35 Million SK Telecom Accounts Stolen By Chinese Hackers
eldavojohn writes "South Korea's SK Telecom has revealed that earlier this week hackers stole 35 million account details from two sites. A portal called Nate Portal that provided e-mail services and a social networking site called CyWorld were the two targets by hackers who, SK Telecom claims, used IP addresses originating from China. From the article, 'The stolen data included user IDs, passwords, social security numbers, names, mobile phone numbers and email addresses. Nate said the social security numbers and passwords are encrypted so that they are not available for illegal use.'"
Squirrel Master (Score:2)
Awwwww GRITS! (Score:3)
I must have scanned the summary too fast... I read the WHOLE ARTICLE, and nothing at all about NATALIE PORTMAN!
Re: (Score:2)
Re: (Score:1)
I don't know, how many open AND anonymous Chinese proxies does the Great Firewall allow? I mean if every ISP there must have a license from the government, and every subscriber must use his government issued id when opening an account, how many rogue servers can there be in China? And if there are, how long lived can they be?
Additionally, it wouldn't make sense for them to be on top of censoring the millions of Weibo feeds every minute (so as not to blemish the public image of China) yet not be able to filt
Re: (Score:2)
Riiiigggghhhht (Score:1)
Nate said the social security numbers and passwords are encrypted so that they are not available for illegal use
Encryption! Bwahahahahahahahahahahahaha!
*shits in pants with tears in eyes - breathes*
Ahahahahahahahahahahahahahahahaha!
Oh God! That was FUNNY!
Yeah, yeah, yeah, the check is in the mail; I'll call you in the Morning; I won't cum in your mouth, blah blah blah ......
Accounts being stolen left and right (Score:2)
Some questions:
1. Anybody still using the same username at multiple websites?
2. Anybody work at a place that has been affected? Citibank, whatever? Or their webdev firm? Are there wholesale firings? Of development, IT, or the business side?
3. Anybody work at a company that actually has some kind of decent security and cares about protecting customer data?
Re: (Score:2, Offtopic)
*Nothing* was stolen. It was illegally obtained, but not stolen. The accounts still exist and are usable by the rightful owners barring any disabling by the telecom itself.
Re:Accounts being stolen left and right (Score:5, Interesting)
Re: (Score:2)
4. can we get an accurate summary?
*Nothing* was stolen. It was illegally obtained, but not stolen. The accounts still exist and are usable by the rightful owners barring any disabling by the telecom itself.
You are doing the usual Slashdot splitting of hairs. Yes, we all know that if you copy information the original is still there, and therefore it is not analogous to theft of physical property.
I suppose if I electronically transfer the contents of your savings account to mine (after I have illegally copied your bank details and passwords) then there is no theft involved, since I am merely electronically moving 1s and 0s around, and they cannot in themselves belong to anyone.
PII is bad, m'kay. (Score:1)
Re: (Score:2)
From what I know, it is the law in SK for sites to demand the registration number.
If a number is needed, perhaps the best idea would be for the SK government to have a website that citizens and residents can log into, and get a one time code that can be put in other places. This way, the law still works, but there is no way an attacker who does not attack the Korean government site could be able to figure that a number entered in actually belongs to which resident.
Personally, demanding a registration numbe
"encrypted" my ass (Score:5, Informative)
Nate said the social security numbers and passwords are encrypted
And stored in a database, which for authentication purposes would need to be able to convert said "encrypted" data into plain text for any customer service representative, the billing systems, etc. The key has to be something that's widely accessible, or goes through a proxy. Either way, it's highly unlikely the "encryption" scheme is much more sophisticated than a single XOR operation. Decrypting that field for a substantial portion of the database SELECT statements would be a huge overhead.
No, I suspect they have the SSNs, it's just a matter of time before they get them back in plain text. Besides, the 'nice' thing about SSNs is... If you know where the person was born, and what year (not hard to find), you can predict 6 out of the 10 digits with a high degree of accuracy, thus aiding substantially in the cryptanalysis. This isn't random data being encrypted... it's highly structured, and most of the plain-text is already known.
They're screwed.
Re: (Score:2)
That's assuming that South Korean SSNs are issued using similar procedures as US SSNs.
Re: (Score:2)
That's assuming that South Korean SSNs are issued using similar procedures as US SSNs.
Assuming that SK actually even has SSNs
Re: (Score:1)
SSN is actually a mandatory requirement for most online (and offline) registration in Korea.
Also, it's in a format YYYYMMDD - XXXXXXXX so the first part of it is easy to figure out if you have the information.
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
> social security numbers
You know that they (SSNs) are American, right? Since we're talking about South Korean citizens and purportedly mainland China crackers, WTF are we talking about?
Korean ID numbers? Well, alright then, let's say so.
Re: (Score:1)
Either way, it's highly unlikely the "encryption" scheme is much more sophisticated than a single XOR operation. Decrypting that field for a substantial portion of the database SELECT statements would be a huge overhead.
Or you encrypt the value you want to look for before using it in your WHERE clause. Unless the key is individually salted for each person, you can do a much quicker binary comparison with encrypted value against encrypted value. If it IS individually salted, you could store a hash to compare with rather than the full value, decreasing the amount of work that needs to be done. As far as I'm aware, performing a hash operation + compare would be quicker than full decryption + compare. If you don't salt the has
Re: (Score:1)
And stored in a database, which for authentication purposes would need to be able to convert said "encrypted" data into plain text for any customer service representative, the billing systems, etc. The key has to be something that's widely accessible, or goes through a proxy.
Assuming that they are using widespread password encryption practices (i.e. only storing a salted, hashed version of the password) then they never convert the encrypted data back into plain text for authentication. Instead, they salt/hash the password that the user has entered using cryptographically strong but publicly known algorithms (no secret keys) and compare the result to what i
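What the two replies above describe, as an added example (not part of the original thread, and not Nate's or SK Telecom's actual scheme): passwords stored as salted hashes and checked without any decryption, plus a keyed-hash column so a WHERE clause can match an ID number without decrypting rows. The table layout, function names, iteration count and sample values are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch

# Constructed sample rows: (user, password, national ID number)
SAMPLE = [("alice", "correct horse", "000000-0000001"),
          ("bob", "battery staple", "000000-0000002")]

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn per account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, stored):
    """Re-derive from the submitted password; nothing is ever decrypted."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)

def blind_index(id_number, index_key):
    """Keyed hash of the ID: equal inputs give equal tokens, so WHERE can use
    an index, but the token cannot be recomputed without index_key."""
    normalized = id_number.replace("-", "").strip()
    return hmac.new(index_key, normalized.encode(), hashlib.sha256).digest()

def build_demo_db(index_key):
    # The ID itself would sit in a separately encrypted column (omitted here).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, salt BLOB,"
               " pw_hash BLOB, id_index BLOB)")
    db.execute("CREATE INDEX accounts_id_index ON accounts (id_index)")
    for user, password, id_number in SAMPLE:
        salt, digest = hash_password(password)
        db.execute("INSERT INTO accounts VALUES (?, ?, ?, ?)",
                   (user, salt, digest, blind_index(id_number, index_key)))
    return db

def login(db, user, password):
    row = db.execute("SELECT salt, pw_hash FROM accounts WHERE user = ?",
                     (user,)).fetchone()
    return row is not None and verify_password(password, row[0], row[1])

def find_by_id(db, id_number, index_key):
    token = blind_index(id_number, index_key)
    rows = db.execute("SELECT user FROM accounts WHERE id_index = ?", (token,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    key = os.urandom(32)  # in practice held outside the database
    db = build_demo_db(key)
    print(login(db, "alice", "correct horse"), find_by_id(db, "000000-0000002", key))
```

The per-account salt makes identical passwords hash differently, so password checks go through the user's own row, while the ID lookup uses one shared key and therefore stays indexable.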
Resident Registration Number (Score:1)
The consequences of this for identity theft and how it is handled in Korea should be interesting.
Title Fail (Score:4, Informative)
IPs originating in China do not automatically mean it was conducted by Chinese Hackers.
Re: (Score:2)
Re: (Score:1)
Re: (Score:3)
It's always possible that activity from a Chinese IP may be non-Chinese, but suffice to say that the Chinese haven't done themselves any favours reputation-wise in the field of computer security.
35 million? (Score:1)
Given that South Korea has a population estimated around 49 million... That's usernames, passwords, KSSNs, phone numbers and email addresses for nearly 71% of the population at the most generous estimate of one account per user. That is absolutely ludicrous amounts of data to have on a country: nearly all of its online population's details?!
This is an unprecedented invasion of privacy. The South Korean government had better be all over this: someone out there now has all the information they need to imperso
Tea Partiers take Notice (Score:1)
We can balance the budget by stopping Social Security payments to South Koreans
proof of idiocy (Score:2)
Re: (Score:2, Informative)
Giving an S.S.# to the portal to register is required by law in Korea.
Re: (Score:1)
SS# is NOT for identification (Score:2)
Many years ago, long before the problems of identity theft were well publicized and even before many /.ers were born, I needed to rent a car and got myself to a local rental office. Showed them my ID, there was no question about payment, but there on the rental form they wanted my SS#. I filled in the form but left the SS# blank. The clerk insisted I needed to give my SS# or they would not rent to me. I talked to the manager. I explained the issue and that I simply was not going to give him my SS#. He resta
Re: (Score:2)
Why is this news? (Score:1)
Uplink cables ready (Score:2)
P(i) R(a) C(y) (Score:1)
One or the other (Score:1)
Seriously though, they must have done SOMETHING right, seeing as China is slowly consuming the United States. Either that, or we (the US) are doing something very wrong. I have a feeling it's at least the latter.