PBS.org hacked… LulzSec targets Sesame Street?

Update: LulzSec has made a post to pastebin.com stating they did not use SQL injection to compromise the PBS website. They claim they used a zero day exploit in Movable Type 4 and were able to compromise Linux servers running outdated kernels. They were able to further penetrate the systems by compromising administrative user accounts that used the same passwords on multiple systems within PBS.

PBS logoIn the latest politically motivated attack related to the Wikileaks saga, a group that calls themselves LulzSec has hacked the Public Broadcast Service (PBS). PBS is the American public television network most famous for the creation of Sesame Street.

PBS lulz hack

In addition to dumping numerous SQL databases through a SQL injection attack, LulzSec injected a new page into PBS’s website as seen above.

Their motive? Mayhem. They took offense to the portrayal of Bradley Manning in a segment on PBS’s Frontline news magazine program and decided to attack the broadcaster.

LulzSec posted usernames and hashed passwords for the database administrators and users. Worse, they also posted the logins of all PBS local affiliates, including their plain text passwords.

PBS affiliate database

While PBS is the victim here, the passwords disclosed for most affiliates are embarrassingly predictable.

There was absolutely no skill involved in this attack, as it used freely available tools to exploit the databases. The attackers represent nothing more than what many historically thought of as hackers: people creating chaos with no other purpose than gaining fame, irrespective of the damage caused.

The attack is nearly identical to the recent attack against SonyMusic.co.jp. LulzSec used the same tool to attack the Sony website, although far less sensitive information was disclosed in the Sony attack.

Several other databases were disclosed, some including plain text passwords, others using hashes. It is unfortunate that PBS was vulnerable to this kind of attack and even worse that so many passwords were stored in clear text. Revealing this information is criminal and there are certainly more respectable ways of disclosing flaws than exposing so many users’ passwords.

The media may have the perception that the real risk from hackers is related to cyberwar and uber-secret defense contractors, but the reality is that we all have a role to play in securing ourselves, our partners and our customers.

It appears the fallout from Wikileaks’ disclosure of diplomatic cables has not yet reached its climax, and anyone and everyone may be targeted by the vigilante justice dished out by their fans.

Whether you are related to political causes or not, an easy way to ensure you aren’t the next victim is to make sure that you protect the information you are entrusted with. Data stored insecurely is a bomb waiting to detonate. Security must be a proactive attitude because reacting is simply too dangerous.