Anonymous Coward · · Score: 0

      I think that's called intimidation tactics.

    3. Re: Hacked by Anonymous Coward · · Score: 0

      No. This was pushing the unlocked door in.

  4. Link the front page to factnet.org by Anonymous Coward · · Score: 0

    And watch the Scientologists square off with the government of North Korea.

    I'll bring the popcorn....

    1. Re:Link the front page to factnet.org by Frosty+Piss · · Score: 1, Troll

      No one cares about your Scientology obsession, because no one cares about Scientology. If you were stupid enough to get sucked into it in the first place, you're still stupid.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re: Link the front page to factnet.org by Anonymous Coward · · Score: 0

      Not just yet. I think they should redirect the tech support to Mormon chat online, complaint department to Landover Baptist chat akin to a Catholic vs WASP forum, and what should Jehova's Vitnesses be bressed with from Best Korea server?

  5. which country has more... by Anonymous Coward · · Score: 0

    I dunno who boasts more Chuck-len Norris-esque jokes, Scottlan or Bess Koreahhhhh? I would have sold admin access to someone who would write some embassy into North Korea like on the tip of their Waffelhotel or write some more unicorn layets around somewhere... you know, because they tend to claim fiction exaggerations as greatest propaganda pieces. Then install System D on their server to really scare them.

  6. food not meds. by Anonymous Coward · · Score: 0

    Pot is an agriculture product, no different than hops.

    1. Re: food not meds. by Anonymous Coward · · Score: 0

      Just like poppies. I think I'll go sell heroin to middle school kids.

    2. Re: food not meds. by Anonymous Coward · · Score: 0

      Sell them cannabis too so there can be more evidence of one of the few substances on Earth with no lethal dose, even with kids.

    3. Re: food not meds. by Anonymous Coward · · Score: 0

      I call BS. There is a lethal dose. Even if the LD 50 is something like 2Kg/Kg, it still has a lethal dose (In this case, the case of death would be something like overeating or crushing, if you really did apply 2Kg/Kg.)

    4. Re: food not meds. by Anonymous Coward · · Score: 0

      You must be fun at parties.

    5. Re: food not meds. by Anonymous Coward · · Score: 0

      I call BS on your BS. How to take it all before having the best nap of your life? Be fucking practical, not stupid.

      More people have died on water overdoses, not even counting drownings, of course.

  7. Safety by Anonymous Coward · · Score: 0

    I'm not sure I'd put my real name on any sort of embarrassment to the North Koreans. They are rather unpredictable.

    1. Re:Safety by Anonymous Coward · · Score: 0

      I'm not sure I'd put my real name on any sort of embarrassment to the North Koreans. They are rather unpredictable.

      The human race as a whole is unpredictable. Anon for a reason.

    2. Re:Safety by Opportunist · · Score: 1

      As unpredictable as the average child with a water gun full of ink. Yes, in theory he could ruin your dress, but in the end he's more afraid of the spanking he'd get for it than you are about your suit.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Safety by Mr+D+from+63 · · Score: 2

      I'm not sure I'd put my real name on any sort of embarrassment to the North Koreans. They are rather unpredictable.

      I predict North Korea will have at least one less (living) IT staff member.

    4. Re: Safety by Anonymous Coward · · Score: 0

      Maybe 20 years ago.

  8. Next man up by Anonymous Coward · · Score: 2, Interesting

    The poor shlub who administers that site has probably already been executed.

  9. Lock him up! by Anonymous Coward · · Score: 0

    Doesn't matter what he did, you said "hacker". It's the law!

  10. Lock him up! by Anonymous Coward · · Score: 0

    Hopefully he will be extradited to face his punishment.

  11. The new generation by fred911 · · Score: 4, Funny

    "The teenager said he had "no plans" for the compromised site"

      Ah these young'ins, back in the day it would be goatse.cx 'ed or at the very minimum a penis bird!

      Jeeze what's this world become.

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:The new generation by Anonymous Coward · · Score: 0

      When talking about NK, perhaps his decision leads to the execution of the people who created the Facebook clone.

    2. Re:The new generation by Gravis+Zero · · Score: 1

      "The teenager said he had "no plans" for the compromised site"

      [...]

        Jeeze what's this world become.

      hopefully, more civilized. previous generations are really trying hard to ruin what's left of the world.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:The new generation by Some+nick+or+other · · Score: 1

      I can think of something more useful. See if the site computer has a modem or phone connection or something, and then bridge over onto the Kwangmyong intranet. Port scan and download everything! ... although at dialup speeds, it would take a while.

    4. Re:The new generation by techno-vampire · · Score: 4, Interesting

      I think that if I managed to hijack a site in North Korea, I'd simply redirect it to a tourism site in South Korea to let the North Koreans get a look at how the other half lives.

      --
      Good, inexpensive web hosting
    5. Re:The new generation by thegarbz · · Score: 1

      hopefully, more civilized. previous generations are really trying hard to ruin what's left of the world.

