Detailed Analysis of the SK Communications Hack

An anonymous reader writes "An Australian IT security company, Command Five Pty Ltd, has just released a detailed analysis (PDF) of the recent SK Communications hack in which the personal details of up to 35 million users were stolen. This new analysis gives details of the attackers' malicious infrastructure and contains as-yet unreported technical details of the malware used in the attack (including the fact that it has the capability to sniff raw network packets on infected machines). The report also identifies links with other malware and malicious infrastructure, demonstrating that the attack is likely to be part of a broader concerted effort by well organized attackers."

Summary of Attack

[Anonymous Coward]

They hacked ESTsoft’s ALZip [altools.com] update server so when SK Communications's ALZip installations checked for updates it downloaded the hacked patch and thus led to pwnage.

Re:

[Ron Bennett]

This highlights the danger of automatic software updates.

Re:

[sgt scrub]

This highlights the danger of automatic software updates from an insecure server.

FTFY

Re:

[hierophanta]

This highlights the danger of automatic software updates from anywhere but a vacuum. (see GP for clarification)

Re:

[sgt scrub]

This highlights the danger of software that needs to be updated.

35 million out of 39 million total Korean net user

[wesley96]

When quoting about this SK Comm hacking incident, it should be noted that the "35 million users" is quite significant. There are approximately 39 million total internet users in South Korea with 48 million total population [internetworldstats.com]. This means nearly 90% of all S. Korean internet users' information was compromised. That, or more than 70% of total population. It's suffice to say the incident practically threw all relevant Korean people's key personal information out in the wild.

Oh, and by key personal information, I'm referring to Resident Registration Numbers that were part of the leaked info. RRN is a unique, non-transferable, non-modifiable serial number given to every Korean citizen, and thus is used as a highly convenient way of identifying the person in question. You can retrieve someone's website registration ID just by knowing the name and RRN, so it's something you yourself are only supposed to know. Since password hashes were also leaked, and since lots of folks reuse same password over and over, it would be relatively easy to pick out someone out of the leaked database and use the information to login to other websites, and by doing so, get even more personal information out.

Now the Korean websites are "encouraged" more than ever to use alternative means to identify someone, but I fear the cat's already out of the bag.

Re:35 million out of 39 million total Korean net u

[dingram17]

How is the RRN meant to be a unique number that only you know, if it is used at most websites? This sounds like the sillyness of the US SSN -- its "secret" but everyone asks for it. I can see why Australia made it illegal for anyone other than the Tax Office, Employers or Superannuation funds to ask for your tax file number.

Unique number identifiers are useful to ensure records don't get mixed up, but they are not a proof of identity. Using them as proof is moronic.

Re:

[commlinx]

I can see why Australia made it illegal for anyone other than the Tax Office, Employers or Superannuation funds to ask for your tax file number

Actually anyone can ask for it, you can just decline to provide it and it's illegal for them to insist on it. You don't have to disclose it to an employer or financial institution, in which case they withold tax on your income at the highest rate marginal tax rate plus any other applicable taxes. If you have income that's already been taxed at maximum possible rate that leaves no chance of "avoidance".

Re:

[commlinx]

Sorry to reply to my own post, but checking the legislation indeed only some people can even request it.There are a few more examples than above of institutions that can request it, but still you aren't obliged to provide it.

Re:35 million out of 39 million total Korean net u

[wesley96]

How is the RRN meant to be a unique number that only you know, if it is used at most websites? This sounds like the sillyness of the US SSN -- its "secret" but everyone asks for it. I can see why Australia made it illegal for anyone other than the Tax Office, Employers or Superannuation funds to ask for your tax file number.

Unique number identifiers are useful to ensure records don't get mixed up, but they are not a proof of identity. Using them as proof is moronic.

Yes, it's crazy, but that's what's been happening for so long in Korea. When you register for a Korean website to create an ID, you almost always must enter your name and RRN, and it's checked with a third-party identification service that makes sure the information is legitimate (i.e. name matches recorded RRN), and that the RRN is not already associated with an existing ID. If you've passed this, the website regards that, pretty much legally, that the person registering for the site is the person with that RRN. Of course, you can masquerade as someone else by just knowing the name and RRN and make an ID on a website that the actual person has not yet bothered to register. It's true and it happens pretty often. If you do get caught doing this, you'll be liable for jail time and hefty fine, but what if this is done by some Chinese dude from mainland China, as it is often the case? Not much you can do, except send some paperwork to the company running the website and reclaim or suspend the ID in question.

The even damning aspect of the RRN leak from the SK Comm hacking is that RRN itself is permanent, with no possibility of re-issue (with possible exception of getting a sex change, because part of the number identifies your gender). At least most US websites don't ask for your SSN. At Korean websites, if you're a foreigner, you might simply be blocked off from registering, or at least ask you to provide Foreign Resident Registration Number that's analogous to RRN. Handful of websites let you go through without this. It's a very sad situation.

Re:

[Inda]

I used to play a type of side scrolling 2D platform shooter on a Korean website. Obtaining an RRN was easier than finding a crack. 30-odd mates from another gaming site also managed to join me. It really wasn't a big issue.

So yeah, it's true, and it happens pretty often :)

Re:

[Inda]

It was a figure of speech.

Finding cracks is not a hard task. Finding RRNs is just as easy.

Re:

[antifoidulus]

I would hope that they would have used salt.(Cue kimchi joke here)

tl;dr version

[Gravis Zero]

1) SK Communications was using ESTsoft's ALTools (a set of various utility programs) for their computers
2) ALTools has an automatic update mechanism that grabs stuff from ESTsoft's server
3) ESTsoft's update server gets hacked and a trojan is installed
4) upon update, a trojan is served but ONLY to SK Communications.
5) PWN3D

Symbols != Identity

[erroneus]

I think the closest we have ever come to a symbol being an effective source of identity is the RSA securid and devices like it. In order to effectively spoof them required breaking into RSA itself to collect the details needed. But beyond that, using "secret shared and collected information" as proof of identity is a problem and a vulnerability.

Every time I hear "...stolen information on individuals..." and bits like that, I just get a little tweaked not at the captured/collected information, but that inf

Re:

[NonSequor]

Web of trust is a fairly good model (and there probably aren't any models that are better than fairly good). I have an account with the phone company, a checking account, and half a dozen other accounts all with the same name and address. If (and only if) I want to prove who I am online, I ought to be able to have the companies I associate with vouch for me.

Re:

[TheLink]

I think the closest we have ever come to a symbol being an effective source of identity is the RSA securid and devices like it.

In order to effectively spoof them required breaking into RSA itself to collect the details needed.

Like this: http://yro.slashdot.org/story/11/06/07/129217/RSA-Admits-SecurID-Tokens-Have-Been-Compromised [slashdot.org]
http://it.slashdot.org/story/11/03/17/2321226/rsas-servers-hacked [slashdot.org]

Lastly every time I hear "identity theft" it just tells me that the Banks etc are just trying to shift the blame/cost to the victim.

Because it if someone tries to use your name etc to open or access a bank account, it should not be considered "Identity Theft". It should be considered Fraud or even Bank Fraud.