Meet The Lebanese Hacker Tormenting Sony “For Moral Reasons”
The unprecedented hacker feeding frenzy that has surrounded Sony since early April has been fueled by complex motives: The hacker collective Anonymous originally barraged Sony for its lawsuit against hacker George Hotz. And the newly-emerged group LulzSec continues to pound the company for, well, the “lulz”–the pure joy of destruction. “If you want ethics, go cry to Anonymous. True lulz fans, stay tuned in,” the group wrote on its Twitter after hacking three more Sony sites on Saturday.
But ask one lone Lebanese hacker who has been targeting Sony for three weeks why he continues to torment the company, and he offers an even more ambiguous answer: It began as “justice,” says the hacker who calls himself “Idahc.” Then it became “a game.” And now, he argues, he’s actually trying to make the Web more secure. “I did this to push Sony to pay more attention on their security and to show everyone that I.T security is fundamental,” he writes to me in an email. “I don’t hack for ‘lulz’ but for moral reasons.”
Idahc says he’s an 18-year-old Lebanese computer science student, working from a “poor Internet connection” and a laptop, hiding his identity with the usual tricks such as VPNs and proxy servers that disguise his origin, as well as hacking into his neighbor’s network. From that humble setup, he’s managed to evade arrest while hacking Sony three times, most recently compromising a database of Sony Portugal users last Thursday by exploiting three different types of Web vulnerabilities on one page: a cross-site scripting flaw, a SQL injection, and an iFrame injection.
Idahc made a point, however, of not exposing the entire database, only a small sample of the email addresses. “I am not a black hat to dump all the database,” he wrote in his now-deleted announcement of the hack on publishing site Pastebin. “I am grey hat.”
That Sony breach makes three for Idahc, after the young hacker earlier penetrated Sony Europe’s database with a similar web bug and exposed 120 users’ information, and before that hacked Sony Ericsson in Canada, compromising 2,000 users’ information and posting about half of it online. “ALL websites of Sony are vulnerable ……0.0001% security,” he wrote on Twitter over the weekend.
But Idahc maintains that he has stayed apart from groups like LulzSec because he considers them to be “black hat” hackers without his restraint. “I like to work alone, especially because when you are in a group it will always be a team decision, so when it’s about confidential info some person may choose to do something illegal with it,” he writes. “I like to handle it in my own way.”
That Idahc considers himself a “grey hat” hacker, however, shows how far towards the darker end of the spectrum that term has shifted. The 1990s hacker group the L0pht, for instance, which claimed to be “grey hat” hackers, worked directly with the companies whose products it hacked to fix their flaws. But Idahc hasn’t contacted Sony to discuss the company’s security issues, and argues that the company wouldn’t have responded if he had. “The best way is to show in public some information like emails of the vulnerable server and they will directly correct the flaw,” he writes.
I contacted Sony for comment, but didn’t immediately hear back from the company.
Even if Idahc’s methods may cross the line of what the infosec community calls “responsible disclosure,” to put it lightly, he nonetheless criticizes LulzSec’s recent escapades, like hacking the FBI program Infragard and the security firm Unveillance. “They shouldn’t play with the FBI,” he says. “I think this act falls on the black hat side.”
Likewise, he says he wouldn’t have breached one million of the passwords in Sony Pictures’ database, as LulzSec did earlier this month. “I didn’t even publish all the information I had,” he writes. “It is not my goal to destroy. I want to help Sony.”
With more than 17 hacking embarrassments in just the last two months, it’s safe to say this is the sort of “help” Sony would happily decline.
SQL injection attacks are cause for embarrassment. It’s more like trespassing than breaking & entering. No web-accessible database should be vulnerable to that; it’s one of the easiest attacks. Cross-site scripting is slightly harder to prevent, but not too much. Really, it’s the least you could do if you’re trying to protect someone else’s data (like your users’ emails). If SONY won’t protect their users’ data with the most basic of defenses just because it’s the right thing to do, maybe embarrassing them will make them pay attention. At the very least, it will show users that their data isn’t safe with SONY, so maybe they’ll stop giving up their data. Either way, the web will be safer.
One of three things is probably going on with Sony:
1) Their data security personnel are incompetent;
2) Their data security people know what to do but management has refused to fund it;
3) They outsourced their data processing to vendors who have done a very poor job of securing customer data.
When you talk to them, can you try to find out which is the case?
Do they handle their data processing and security on a very decentralized basis where each division runs its own show or do they have centralized control of the whole data processing/security operation?
Why have they been so slow to respond and correct these deficiencies?
Bet they won’t want to answer these questions!
http://ReportingWrongdoing.com