      Wow, found the captain of the fun police.

    6. Re:The new generation by Opportunist · · Score: 1

      Linking to goatse? Why, it's North Korea, I'm pretty sure the page already showed a huge asshole on the front page.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:The new generation by Anonymous Coward · · Score: 0

      North Korean internet is effectively a country-wide LAN

    8. Re:The new generation by Anonymous Coward · · Score: 0

      Which shows you'd have no hope of hacking it unless they used password as the password. You'd need to host the propaganda images locally or the redirect would only work outside NK. It wouldn't be effective though since only the NK elite has Internet access, and they already know the average SK citizen has it better than the average NK citizen. Like their counterparts in other countries, they do not care about those suckers.

    9. Re:The new generation by Anonymous Coward · · Score: 0

      Actually, I've met a few North Korean expatriates, we asked one, "what was it that made you risk your life leaving NK?" The answer, "nail clippers". He was posted on the NK/SK border across from an SK soldier, the SK soldier dropped some nail clippers and didn't bother picking them up. It ate at him, "how could he just leave something so valuable on the ground?" That one incident was the first thing that helped undo the brain washing of a lifetime of propaganda and lies.

      I've heard other similar stories as well.
      I assume the poor bastards just actually believe the propaganda. I mean, especially when your family will be thrown in a prison camp if you're caught.

    10. Re:The new generation by Anonymous Coward · · Score: 0

      Yep, linking to external content would have no useful effect. If he had wanted to make an impact he could have posted content from some other anti-NK site. Maybe even linked it off one of the main page's links rather than on the front page itself to avoid detection for a while.

  12. totally called it by Gravis+Zero · · Score: 1

    seriously, this was an easily predicted outcome. PHP and security are at odds with each other.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:totally called it by Tablizer · · Score: 1

      What's the safe language then?

  13. It's North Korea by Anonymous Coward · · Score: 0

    So it's ok to be a virtual vandal in some cases?

  14. Password is in english? by Anonymous Coward · · Score: 0

    Shouldn't the password have been in Korean?

    And what "eventual ads?" Maybe propaganda, but in a true Communist country there are no billboards, TV ads, or on-line ads. People are directed to build things like this and the central government is supposed to provide what people in the West would buy (food, shelter, clothes). And bigger items get shared by the public.

    1. Re:Password is in english? by hcs_$reboot · · Score: 1

      Shouldn't the password have been in Korean?

      The guy pumped and untared a tar.gz he found on the Net somewhere in a "docs" folder. Probably from the billions available from the US. That happens all the time in Western countries, but since it's NK, that makes the news.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  15. They were lucky by ruir · · Score: 1

    sarcasm on: He could have changed the password, and then they would not know how to regain it back....

  16. Crime by Anonymous Coward · · Score: 2, Interesting

    I hope he is prosecuted to the full extent of the law both UK and NK, any propaganda-induced bias against NK is not reason enough to commit a crime.

    1. Re:Crime by Noah+Haders · · Score: 1

      it's not a crime to hack the DPRK.

  17. NK U? by Tablizer · · Score: 1

    It was probably a student project, not a gov't sponsored site. I doubt the NK gov't gives a fuck.

  18. Still illegal. by Anonymous Coward · · Score: 0

    It's surprising that one would admit to a felony like that. It being in nk doesn't suspend law.

  19. In what language is "password" a secure password? by raymorris · · Score: 1, Interesting

    He got in because the password was left as "password". In what programming language is "password" a secure password?

    Having said that, ten or fifteen years ago PHP had serious security issues, given that it is designed to be used on web, where the application will be attacked daily. It was literally impossible to write a secure program in PHP; literally "hello world" had a security vulnerability. Much has changed. PHP was originally a CMS, written in Perl with a bit of C. It's now an actual programming language, one used by clueless little companies like Facebook. Seriously, it has improved a lot. The world's largest web sites wouldn't be running on PHP if it were junk.

    Having said THAT, it's still an "easy" language to start learning. You can start writing little PHP scripts without being trained and educated as a programmer. If you do that in any language and put your scripts on the web, you'll get hacked. While PHP as a language is pretty decent now, PHP "scripters" who don't know any programming language other than PHP are still mostly people who don't know much. But the same is true of .Net or many other languages. If you learned a bit of a language but never learned programming and especially security issues of web programming, you probably shouldn't expose your software to internet hackers.

  20. Non-story by Wuhao · · Score: 1

    This sounds like a default, or near-default install of a basic web application, made available from a public-facing IP. The only remotely interesting thing here is that the IP is in NK, but the only real story seems to be "someone in North Korea with the ability to allocate a public IP played with dolphinPHP." I mean, it could be an official party directive. Or it could be that some bureaucratic entity in DPRK did what bureaucratic entities love to do: had an idea that went nowhere, which may not have ever been understood by anyone in the first place, and led to some amount of useless effort being expended.

