US broadcaster hacked in revenge for WikiLeaks report
On Saturday 28 May, hacker group LulzSec took over the web site of the US Public Broadcasting Service (PBS) and published access data for staff and advertisers online. The hack was intended both as revenge for what the group saw as a one-sided depiction of WikiLeaks accused Bradley Manning in the documentary WikiSecrets, and as an appeal for his release.
The group says that the hack exploited a zero-day vulnerability it claims to have discovered in Movable Type, the content management system (CMS) used by PBS. This could, however, be one of the security vulnerabilities that were recently fixed in the product. The group used the CMS to disseminate the fake story that rapper Tupac Shakur, who was murdered in 1996, was still alive and had been seen in New Zealand.
The hackers were able to access the SQL database, extracts of which they then published. The data included various lists of access credentials, many of which contained plaintext passwords. Because an outdated Linux kernel was in use, they were also able to obtain root privileges to explore the PBS servers and collect data which included information on the broadcaster's network infrastructure. PBS has confirmed that the attack took place and, because of ongoing hacking attacks, is publishing transcripts and video extracts of the news broadcast on blog host Tumblr.
LulzSec attracted attention in early May by breaking into another US broadcaster, Fox. The group published the personal details of around one thousand potential X-Factor candidates and then followed this up by releasing access credentials for Fox staff. Because some staff were using the same passwords for Twitter and LinkedIn, this resulted in compromised accounts.
LulzSec was also responsible for one of the many attacks on Sony. Having hacked servers operated by Sony Music Japan, the group published extracts from the SQL database online. The group regularly publishes stolen data on anonymous text posting sites such as pastebin.com and pastehtml.com.