“LulzSec vs The Sun”, a Case Study?

Rupert MurdochLot of media (and not even those related to info security) reported this story today: LulzSec is back! Their last victim was the well-known English newspaper: the Sun. They redirected the site to a fake page which announced the death of Rupert Murdoch.

When reading this kind of news, our first reaction is often: “Wow! How did they achieve this? They should have deployed high-level hacking techniques!“. Then you start searching for more information and found that the attack was quite “simple”.

In 2009, a XSS vulnerability was found on the Sun website. A LulzSec member found an old server still online and running an old version of the newspaper website being still vulnerable to the same attack! Once pwned, this server was used as a jump-host to go deeper into the infrastructure. Finally the content management system used to publish the breaking news was also pwned: A simple line of JavaScript code injected in all published news was enough to redirect all the visitors to the fake page hosted somewhere else.

Some v€ndor$ are always looking for such “horror stories” like this one to push for some extra security products. Stop! This is a nice case study. Let’s review some facts:

1. The first component used to conduct the attack was a retired server. Why was this server still online? By implementing inventory and change management procedures you’ll avoid such zombies on your network.

2. The server was still running an outdated (read: vulnerable) version of the website. By implementing proper patch management, you could prevent this. Apply patches on all your systems not only the production.

3. The retired server suddenly generated some traffic and events (new connections, sessions opened). By using a log management solution, suspicious activity could be detected in time.

4. Visitors were redirected to a rogue server. By using simple monitoring tools, you could detect changes in the homepage or the server banners.

As you can see, implementing basic security rules could prevent from some attacks. No need to deploy $1M security boxes to protect your main door if some back doors remains unprotected!

2 comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.