LulzSec Breaches PBS Through Unpatched CMS

References
URL: http://freze.it/lulz
Sources:
http://www.scmagazineus.com/lulzsec-uses-zero-day-on-pbs-promises-more-attacks/article/204243/
http://freze.it/91
http://blogs.forbes.com/parmyolson/2011/05/31/interview-with-pbs-hackers-we-did-it-for-lulz-and-justice/
http://www.washingtonpost.com/blogs/blogpost/post/lulzsec-hacked-pbs-is-sony-next/2011/05/31/AG2aXUFH_blog.html
http://twitter.com/#!/lulzsecs
Injected Page

The security group "LulzSec" has garnered a reasonable amount of media attention lately, with their latest exploit being the relatively public PBS hack. Late Sunday night, a story appeared on the PBS website stating that Tupac Shakur (a rapper from the mid-90s) had been found alive and well in New Zealand. This claim is largely discredited, and as such should have been a reasonable indication to most people that something was amiss in the PBS systems.

LulzSec had breached the PBS website by exploiting a zero-day vulnerability in its CMS software (Movable Type version 4, which was not at current patch levels). This gave them full control over the CMS systems, following an injected page displaying their humour on the site. This control also allowed the group to delete the users and admins of the CMS system, leaving the admins with a more difficult problem to work through. This was eventually overcome by restoring a database backup, but not before the group, using the initial breach as a leverage point, had time to grab MySQL root passwords, all stations and passwords, all press passwords, Frontline logins, SQL databases, a network map disclosure, and staff and admin details.

The group claimed this hack was in retaliation and justice for the recent "WikiSecrets" documentary aired by PBS, which is alleged to have portrayed Bradley Manning and WikiLeaks in a negative light from the start (having not seen the documentary myself, I cannot personally comment on the validity of this claim). They also claimed, in an interview with Forbes.com, that they did this partially "for the lulz".

Other notable endeavours undertaken by LulzSec include hacking the Sony Japan website, leaking Fox Broadcasting employees' usernames and passwords, and leaking the emails and phone numbers of the upcoming American X-Factor contestants in a torrent on ThePirateBay. Based largely on an answer to a Formspring question, there is a theory that AT&T could be their next target, whilst some "Sownage" is also on the table.

 

TL;DR: Hacker group LulzSec causes some damage and leaks a large amount of information from PBS in the form of databases and passwords.