  21. Since when? by burni2 · · Score: 1

    1.) Since when is it not a crime to hack DPRK, just because it's the DPRK? I think the UK computer fraud acts are pretty specific.

    The big exception is, when you would be part of the military or part of a secret service - then you can commit crimes sometimes even against humanity and go unpunished.

    2.) And there might be an exception when the hacking could go unpunished, exactly if it would be used to save lives, for example or stop atrocities (by changing the execution list for example), or bring evidence forth about violation of human rights.

    1. Re:Since when? by Noah+Haders · · Score: 1

      Who from the DPRK is going to press charges? That would make the Dear Leader look like a Deer Breeder. Also, what kind of jury would convict on something like that? Also, I'd like to see the evidence.

    2. Re:Since when? by Joe_Dragon · · Score: 1

      and if the DPRK fakes evidence or claims that the hacked killed someone then what?

    3. Re:Since when? by Noah+Haders · · Score: 1

      A gold medal.

    4. Re: Since when? by Anonymous Coward · · Score: 0

      So, is it not a crime, or just causes embarrassment?

      In other words, you don't know what the fuck you are talking about.

  22. Re:In what language is "password" a secure passwor by Anonymous Coward · · Score: 0
  23. the question is by Anonymous Coward · · Score: 0

    Will North Korea pursue this malignant hacker?

    1. Re:the question is by Anonymous Coward · · Score: 0

      Will North Korea pursue this malignant hacker?

      No, but maybe the Polis will pay this wee bampot a visit..

  24. Oh? This is a story now? by SeaFox · · Score: 1

    Kinda amused to see this get put out as a story now. It didn't get much attention when I pointed it out yesterday. The little ninja character was gone pretty fast, though.

  25. Re:In what language is "password" a secure passwor by Anonymous Coward · · Score: 0

    The world's largest web sites wouldn't be running on PHP if it were junk.

    Lol, I'm sure that's a logical fallacy.

    The only reason why Facebook is still using PHP is because they had too much legacy code. They had serious up-scaling issues a number of years ago, so they created their own "PHP", which is compiled and supports type checks. They also use extensive unit tests for every little bit of code, which is not how the typical PHP app is written.

    So is it possible to write (non trivial) secure code with modern PHP? Maybe, with a lot of effort and testing. But I wouldn't stake my life on it. Wordpress and Drupal get hacked all the time.

    Btw I'm maintaining/refactoring a large legacy PHP backend, so I'd like to think I know what I'm talking about. PHP is the only programming language I've used (of many) where WTF is the new normal...

  26. I don't get it. by hey! · · Score: 1

    Why is this news? Were people expecting North Korean admins of off-the-shelf websites to somehow be better than ones in the rest of the world?

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  27. Re:In what language is "password" a secure passwor by raymorris · · Score: 1

    >> Ten or fifteen years ago PHP sucked
    > I'm maintaining/refactoring a large legacy PHP

    I feel your pain. I've done the same with a million-line PHP project called Moodle.

    Since you are refactoring, I hope you study modern PHP and apply it where it makes sense.

  28. Re:In what language is "password" a secure passwor by jordanjay29 · · Score: 1

    Having used Moodle for a university class, I bow to your unholy patience and fortitude.

  29. Has it been changed yet?? by Anonymous Coward · · Score: 0

    I bet that the owner cannot or does not read this or any other tech news.

  30. Deathtoll ? by Thanatiel · · Score: 1

    How many North Korean people will die because of this?
    Or is the craziness not to that level yet?

    --
    Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
    1. Re:Deathtoll ? by Anonymous Coward · · Score: 0

      That was my first thought also. Yes it is certainly at that level.

    2. Re:Deathtoll ? by Anonymous Coward · · Score: 0

      Was thinking the same thing, this Andrew McKean fellow probably just inadvertently got a whole bunch of people killed or sent to a prison camp, etc.

  31. Thoughtless youth by Anonymous Coward · · Score: 0

    This prank will probably cause the poor schmuck that is web admin for the site to literally lose his head.
    North Korea consists of 1 maniac leader, a handful of supplicant generals fearing for their lives, and millions of poor schmucks nearly starving to death while fearing for their lives.

  32. Re:In what language is "password" a secure passwor by Anonymous Coward · · Score: 0

    He got in because the password was left as "password". In what programming language is "password" a secure password?

    The password programming language of course. It is spelt pa55w0rd don't you know? Shame on you Mr. Morris. LOL

  33. An older version, I'm guessing by raymorris · · Score: 1

    I'm guessing you used an older version. Moodle too has improved dramatically in the last four years. It has really grown up.

  34. host a special election by Anonymous Coward · · Score: 0

    Powdered Toastman ftw!

  35. Dunno why... by Anonymous Coward · · Score: 0

    ...but some guy called Kim has the most friends.