Murdoch’s Sun Newspaper Hacked by LulzSec

 by Chris Taylor

Hacker group LulzSec, which previously announced it was disbanding, has evidently decided to come out of retirement.

The site managed to redirect the homepage of what is now News International’s best-selling newspaper, The Sun — sister paper to theNews of the World — to the LulzSec Twitter account.

Minutes earlier, the hacker group reportedly managed to redirect the Sun’s homepage to a fake news story on the sudden death of Rupert Murdoch. That hack was widely reported, though few sources save the UK-based Guardian actually saw the hack with their own eyes.

The hacks apparently began taking place as news was breaking about the ongoing News of the Worldwhistleblower scandal. Former NOTW reporter Sean Hoare had exposed the publication’s hacking of source’s phones to The New York Times, the BBC, and international audiences last fall and again last week. Today, it was revealed that Hoare had been found dead. The LulzSec attack, although not explicitly stated as such on the LulzSec Twitter account, would ostensibly a retaliation for any possible involvement on Murdoch’s part.

The Sun, a tabloid with more than 3 million readers, was launched in the late 1960s and quickly became infamous for its scantily-clad “Page 3″ girls. It was credited with swinging the UK’s 1992 election to the Conservative party — which it bragged about in the front page headline “It’s The Sun Wot Won It.” Five years later, it backed Labor leader Tony Blair, who won in a landslide.

LulzSec has previously hacked the websites of the CIA, the U.S. Senate, Sony Entertainment and several others. The hacker collective also seems to have brought down the official website of News International.

Kevin Mitnick shows how easy it is to hack a phone

by Elinor Mills

Hacker Kevin Mitnick is conscientiously working on his image.

(Credit: Declan McCullagh/CNET)

British tabloid News of the World said today it is closing down over a phone hacking scandal in which workers for the Rupert Murdoch-owned newspaper allegedly snooped on voice mail messages left on the mobile phones of murder victims, as well as celebrities, politicians, and the British royal family.

If unethical journalists can do it chances are anyone can, right?

To test my theory I called up Kevin Mitnick, who wrote about the hacking and social engineering that landed him in jail in a fascinating book coming out this summer, "Ghost in the Wires," and who serves as a security consultant, helping clients protect against privacy breaches such as this.

Phone hacking, also known as "phreaking," is easy to do, Mitnick said, adding that he could demonstrate it on my phone if I wanted proof. So I gave him permission to access my voice mail and told him my mobile phone number.

He called me right back on a conference call so I could hear what was going on. First he dialed a number to a system he uses for such demonstration purposes and entered a PIN. Then he was prompted to enter the area code and phone number that he wanted to call (mine) and the number he wanted to be identified as calling from (again mine). Next thing I know I'm listening to a voice message a friend of mine left me last night that I hadn't erased.

"See how easy it is?!" Mitnick says as my jaw drops.

He was able to get into my voice mail by tricking my mobile operator's equipment into registering the call as coming from the handset--basically pretending to be me. To do this, he wrote a script using open-source telecom software and used a voice-over-IP provider that allows him to set caller ID, but there also are online services that provide similar capability that non-hackers could subscribe to. It might be easier or harder to accomplish depending on the mobile operator, he said. (I'm keeping some of the details sketchy to avoid providing a how-to for phreaking.)

"Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in about 30 minutes," Mitnick said. "If you're not adept at programming, you could use a spoofing service and pay for it."

This technique, called Caller ID Spoofing, has been used and abused for years. In 2006, a caller ID spoofing account in the name of Paris Hilton was suspended for voicemail hacking, with other celebrities, including Lindsay Lohan, allegedly being victims, according to IDG News Service.

The method is more sophisticated than that allegedly used by the British journalists who are accused of using default PINs to access victims' voicemail accounts, assuming correctly that many people wouldn't bother to change the PINs. Since the phone hacking scandal first erupted about five years ago, mobile operators in the U.K. have changed their practices and most now require people to set their own PINs for remotely checking voice mail.

If I want to avoid having anyone use Caller ID Spoofing to access my voice mail again, I need to change my phone settings to require a PIN even when checking voice mail from my mobile device. But that doesn't address the fact that mobile operators don't authenticate caller ID. "The magic is that my VoIP provider allows me to set any caller ID and the other operators trust it," Mitnick said. "Caller ID is automatically trusted."

Mobile phone industry specialist David Rogers suggests on his blog that operators should consider preventing people from accessing mobile voicemails remotely at all.

Meanwhile, the Truth in Caller ID Act of 2010, which was signed into law late last year, prohibits anyone intending to defraud, cause harm, or wrongfully obtain anything of value from knowingly causing any caller ID service to transmit or display misleading or inaccurate caller ID information. This could send the caller spoofing services off shore but likely won't put an end to the practice.