
Detailed Analysis of the SK Communications Hack

Soulskill posted more than 2 years ago | from the pulling-a-sony dept.


An anonymous reader writes "An Australian IT security company, Command Five Pty Ltd, has just released a detailed analysis (PDF) of the recent SK Communications hack in which the personal details of up to 35 million users were stolen. This new analysis gives details of the attackers' malicious infrastructure and contains as-yet unreported technical details of the malware used in the attack (including the fact that it has the capability to sniff raw network packets on infected machines). The report also identifies links with other malware and malicious infrastructure, demonstrating that the attack is likely to be part of a broader concerted effort by well organized attackers."


21 comments

Why does this have 0 comments? (-1)

Anonymous Coward | more than 2 years ago | (#37524302)

Guess I am the first?

Summary of Attack (3, Informative)

Anonymous Coward | more than 2 years ago | (#37524306)

They hacked ESTsoft's ALZip [altools.com] update server, so when SK Communications' ALZip installations checked for updates they downloaded the hacked patch, and that led to pwnage.

Re:Summary of Attack (1, Interesting)

Ron Bennett (14590) | more than 2 years ago | (#37525330)

This highlights the danger of automatic software updates.

Re:Summary of Attack (1)

sgt scrub (869860) | more than 2 years ago | (#37526476)

This highlights the danger of automatic software updates from an insecure server.

FTFY

WTF! (-1)

Anonymous Coward | more than 2 years ago | (#37524346)

WTF! You moron! God talks to me! WHAT THE FUCK are you thinking slandering!

God says...
C:\TEXT\YANKEE.TXT

the popular thing in this world is novelty. These
people had never seen anything of that cowboy business before,
and it carried them clear off their feet with delight. From all
around and everywhere, the shout went up:

"Encore! encore!"

I wondered where they got the word, but there was no time to cipher
on philological matters, because the whole knight-errantry hive
was just humming now, and my prospect for trade couldn't have
been better. The moment my lasso was released and Sir Sagramor
h

35 million out of 39 million total Korean net user (5, Informative)

wesley96 (934306) | more than 2 years ago | (#37524416)

When quoting about this SK Comm hacking incident, it should be noted that the "35 million users" is quite significant. There are approximately 39 million total internet users in South Korea, with 48 million total population [internetworldstats.com]. This means nearly 90% of all S. Korean internet users' information was compromised. That, or more than 70% of the total population. Suffice it to say the incident practically threw all relevant Korean people's key personal information out in the wild.

Oh, and by key personal information, I'm referring to Resident Registration Numbers that were part of the leaked info. An RRN is a unique, non-transferable, non-modifiable serial number given to every Korean citizen, and thus is used as a highly convenient way of identifying the person in question. You can retrieve someone's website registration ID just by knowing the name and RRN, so it's something you yourself are only supposed to know. Since password hashes were also leaked, and since lots of folks reuse the same password over and over, it would be relatively easy to pick someone out of the leaked database and use the information to log in to other websites, and by doing so, get even more personal information out.

Now the Korean websites are "encouraged" more than ever to use alternative means to identify someone, but I fear the cat's already out of the bag.

Re:35 million out of 39 million total Korean net u (5, Interesting)

dingram17 (839714) | more than 2 years ago | (#37524440)

How is the RRN meant to be a unique number that only you know, if it is used at most websites? This sounds like the silliness of the US SSN -- it's "secret" but everyone asks for it. I can see why Australia made it illegal for anyone other than the Tax Office, Employers or Superannuation funds to ask for your tax file number.

Unique number identifiers are useful to ensure records don't get mixed up, but they are not a proof of identity. Using them as proof is moronic.

Re:35 million out of 39 million total Korean net u (1)

commlinx (1068272) | more than 2 years ago | (#37524516)

> I can see why Australia made it illegal for anyone other than the Tax Office, Employers or Superannuation funds to ask for your tax file number

Actually anyone can ask for it; you can just decline to provide it, and it's illegal for them to insist on it. You don't have to disclose it to an employer or financial institution, in which case they withhold tax on your income at the highest marginal tax rate plus any other applicable taxes. If you have income that's already been taxed at the maximum possible rate, that leaves no chance of "avoidance".

Re:35 million out of 39 million total Korean net u (1)

commlinx (1068272) | more than 2 years ago | (#37524556)

Sorry to reply to my own post, but checking the legislation, indeed only some people can even request it. There are a few more examples than above of institutions that can request it, but still you aren't obliged to provide it.

Re:35 million out of 39 million total Korean net u (3, Informative)

wesley96 (934306) | more than 2 years ago | (#37524594)

> How is the RRN meant to be a unique number that only you know, if it is used at most websites? This sounds like the silliness of the US SSN -- it's "secret" but everyone asks for it. I can see why Australia made it illegal for anyone other than the Tax Office, Employers or Superannuation funds to ask for your tax file number.
>
> Unique number identifiers are useful to ensure records don't get mixed up, but they are not a proof of identity. Using them as proof is moronic.

Yes, it's crazy, but that's what's been happening for so long in Korea. When you register for a Korean website to create an ID, you almost always must enter your name and RRN, and it's checked with a third-party identification service that makes sure the information is legitimate (i.e. the name matches the recorded RRN), and that the RRN is not already associated with an existing ID. If you've passed this, the website regards, pretty much legally, that the person registering for the site is the person with that RRN. Of course, you can masquerade as someone else by just knowing the name and RRN and make an ID on a website that the actual person has not yet bothered to register on. It's true and it happens pretty often. If you do get caught doing this, you'll be liable for jail time and a hefty fine, but what if this is done by some Chinese dude from mainland China, as is often the case? Not much you can do, except send some paperwork to the company running the website and reclaim or suspend the ID in question.

The even more damning aspect of the RRN leak from the SK Comm hacking is that the RRN itself is permanent, with no possibility of re-issue (with the possible exception of getting a sex change, because part of the number identifies your gender). At least most US websites don't ask for your SSN. At Korean websites, if you're a foreigner, you might simply be blocked from registering, or at least be asked to provide a Foreign Resident Registration Number that's analogous to the RRN. A handful of websites let you go through without this. It's a very sad situation.

Re:35 million out of 39 million total Korean net u (1)

Inda (580031) | more than 2 years ago | (#37524918)

I used to play a type of side scrolling 2D platform shooter on a Korean website. Obtaining an RRN was easier than finding a crack. 30-odd mates from another gaming site also managed to join me. It really wasn't a big issue.

So yeah, it's true, and it happens pretty often :)

Re:35 million out of 39 million total Korean net u (0)

Anonymous Coward | more than 2 years ago | (#37524986)

I'm curious- how were you planning to crack a game hosted on a website?

Re:35 million out of 39 million total Korean net u (1)

Inda (580031) | more than 2 years ago | (#37525170)

It was a figure of speech.

Finding cracks is not a hard task. Finding RRNs is just as easy.

Trust relationships (0)

Anonymous Coward | more than 2 years ago | (#37524542)

Users and network administrators need to continually reassess who and what they trust on the Internet - so true... Can you imagine if 7Zip, WinRAR, or PKZip were hacked and used as a launchpad? If you can't trust a software update, what can you trust?

tl;dr version (2)

Gravis Zero (934156) | more than 2 years ago | (#37524636)

1) SK Communications was using ESTsoft's ALTools (a set of various utility programs) for their computers
2) ALTools has an automatic update mechanism that grabs stuff from ESTsoft's server
3) ESTsoft's update server gets hacked and a trojan is installed
4) upon update, a trojan is served but ONLY to SK Communications.
5) PWN3D
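The steps above (and sgt scrub's point that the danger is an update from an insecure server) come down to one design question: does the client trust whatever the update server hands it, or does it verify the package against a key the server never holds? The following is an added example, not code from ESTsoft, ALTools or the Command Five report; the manifest format, product name, key handling and the sample package bytes are all assumptions. It shows a client that pins the vendor's Ed25519 public key, verifies a signed manifest, and checks the package digest before applying anything, so a compromised server cannot substitute a payload, even one served only to selected victims, without the vendor's offline signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update package. The layout is an assumption for
// this example, not the real ALTools update format.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the package bytes
}

// Publisher holds the vendor's signing key. In a real deployment the private
// key stays offline; only Pub is embedded in the shipped client.
type Publisher struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{priv: priv, Pub: pub}, nil
}

// Sign builds the manifest for a package and signs the manifest bytes.
func (p *Publisher) Sign(product, version string, pkg []byte) (manifest, sig []byte, err error) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	manifest, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	sig = ed25519.Sign(p.priv, manifest)
	return manifest, sig, nil
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against pinned vendor key")
	ErrDigestMismatch = errors.New("package digest does not match signed manifest")
	ErrWrongProduct   = errors.New("manifest is for a different product")
)

// VerifyUpdate is the check the client runs before executing anything it
// downloaded. Signature first, then product binding, then payload digest.
func VerifyUpdate(pinnedPub ed25519.PublicKey, product string, manifest, sig, pkg []byte) (*Manifest, error) {
	if !ed25519.Verify(pinnedPub, manifest, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrDigestMismatch
	}
	return &m, nil
}

func main() {
	vendor, _ := NewPublisher()
	genuine := []byte("constructed sample: genuine patch bytes")
	manifest, sig, _ := vendor.Sign("alzip", "1.2.3", genuine)

	// Clean server: the client verifies and applies.
	if _, err := VerifyUpdate(vendor.Pub, "alzip", manifest, sig, genuine); err == nil {
		fmt.Println("genuine update accepted")
	}

	// Compromised server swaps the payload for one victim; digest check fails.
	trojaned := []byte("constructed sample: tampered patch served to one client")
	_, err := VerifyUpdate(vendor.Pub, "alzip", manifest, sig, trojaned)
	fmt.Println("tampered payload:", err)

	// Attacker rewrites the manifest to match, but has no key to re-sign it.
	tsum := sha256.Sum256(trojaned)
	forged, _ := json.Marshal(Manifest{Product: "alzip", Version: "1.2.4", SHA256: hex.EncodeToString(tsum[:])})
	_, err = VerifyUpdate(vendor.Pub, "alzip", forged, sig, trojaned)
	fmt.Println("forged manifest:", err)
}
```

The product field in the manifest matters as much as the digest: without it, a validly signed package for a different product, or an old signed version, could be replayed to the client. This scheme defends against a compromised distribution server, which is the failure in the thread; it does nothing if the signing key itself, or the build that produced the signed package, is compromised.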

Symbols != Identity (1)

erroneus (253617) | more than 2 years ago | (#37524694)

I think the closest we have ever come to a symbol being an effective source of identity is the RSA SecurID and devices like it. Effectively spoofing them required breaking into RSA itself to collect the details needed. But beyond that, using "secret shared and collected information" as proof of identity is a problem and a vulnerability.

Every time I hear "...stolen information on individuals..." and bits like that, I just get a little tweaked not at the captured/collected information, but that information is used in place of identity. I don't know a "better way" other than not making things so big that mass collection and consolidation of data is a requirement for continued operation. People are not commodities and shouldn't be treated as such.

Re:Symbols != Identity (2)

NonSequor (230139) | more than 2 years ago | (#37524822)

Web of trust is a fairly good model (and there probably aren't any models that are better than fairly good). I have an account with the phone company, a checking account, and half a dozen other accounts all with the same name and address. If (and only if) I want to prove who I am online, I ought to be able to have the companies I associate with vouch for me.

Re:Symbols != Identity (1)

TheLink (130905) | more than 2 years ago | (#37527456)

> I think the closest we have ever come to a symbol being an effective source of identity is the RSA securid and devices like it.
>
> In order to effectively spoof them required breaking into RSA itself to collect the details needed.

Like this: http://yro.slashdot.org/story/11/06/07/129217/RSA-Admits-SecurID-Tokens-Have-Been-Compromised [slashdot.org]
http://it.slashdot.org/story/11/03/17/2321226/rsas-servers-hacked [slashdot.org]

Lastly every time I hear "identity theft" it just tells me that the Banks etc are just trying to shift the blame/cost to the victim.

Because if someone tries to use your name etc. to open or access a bank account, it should not be considered "Identity Theft". It should be considered Fraud, or even Bank Fraud.
