



Black & Berg CyberSecurity Consulting LLC were defaced by LulzSec today -- but they were happy about it. Turns out they were having a hacking contest.

A closeup of the photoshopped image that LulzSec posted to the defaced page. The group has refused the $10K cash prize promised by the security firm.
They just did it for the "lulz"

LulzSec ("Lulz Security"), a group of skilled computer hackers/cyber-griefers, has earned a reputation for controversy. They took down parts of the computer network of famed hacker publication 2600, arbitrarily, due to a feud with a single Dutch user. They hacked PBS in what some argue was an attempt to subvert the news network's freedoms of speech and the press. And they posted user names and plaintext passwords of elderly users (and others) from recent system intrusions [1][2][3] at Sony Corp. (TYO:6758).

But the group's latest effort is unlikely to create much controversy. After all, the affected party was asking for it -- literally.

LulzSec defaced the homepage of the "Cybersecurity For The 21st Century, Hacking Challenge" sponsored by Black & Berg Cybersecurity Consulting, LLC. Black & Berg, which does contract work for government agencies and private companies, writes:
Change this website's homepage picture and win $10K and a position working with Senior Cybersecurity Advisor, Joe Black.

You can probably guess where this is going. LulzSec altered the page background slightly and photoshopped their monocled mascot into the picture displayed on the page. And, amusingly, they refused the cash prize, stating:

DONE, THAT WAS EASY. KEEP YOUR MONEY WE DO IT FOR THE LULZ

Given that the group recently hacked a U.S. Federal Bureau of Investigation affiliate, it's not terribly surprising that they wouldn't want to compromise their location by accepting a prize from a public contest. As Admiral Ackbar would say, "It's a trap!" (Potentially, at least.) Perhaps they should have offered the prize in bitcoins.

Founder Joseph K. Black took to Twitter, posting praise for the group.  He writes:

Black & Berg Cybersecurity Consulting appreciate all the hard work that you're putting in. Your Hacking = Clients for us. Thx ~Joe

We've said it once, and we'll say it again -- for better or worse, we doubt this is the last we'll see of LulzSec.




As advertised, they gave me my lulz
By Taft12 on 6/8/2011 4:09:18 PM , Rating: 5
So, will the security consulting company let us in on how Lulzsec managed to break in? Or could it be they don't even know how it was done...




By fic2 on 6/8/2011 4:29:07 PM , Rating: 2
I am sure that for a fee the security company will tell you if they know or don't know how they were hacked.


By lwesten on 6/9/2011 11:56:50 AM , Rating: 2
If you View Source, you can see an sql error output at the bottom of the page. Injection attack attempt, obviously.

If they did use an injection attack, I'm wondering if they exploited the mailing list signup input. The developers that built the site used js to generate the query string to submit the input data instead of using a FORM tag. Looks like they have at least SOME server-side validation, but obviously not enough. :)

On top of that, looking at the INSERT error, they're not hiding the absolute script path, either.

These guys are supposed to be experts? I don't condone what these guys are doing, but damn. Issuing a $10k challenge and not knowing wtf you're doing is kinda asking for it.
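
The last comment above points at three weaknesses: input checked mainly in client-side JavaScript, an INSERT built from user input, and a raw SQL error (with the script path) echoed into the page. The following is an added example, not code from the site or from any commenter, showing a signup handler that avoids all three; the Python/sqlite3 stack, the `subscribers` table and the function names are assumptions chosen for illustration.

```python
import logging
import re
import sqlite3

log = logging.getLogger("signup")
# Conservative allow-list pattern for an e-mail address (assumed policy).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}")
GENERIC_ERROR = "Sorry, we could not process your request."


def make_db():
    # In-memory stand-in for the site's mailing-list table (schema is assumed).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (email TEXT PRIMARY KEY)")
    return db


def signup(db, raw_email):
    """Handle one signup request; returns (http_status, body_text)."""
    # Server-side validation: anything enforced only in browser JS can be
    # skipped by sending the request directly.
    if not isinstance(raw_email, str) or not EMAIL_RE.fullmatch(raw_email):
        return 400, "Please enter a valid e-mail address."
    try:
        # Placeholder binding: the value is never spliced into the SQL text.
        with db:
            db.execute("INSERT INTO subscribers (email) VALUES (?)", (raw_email,))
    except sqlite3.IntegrityError:
        # Duplicate address: same answer as success, so the form cannot be
        # used to test which addresses are already subscribed.
        return 200, "Thanks, you are subscribed."
    except sqlite3.Error:
        # Query text, traceback and file paths go to the server log only.
        log.exception("signup insert failed")
        return 500, GENERIC_ERROR
    return 200, "Thanks, you are subscribed."
```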


Copyright 2014 DailyTech LLC.