Anonymous Helpers? Or Endless, Faceless Threats?

A teen from WA University successfully hacked into Microsoft and its partners. A genius or a bandit?

The hobby of an Aussie boy, *FLaC, was breaking and entering, specializing in computer hacking. From early on in his young life, he spent a great deal of time in the glow of his computer monitor. In the Internet world, he spoke like a big man, not some awkward and misunderstood teenager who hung out with faceless friends, in words he would rather type than speak.

FLaC’s mischief began while he was still in high school, where he had already been suspended twice for getting into its IT system. For an immature but tech-smart boy of the new generation from the hills outside Melbourne, breaking into the Pentagon’s computer systems seemed like a challenge he could take on, and he was probably eager for the boasting rights among his hacker comrades. What he accomplished from early 2011 until about mid-2013, roughly 2 1/2 years, is rather incredible. That’s why it’s so difficult to put a label on him: a genius or a bandit. Let’s not forget that he was (and still is, as of this entry) a teenager. He told Kotaku, a popular gaming site, that he did not mean any harm and was “merely curious.” Maybe it was just a game for him. The outcome spoke louder than any of his original intentions.


FLaC, aka SuperDaE, and his hacker posse found a way into major international game companies and, better yet, acquired the secret specifications of the forthcoming Xbox system from Microsoft’s own vault before its release. Their conspiracy began with multiple SQL (*Structured Query Language) injection attacks, in which malicious input is inserted into the data a program sends to its database so that the database executes it as code; these allowed FLaC and his fellows to acquire log-in credentials and the personal and financial information of Microsoft’s and its partners’ employees. A SQL injection attack not only allows an unauthorized person to gain access to the data, but also allows him or her to manipulate it. “I was quite surprised when we found out that these people [Microsoft and its partners] basically all had terrible security,” said FLaC in an interview with The Australian. Eventually, getting their hands on employees’ data gave them access to confidential and crucial information that could have jeopardized Microsoft and all of its software development partners, and even the U.S. Army’s training simulator program.


Many of the new generation of hackers claim to be inspired by hacktivists such as Julian Assange. The hacktivists claim that their ethics are based on free speech, human rights, and freedom of information. And, as in any other cult or “culture”, they have terms for their own Good and Evil:

  1. White Hats, aka Hackers, who are computer security experts;
  2. Black Hats, aka crackers, the criminals we usually call “hackers.”

As anything can be interpreted in one’s own way, many of these ingenious self-taught hackers hold the wrong notion that challenging the security systems of corporations and governments is the righteous test by which to prove themselves in the Internet world. Only they know the true intention of their actions, but the bottom line is that misuse of important information is part of this so-called test, and acquiring data they are not entitled to is simply another form of burglary. It really is an extremely fine line between being a White Hat and a Black Hat, and who picks the color, or rather the shade, of the hat for any of these computer wizards? FLaC seems to have felt morally challenged at times. According to the *indictment (contributed by Lauren Raab, Los Angeles Times), in which he was redacted as an unindicted co-conspirator, he told his peers that he felt making money out of it [hacking] was degrading. Perhaps he really meant it when he said he was merely curious. Does that make him a White Hat? Or is he still a Black Hat for what he’s done?


Photo of Australian Federal Police Commander Glen McEwen

The cost of this initiation eventually falls on unexpected victims, often the innocent employees or customers of the organizations, but to a young mind eager to be recognized, it can seem like just another stage to clear in a game. However “innocent” their first intentions were, there is always the possibility that other factors will turn them into dangerous threats. In the interview with The Australian, the manager of the Australian Federal Police’s Cyber Crime Operations, Commander Glen McEwen, put it in perfect words: “It may start off as defacement of a website but it can go to the other end of the spectrum where you are encoding malware and stealing millions of dollars.”

Let’s face the inevitable burdens of the 21st century that the convenience of the Internet has brought along. It connects anyone with a connection to anything in the world. Now, imagine yourself in a new world with an endless flow of information, and you have learned to fiddle with locks. You have just learned that nobody recognizes you, and that when you jiggle the tools in the right direction, doors open with prizes behind them. Wouldn’t you want to venture out? Why would you not want to challenge yourself for bigger prizes? Or would you rather knock on a stranger’s door and let him or her know that their locks are not secure?

Whether the original goal of these hackers was truly to help people or not, tricks and methods are getting more sophisticated by the hour, and major corporations and governments with whole teams of security staff are being targeted by self-educated teenagers for fun. This time, it was a nerd from WA University who was in the spotlight, and there are plenty more out there looking for the same fame, or possible infamy.

The Open Web Application Security Project (OWASP) has published the SQL Prevention Cheat Sheet, so we can all be aware of the problem and also ask the software developers involved to help us keep our own and our customers’ data safe. The primary defense methods are:

  • Use of Prepared Statements (Parameterized Queries)
    Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied.
  • Use of Stored Procedures
    They require the developer to define the SQL code first, and then pass in the parameters after. The difference between prepared statements and stored procedures is that the SQL code for a stored procedure is defined and stored in the database itself, and then called from the application. Both of these techniques have the same effectiveness in preventing SQL injection so your organization should choose which approach makes the most sense for you.
  • Escaping all User Supplied Input
    Each Database Management System (DBMS) supports one or more character escaping schemes specific to certain kinds of queries. If you then escape all user supplied input using the proper escaping scheme for the database you are using, the DBMS will not confuse that input with SQL code written by the developer, thus avoiding any possible SQL injection vulnerabilities.

Additionally:

  • Enforce Least Privilege
    To minimize the potential damage of a successful SQL injection attack, minimize the privileges assigned to every database account in your environment. Do not assign DBA- or admin-type access rights to your application accounts.
  • Perform White List Input Validation
    Input validation can be used to detect unauthorized input before it is passed to the SQL query.
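A worked illustration of the first and last defenses above, written for this post rather than taken from OWASP or from anything FLaC’s targets ran: the same employee lookup built by string concatenation, as a prepared statement, and behind allow-list validation, run against a constructed in-memory SQLite table. The table contents, the username pattern and the crafted input are all constructed for the demonstration.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data; nothing here comes from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "dev"),
         ("bob", "bob@example.test", "dev"),
         ("carol", "carol@example.test", "dba")],
    )
    return conn


def lookup_concat(conn, username):
    """Vulnerable: the input is pasted into the SQL text, so the DBMS
    cannot tell the developer's code from the caller's data."""
    sql = "SELECT username, email FROM employees WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, username):
    """Hardened: the SQL text is fixed first and the value is bound
    separately, so the driver only ever treats it as data."""
    sql = "SELECT username, email FROM employees WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list pattern chosen for this demo: lowercase identifier, max 32 chars.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def lookup_validated(conn, username):
    """Allow-list validation in front of the prepared statement: anything
    that is not a plausible username is rejected before it reaches the DBMS."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allow-list validation")
    return lookup_prepared(conn, username)


if __name__ == "__main__":
    conn = build_db()
    crafted = "' OR '1'='1"  # constructed input that closes the quoted literal
    print(lookup_concat(conn, crafted))    # every row comes back: injection worked
    print(lookup_prepared(conn, crafted))  # []: no employee has that literal name
    print(lookup_validated(conn, "alice"))
```

The concatenated query becomes `WHERE username = '' OR '1'='1'`, which is true for every row; the prepared statement compares against the whole crafted string as one value and matches nothing, and the validator refuses it outright.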

What else can we do to protect ourselves while the big organizations and governments are at risk? Always make sure you are up to date on possible security issues by following security providers closely, or hire professionals to watch closely and make sure your computer systems are safe.

* FLaC, aka SuperDaE, aka Dan Henry
* SQL is a special-purpose programming language designed for managing data
