Detailed Analysis of the SK Communications Hack 21
An anonymous reader writes "An Australian IT security company, Command Five Pty Ltd, has just released a detailed analysis (PDF) of the recent SK Communications hack in which the personal details of up to 35 million users were stolen. This new analysis gives details of the attackers' malicious infrastructure and contains as-yet unreported technical details of the malware used in the attack (including the fact that it has the capability to sniff raw network packets on infected machines). The report also identifies links with other malware and malicious infrastructure, demonstrating that the attack is likely to be part of a broader concerted effort by well organized attackers."
Summary of Attack (Score:3, Informative)
35 million out of 39 million total Korean net user (Score:5, Informative)
Oh, and by key personal information, I'm referring to Resident Registration Numbers that were part of the leaked info. RRN is a unique, non-transferable, non-modifiable serial number given to every Korean citizen, and thus is used as a highly convenient way of identifying the person in question. You can retrieve someone's website registration ID just by knowing the name and RRN, so it's something you yourself are only supposed to know. Since password hashes were also leaked, and since lots of folks reuse same password over and over, it would be relatively easy to pick out someone out of the leaked database and use the information to login to other websites, and by doing so, get even more personal information out.
Now the Korean websites are "encouraged" more than ever to use alternative means to identify someone, but I fear the cat's already out of the bag.
Re:35 million out of 39 million total Korean net u (Score:4, Informative)
How is the RRN meant to be a unique number that only you know, if it is used at most websites? This sounds like the sillyness of the US SSN -- its "secret" but everyone asks for it. I can see why Australia made it illegal for anyone other than the Tax Office, Employers or Superannuation funds to ask for your tax file number.
Unique number identifiers are useful to ensure records don't get mixed up, but they are not a proof of identity. Using them as proof is moronic.
Yes, it's crazy, but that's what's been happening for so long in Korea. When you register for a Korean website to create an ID, you almost always must enter your name and RRN, and it's checked with a third-party identification service that makes sure the information is legitimate (i.e. name matches recorded RRN), and that the RRN is not already associated with an existing ID. If you've passed this, the website regards that, pretty much legally, that the person registering for the site is the person with that RRN. Of course, you can masquerade as someone else by just knowing the name and RRN and make an ID on a website that the actual person has not yet bothered to register. It's true and it happens pretty often. If you do get caught doing this, you'll be liable for jail time and hefty fine, but what if this is done by some Chinese dude from mainland China, as it is often the case? Not much you can do, except send some paperwork to the company running the website and reclaim or suspend the ID in question.
The even damning aspect of the RRN leak from the SK Comm hacking is that RRN itself is permanent, with no possibility of re-issue (with possible exception of getting a sex change, because part of the number identifies your gender). At least most US websites don't ask for your SSN. At Korean websites, if you're a foreigner, you might simply be blocked off from registering, or at least ask you to provide Foreign Resident Registration Number that's analogous to RRN. Handful of websites let you go through without this. It's a very sad situation.