PBS.org hacked... LulzSec targets Sesame Street?

Filed Under: Data loss, Featured, Privacy, Vulnerability

Update: LulzSec has made a post to pastebin.com stating they did not use SQL injection to compromise the PBS website. They claim they used a zero day exploit in Movable Type 4 and were able to compromise Linux servers running outdated kernels. They were able to further penetrate the systems by compromising administrative user accounts that used the same passwords on multiple systems within PBS.

PBS logoIn the latest politically motivated attack related to the Wikileaks saga, a group that calls themselves LulzSec has hacked the Public Broadcast Service (PBS). PBS is the American public television network most famous for the creation of Sesame Street.

PBS lulz hack

In addition to dumping numerous SQL databases through a SQL injection attack, LulzSec injected a new page into PBS's website as seen above.

Their motive? Mayhem. They took offense to the portrayal of Bradley Manning in a segment on PBS's Frontline news magazine program and decided to attack the broadcaster.

LulzSec posted usernames and hashed passwords for the database administrators and users. Worse, they also posted the logins of all PBS local affiliates, including their plain text passwords.

PBS affiliate database

While PBS is the victim here, the passwords disclosed for most affiliates are embarrassingly predictable.

There was absolutely no skill involved in this attack, as it used freely available tools to exploit the databases. The attackers represent nothing more than what many historically thought of as hackers: people creating chaos with no other purpose than gaining fame, irrespective of the damage caused.

The attack is nearly identical to the recent attack against SonyMusic.co.jp. LulzSec used the same tool to attack the Sony website, although far less sensitive information was disclosed in the Sony attack.

Several other databases were disclosed, some including plain text passwords, others using hashes. It is unfortunate that PBS was vulnerable to this kind of attack and even worse that so many passwords were stored in clear text. Revealing this information is criminal and there are certainly more respectable ways of disclosing flaws than exposing so many users' passwords.

The media may have the perception that the real risk from hackers is related to cyberwar and uber-secret defense contractors, but the reality is that we all have a role to play in securing ourselves, our partners and our customers.

It appears the fallout from Wikileaks' disclosure of diplomatic cables has not yet reached its climax, and anyone and everyone may be targeted by the vigilante justice dished out by their fans.

Whether you are related to political causes or not, an easy way to ensure you aren't the next victim is to make sure that you protect the information you are entrusted with. Data stored insecurely is a bomb waiting to detonate. Security must be a proactive attitude because reacting is simply too dangerous.

, , , ,

You might like

12 Responses to PBS.org hacked... LulzSec targets Sesame Street?

  1. NotFakeGreggHoush · 1242 days ago

    The hackers used a cryptic phrase in the fake Tupac story they posted on PBS. The phrase read, "yank up as a vital obituary" and the hackers tweeted that they meant this phrase as a puzzle for the world.

    The phrase is an anagram for the names of four well-known hacker members of Anonymous: Topiary, Kayla, AVunit, and Sabu. Is this a red herring or a true calling card? Only time will tell.

  2. mugabo · 1242 days ago

    I am in favour of establishing minimum security requirements for all owners of connected devises with scaling punitive consequences.

  3. Dave Nelson · 1241 days ago

    Cyber warriors should be treated as cyber war criminals. Attacking a prestigious news and documentary outlet for speaking the truth is shameful. It's time that we go after the hackers.

    • Ryan · 1240 days ago

      You can't go after them. They're too good at covering their tracks and leave no paper trail.

  4. Matt Harrigan · 1241 days ago

    Suggesting that someone has no skills because they use open source security tools makes it seem like you might not understand much about what you're writing about.

    • Guest · 1225 days ago

      No... it suggest that they're a pathetic little script kiddie living in mommy's basement, contributing nothing to society and ONLY having enough skills to copy attack vectors using canned software. Sad. Really, really sad!

  5. MAphisto · 1241 days ago

    No single individual is really in danger here, hackers like this arent targeting single people but groups who have spoken against Wikileaks, so therefor, the average consumer really has nothing to fear, so dont buy into the media's take on "everyone is at risk" its stupid and unwarrented.

  6. :)----- · 1241 days ago

    Atleast they hack the right sites, greedy corporation bastards deserve this. They don't care about us, just their money and monopol.

    • But that's the problem here!

      PBS.org is The Public Broadcasting Network. They are non-profit. Their shows taught my little brother to read when no one else wanted to take the time to help him. PBS did and still does so much to make people's lives better.

      I thought it was sad that the affiliates' userid's and passwords were posted too. It increases the exposure to parties only very peripherally (or not at all) associated with PBS decision-making regarding WikiLeaks. But it will make these affiliates more fearful, hesitant to continue support/ participation in a socially beneficial entity like PBS,org. Or that's what I am afraid of. It will hurt our children, all of us.

  7. John · 1241 days ago

    How do I get a bigger copy of that AYB screenshot, I want it for a my desktop :)

  8. I have been reading the blog for some time and I usually agree largely with what is said but....Why would anybody write a 0-day exploit, or spend weeks planning an attack when they can use a simple public exploit? No matter how Inferior you make the attacker sound, they still managed to compromise the target.

  9. 0v3rcl0ck · 1100 days ago

    I think the point has already been lost. You defend the media, known for censoring things and keeping things back (though often not of their own accord) though hacking and then revealing private, restricted data seems to contradict it's self. And using open tools to hack? I think they're trying to make another point: if you can use something freely available to achieve something that used to require specialized programs and operating system environments, maybe those that are supposed to look after the security aren't quite as skilled or smart as they need to be? The hacking you see in movies: someone infiltrates the building to directly connect to a server or terminal to be able to get the data? Turns out it's much easier than that! Seems they all believed they were secure, wanted to make a big statement about how hard it is and how much trouble you'll be in... Then suddenly, freely available, public tools are used that someone relatively new to it could easily get a script to do the hack for them... Can you really put the blame soley on those that use the tools? Isn't it actually the other parties faults for making it so easy in the first place? You have to be pretty sharp to spot security flaws and exploits. I almost can't believe how 'easy' it was! Don't forget that technology is actually quite neutral. It's use ultimately depends on how 'good' or 'eeeeevil' the end result is, or how it's perceived. I'm sure explosives are used for good, not just to cause chaos. Or it's for 'research' which really means "a damn good excuse for blowing something up and use an expensive slow motion capture camera or three". I must admit, it is awesome to watch. :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.