Infragard Atlanta, an FBI affiliate, hacked by LulzSec


In a self-titled hack attack called "F**k FBI Friday", the hacking group known as LulzSec has published details on users and associates of the non-profit organization known as Infragard.

Infragard describes itself as a non-profit focused on being an interface between the private sector and individuals with the FBI. LulzSec published 180 usernames, hashed passwords, plain text passwords, real names and email addresses.

Where did the plain text passwords come from? Considering LulzSec was able to decrypt them, it would imply that the hashes were not salted, or that the salt used was stored in an insecure manner.

One interesting point to note is that not all of the users' passwords were cracked... Why? Because these users likely used passwords of reasonable complexity and length. This makes brute forcing far more difficult and LulzSec couldn't be bothered to crack them.
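To make the point about salting concrete, here is an added example (not code from the original article or from Infragard) that stores the same constructed accounts two ways and checks which accounts end up with identical hashes. SHA-1 stands in for the fast unsalted hash, which the article does not name; the PBKDF2 iteration count and the record format are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash; returns a self-describing record."""
    salt = secrets.token_bytes(16)  # unique per account, stored beside the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_digest_groups(users, hasher):
    """Group accounts whose stored hashes are identical.

    A group larger than one means a single successful guess (or one
    precomputed table entry) exposes every account in it at once.
    """
    by_hash = {}
    for user, password in users.items():
        by_hash.setdefault(hasher(password), []).append(user)
    return [sorted(group) for group in by_hash.values() if len(group) > 1]


# Constructed sample accounts (not taken from the leaked data).
SAMPLE_USERS = {
    "alice": "Summer2011",
    "bob": "Summer2011",
    "carol": "x7#Kq!vT9w$Lm2",
}
```

With the unsalted scheme, `alice` and `bob` share one digest; with per-account salts no two records match, and each guess costs the full iteration count per account.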

In addition to stealing data from Infragard, LulzSec also defaced their website with a joke YouTube video and the text "LET IT FLOW YOU STUPID FBI BATTLESHIPS" in a window titled "NATO - National Agency of Tiny Origamis LOL".

Infragard Atlanta's defaced website

Aside from defacing their site and stealing their user database, they tested out the users and passwords against other services and discovered many of the members were reusing passwords on other sites - a violation of FBI/Infragard guidelines.

LulzSec singled out one of these users, Karim Hijazi, who used his Infragard password for both his personal and corporate Gmail accounts according to the hackers.

They've published a BitTorrent with what they claim are nearly 1000 of Hijazi's corporate emails and an IRC chat transcript that purports to be a conversation they had with him.

They also disclosed a list of personal information including his home address, mobile phone and other details.

It's hard to say when these attacks will end, but a great start would be to carefully analyze your security practices and ensure that your data is properly encrypted and to regularly scan your servers for vulnerabilities.

As for LulzSec? It appears they have declared war on one of the premier police forces in the world... Their fate remains a mystery.


32 Responses to Infragard Atlanta, an FBI affiliate, hacked by LulzSec

  1. Joe · 1049 days ago

    Are these people a collective group of 12-year-olds with nothing else to do than flaunt the tired and tried "Oh, look- we can get peoples' passwords! Awesome!" attention phases?
    We get it - organizations, especially those up top, need to be more secure. But the surface of this group (looking at its name alone) seems to suggest they're more than anything else a lonely group of selfish people who don't care what consequences their actions have for others. Innocent people lost their privacy.
    As often as some say it's a great way to encourage organizations to increase security, there are other ways to do so. Ultimately, they are creating a problem that wasn't there before and it leads to more and more people to do the same.

    • Sean · 1049 days ago

      "Are these people a collective group of 12-year-olds with nothing else to do than flaunt the tired and tried "Oh, look- we can get peoples' passwords! Awesome!" attention phases?"

      Probably not. This is a dumb assertion disguised as a rhetorical question in an attempt to make a dumb idea seem less dumb. Sow's ear and silk purse - remember that.

      "a lonely group of selfish people"

      Yeah, and pedophiles are easily identified as being old guys with funny eyes. These groups can be interestingly diverse. Guys are likely to be over-represented, but not the cliched 12 year-old perma-virgins. Your comments are stultifying uninformed speculation of the kind better reserved for Daily Mail leaders.

      I'd argue that companies failing to take decent security precautions are culpable here. The crackers are breaking the law, and if caught should be prosecuted, but what about companies and organisations that were tasked with protecting this data? These recent intrusions, Sony being the largest, were made possible by poor security practices. Seriously, who on earth uses the same password for multiple systems containing sensitive data?

      • (another) Sean · 1047 days ago

        Well said.

        Nintendo just got hacked too, however they didn't leak any user information. Why? Because Nintendo uses LAYERS of security. Not a half-assed network that just sticks the load on my connection by assigning.

        ENCRYPT OUR PERSONAL INFORMATION YOU N00BS.

        I don't mind Ps3, but at least Xbox's network and matchmaking is much higher quality. The only reason they haven't been hacked yet though is because of all the years of dealing with windows came in handy.

    • Lucky · 1046 days ago

      Let the revolution begin!!!

    • Raion · 1045 days ago

      ya great that the fbi has trouble against 12 year olds.

  2. Jesse · 1049 days ago

    these people will be killed. The government will find out who they are and kill them.

    • Tim · 1047 days ago

      It's their own people, so nothing will happen to them. They're doing it so they can justify passing the "internet kill switch" legislation. Even though it's common knowledge that electric, nuclear, and other sensitive systems are NOT online, they'll still say we need to do this "as a matter of national security".

    • Wiki Leeks · 1046 days ago

      Exactly ... It's pointless going after them if they are the Government themselves don't you think?

      They create a PROBLEM and then scream ACTION is required and then hey ... they too offer the SOLUTION.

      :-)

  3. well · 1049 days ago

    maybe it's the government itself. what better excuse to monitor everyone and everything. lols indeed. anonymous no more. that's what i think this is.

  4. 'maybe its the government itself'

    You must be smoking Jesse Ventura's conspiracy stash to think the FBI hatched a plan to make themselves look like incompetent morons to get more power to monitor everyone. The FBI doesn't need more power - it needs to be called on the carpet and held accountable. That means reprimands, notices of termination, or possibly prosecution for those FBI employees or contractors who were grossly negligent in following basic security protocols.

    While LulzSec is doing it for malicious laughs and feigning to be saviors of Internet freedom, other more formidable adversaries (e.g. foreign intelligence services) are without a doubt exploiting the same security vulnerabilities but they do so discreetly without the LulzSec ego stroking publicity.

    • well · 1049 days ago

      Read carefully before you rant on. No mention of giving "more power" to FBI. My concern is that soon state will require registration before granting access to the net.

      (that said, I am sure there are few other agencies in us gov that wouldn't mind making FBI look like morons and have the means to pull this off ...)

    • Lucius · 1047 days ago

      False flag events are what governments do. It's history, not conspiracy. When terror occurs, think government first. If they publicize the event, it's almost guaranteed.

    • SOG · 1046 days ago

      The FBI wouldn't be the ones launching the attack, the FBI would be the scapegoat. Look to higher echelons of power.

      False Flag

  5. vincent · 1049 days ago

    I'm sure that their lives are in big trouble........ FBI is one of the biggest org. of the government >.<

  6. andy · 1049 days ago

    these guys are smarter than they may lead you to think.

    • stonemirror · 1048 days ago

      "these guys are smarter than they may lead you to think."

      Heh. They'd almost have to be.

  7. jilm · 1047 days ago

    little origamis....that's usually the case with people who choose professions that lack humanity and respect for all people vs the team tribal machinations they are exploited through

  8. GFG · 1047 days ago

    This is insane! The most egregious mistake being that apparently the CEO reused passwords, not to mention the many weak passwords of users.
    I know of many organizations that require complex passwords and some sort of physical key card.
    Apparently there was nothing of the sort there, not even proper file/password encryption.

    But still, these hackers are criminals, or smart assholes who want to rip on other lazy assholes!

  9. Zeta Thompson · 1047 days ago

    Perhaps users need to start saying NO too. They need to start refusing to disclose information over the internet. I have been asked for my cell phone number and address from Google, Twitter and Facebook so I can KEEP in touch. In all the above cases I refuse. In cases where it is a form that must be filled in and I feel the information they are asking is truly pertinent to what I am doing, I refuse to fill it in online and send in paper. Yes companies must encrypt and secure their data, but users should use a little sense too and refuse data that a company does not need to provide the services over the internet.

  10. Nash · 1047 days ago

    Crazy as a Fox!

  11. trter · 1047 days ago

    Everyone is getting hacked right before they roll out their new laws that give the government the power to take over the internet.

    Say goodbye to the Internet if you buy this crap.

    They are going to do whatever it takes to take this freedom away! These hacks will only continue and expand until you can't login without biometric confirmation of who you are which is the mark of the beast.

    Freedom isn't free, you better fight not to have your freedoms stolen by government.

  12. Tim · 1047 days ago

    "Where did the plain text passwords come from? Considering LulzSec was able to decrypt them it would imply that the hashes were not salted, or that the salt used was stored in an insecure manner."

    Umm, hello... If they are using an ASP.NET "membership" database, all the password "salts" are stored RIGHT IN THE DATABASE so they're reaaallly easy to get.

  13. someprogrammer · 1047 days ago

    Lol. While you guys argue over mindless details, I keep asking myself why these "attacks" come out of nowhere just before they start a big push for cyber security policies from Washington. OK, people go back to sleep. Your government is in control.

  14. Vince · 1047 days ago

    I'm going to try and post this AGAIN, but a bit differently. STUPID moderators...

    The reason for all the attacks lately: The administration has stated that dropping bombs on people is not an act of war; while, haxzeing a computer is an act of war...

    Doesn't that just ooze Orwellian... FFS...

  15. Rynosaur · 1047 days ago

    This is totally the catalyst for new internet legislation for the government. Can we say "False-flag"?

  16. hayet · 1046 days ago

    Save me government.....the hackers are going to get me...don't worry...we might just have a plan...we've been telling you we need strict controls on the web...sure sure....as long as you don't censor the porn....haha
    I can't believe people are consistently buying the fables....i just read...Anonymous.....woooo..hacked into the Iranian foreign ministry.....and all these people excited that they have a hero......what a joke.....don't worry superanonymous is here to save our rights on the Internet.....pay attention to anonymous and not to the laws we are trying to implement.....waking up is so boring compared to getting high on fables and entertainment......

  17. Cryogenix · 1046 days ago

    Rarely do hackers strike on the right people.. This is one of those rare times.

  18. Spit Fyre · 1044 days ago

    Premier police force in the world my ass!

  19. anon · 1039 days ago

    Well they made one mistake, even though lulzsec.com is registered to a hidden name on whois, their IRC channel is hosted on lulzco.org which is registered by this person:
    Registrant Name:David Davidson
    Registrant Organization:LulzCo
    Registrant Street1:615 North Mathilda Avenue
    Registrant Street2:
    Registrant Street3:
    Registrant City:Sunnyvale
    Registrant State/Province:California
    Registrant Postal Code:1001
    Registrant Country:US
    Registrant Phone:+1.44232525353
    Registrant Phone Ext.:
    Registrant FAX:
    Registrant FAX Ext.:
    Registrant Email:contact@lulzco.org

    tiny oversights will always cause someone to trip up....

    • Guest · 1038 days ago

      Well...

      Unless you want to meet them at McDonald's for a cup of coffee then that address isn't going to do you much good. They may be sad, pathetic, arrogant, sociopathic, attention-hungry little losers, however; they're not stupid (just not smart).

      LULZ!!!

      :)

  20. Guest · 1038 days ago

    Sad, pathetic, little losers...

    LulzSec - Losers United Lacking Zyprexa - Sadly Erectile Challenged

    Get a job, move out of mommy's basement and contribute something useful to society. If the only way you can feel good about yourself (or have a LULZ) is to tear down something that someone else has built then you have serious issues. The good news is... they make medication for that. Try some!!!

    Flame away skiddies...

    :(

    P.S. In the case of the most recent "FBI Friday" attack... Way to go... Your arrogance is now officially exceeded only by ignorance... LULZ!!!

  21. government stinks · 867 days ago

    The government have been using false flag for ages!!
    it's the best way for the government to take control..
    like 911

    corruption is the key here and always will be
    cause the government is so powerful and keeps getting more power
    i think it's too late almost to stop the government


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.