20 year old South Korean hacked 104 websites and collected 280,000 private recordsHacker uploads hacking guidesVictims of lax security
Hacker uploads hacking guides
Jang, it seems, wanted to make his handiwork well known among the hacker community, he also published tips and tricks of his craft on blogs- even to the extent of uploading videos of his conquests. It is believed that he made about 13,000 records of the 280,000 stolen by him, public in one of these ways. The information stolen from the websites included credentials for social networking accounts like Facebook and Twitter, along with details about employees of national or international government agencies, taken from North Korean websites. Jang also looked to exploit his evil deeds financially. The authorities have evidence that Jang trying to make purchases with the credit card information he had stolen. One of the victims of the financial fraud was a Korean official who also lost control of his email account to Jang. According to Korea Joongang Daily, the hacker told the police that the motivation behind his attacks was to prove himself among fellow hackers.
Victims of lax security
Looking at the list of targets, the critical fact that comes to light, is that only websites with weak security measures were targeted by Jang. A simple way of doing this is using an SQL injection. It is a very known trick and can easily be protected against. But most websites do not care to bother about this basic measure. Most websites do not even encrypt sensitive data like passwords before storing them in their databases thus making them a jackpot for a potential hacker. It would be safe to assume that if such basic protection was not in place, the targeted websites were probably riddled with easy to exploit bugs and weaknesses. Drupal adminstration alerted in the middle of October of a highly critical SQL injection vulnerability in Drupal 7 that would not require too much knowledge to be exploited. At the end of the month, the developers of the CMS warned that websites that had not been patched within hours from the initial disclosure of the glitch should be considered compromised. The methods used by Jang have not been disclosed by the authorities, although he has already made them public to the world at large- which probably led to his arrest in the first place.