In Depth: How Lulzsec cracked MilitarySingles.com

How MilitarySingles was hackedA military dating site attacked by hackers in March had serious security flaws, a report has found.MilitarySingles.com, whose users’ details were dumped online by Lulzsec hacktivists, failed to prevent the upload of malicious user content and did not properly encrypt its password database, according to data security company Imperva. The report concludes that user-generated content is not just the lifeblood of the modern internet but also its Achilles’ heel.But Rob Rachwald, the company’s director of security strategy, says the methods and aims of the hackers reflect those of major firms like Google and Facebook.As Facebook stock flows into the public market, trading on the value of users’ personal details, hackers are placing their own price on the vast quantities of data that internet companies hold.”I have a bunch of geeks working for me that like to do this kind of thing,” says Rachwald, a 42-year-old Californian who got into security when he saw Intel design specifications being sold in the streets of Tai Pei for $300 apiece.”Some people like to go to the movies, some people like to read a book, and some people like to hack.”Imperva: “Enterprises are in a pre-pubescent phase when it comes to properly protecting passwords.”On March 26 this year, hackers under the banner of Lulzsec – an offshoot of the broad-church pseudo-movement known as Anonymous (Rachwald calls it a “global disorganisation”) – dumped over 170,000 account details online.The first Lulzsec was responsible for a wave of online attacks last year, but had gone quiet after a leading member, Sabu, was co-opted as an FBI informant, leading to the arrest of three comrades. Now, apparently, it’s back – or someone using its name. Rachwald’s “geeks” probed the MilitarySingles website (“using fully legal means,” he notes) and found a series of vulnerabilities which made it easy to sneak malware onto its servers.Central to the hack, Rachwald claims, was a method called Remote File Inclusion.

The report concludes that user-generated content is not just the lifeblood of the modern internet but also its Achilles’ heel.But Rob Rachwald, the company’s director of security strategy, says the methods and aims of the hackers reflect those of major firms like Google and Facebook.As Facebook stock flows into the public market, trading on the value of users’ personal details, hackers are placing their own price on the vast quantities of data that internet companies hold.”I have a bunch of geeks working for me that like to do this kind of thing,” says Rachwald, a 42-year-old Californian who got into security when he saw Intel design specifications being sold in the streets of Tai Pei for $300 apiece.