LulzSecurity

[Ormorof]

maybe they are security professionals looking for a wage increase or job security...

"you cant fire us! look whats happening to everyone else!"

followed shortly by a "bwuahahahaha...mwuuuuahahahahahaahaha" sound from the IT security department meeting

 

[ST^]

Rather unlikely it's spotty teenagers, the whole LulSecurity thing is just a cover up. I'd says its some serious professionals from the security industry being funded heavily by someone for some reason. The motive? Who knows but it's something big and I'd say they are using a zero day MYSQL remote buffer overflow exploit or an injection. Not much can be done until thy find out how they are getting in (serious debugging, monitoring and traffic sniffing) and the software devs get it fixed.

The gaming company's are not at fault, not much they can do, the exploit is not known and they have to use the software. If it was me, I'd be hiring some serious professionals like HD Moore - Wikipedia, the free encyclopedia to keep an eye on my network.

DDoS are not much to worry about though, that probably just means they can't get in. Even Daoc was vulnerable to a very simple syn spam attack a few years due to a poorly configured and maintained network.

Why do you think there is heavy funding? How does exploiting a zero day vulnerability (which I very much doubt it is) or doing injection attacks require heavy funding?! What are they spending the money on?

It is likely just SQL injection. And the Bethesda one was local file inclusion (where the code includes local files based on POST/GET vars, but isn't secured, so they used it to include the files containing SSH keys). SQL injection absolutely can be prevented.

 

[soze]

A guy I work with though it might be a load of Cisco guys who are being made redundant trying to drum up business so they can keep their jobs.

 

[GimmlyThe3rd]

Why do you think there is heavy funding? How does exploiting a zero day vulnerability (which I very much doubt it is) or doing injection attacks require heavy funding?! What are they spending the money on?

It is likely just SQL injection. And the Bethesda one was local file inclusion (where the code includes local files based on POST/GET vars, but isn't secured, so they used it to include the files containing SSH keys). SQL injection absolutely can be prevented.

Well you have to think, the group is new, targeting big time company's and doing something that's' never been seen before. They are also making it public as possible, if they were after profit, they would be harvesting user info and credit card info and selling it. It would not be this public and only these type of company's, The threat of getting caught is far too great (FBI hacker nerds etc are super good at catching you also) than flexing your hacker ego.

I haven't looked at the Bethesda one, link to the details? To think this was simply a SQL injection that hit all these big boys could be prevented by coding is ridiculous. Unless something very big has just been discovered in SQL Injections, I'd say it's more like a MYSQL remote stack overflow. And what makes it different, most people that find zero days, usually sell them or inform the company's and release them. As to go on a tear exploiting company's lands you a lengthy jail term.

 

[Roo Stercogburn]

It will be interesting to find out what zero-day exploit they've found. I suspect when its uncovered their spree will come to an end.

 

[ST^]

Well you have to think, the group is new, targeting big time company's and doing something that's' never been seen before. They are also making it public as possible, if they were after profit, they would be harvesting user info and credit card info and selling it. It would not be this public and only these type of company's, The threat of getting caught is far too great (FBI hacker nerds etc are super good at catching you also) than flexing your hacker ego.

I haven't looked at the Bethesda one, link to the details? To think this was simply a SQL injection that hit all these big boys could be prevented by coding is ridiculous. Unless something very big has just been discovered in SQL Injections, I'd say it's more like a MYSQL remote stack overflow. And what makes it different, most people that find zero days, usually sell them or inform the company's and release them. As to go on a tear exploiting company's lands you a lengthy jail term.

LulzSec versus Bethesda & Senate.gov - Pastebin.com

What do you mean by "never been seen before"?

I doubt it is a remote MySQL attack as almost all MySQL installations listen only to localhost.

 

[GimmlyThe3rd]

LulzSec versus Bethesda & Senate.gov - Pastebin.com

What do you mean by "never been seen before"?

I doubt it is a remote MySQL attack as almost all MySQL installations listen only to localhost.

No one has ever hacked this many big company's in a short space of time and claimed doing it.

mm doesn't say how the gained access to run the LFI on Apache to gain root though.

It's not really that uncommon to have remote access enabled. There is so many ways to exploit MYSQL, PHP, Apache etc, just look how many public exploits there are. For sure this has to be zero days and a huge motive behind it, it just isn't a new group hacking a few websites for fun

 

[Thorwyn]

They´re a bunch of delueded wannabe Robin Hoods with no moral or ethics other than their incredible overinflated self-importance.

 

[ST^]

No one has ever hacked this many big company's in a short space of time and claimed doing it.

mm doesn't say how the gained access to run the LFI on Apache to gain root though.

It's not really that uncommon to have remote access enabled. There is so many ways to exploit MYSQL, PHP, Apache etc, just look how many public exploits there are. For sure this has to be zero days and a huge motive behind it, it just isn't a new group hacking a few websites for fun

I dunno why you're so intent on avoiding the simple reason for it all. Anyone who has worked with other people's code knows that so many developers out there are clueless.

Look at the Citibank attack. The URL contained an id which related to your account. The hackers just changed this id and found that it didn't have any kind of auth check. You could just change the URL and look at other people's accounts. That's a banking website. Poor coding is what's happening. Nothing else.

 

[GimmlyThe3rd]

I dunno why you're so intent on avoiding the simple reason for it all. Anyone who has worked with other people's code knows that so many developers out there are clueless.

Look at the Citibank attack. The URL contained an id which related to your account. The hackers just changed this id and found that it didn't have any kind of auth check. You could just change the URL and look at other people's accounts. That's a banking website. Poor coding is what's happening. Nothing else.

I don't agree, 2 - 3 yes maybe due to poor coding but not this many top businesses. Citibank hack was a complete joke though,

I'm fimilar with exploits (http://wormblog.files.wordpress.com/2006/11/worm2.c) my name in the credits for making it work, got over 20k

 

[CorNokZ]

Why do you think there is heavy funding?

Because of the risk.. No basement dwelling coding faggot would be doing all of this and taking such a big risk without getting anything besides "internet fame" and "cool status" around other hackers

Surely he'd want to move out of his mom's basement soon

 

[CorNokZ]

Apparently they took down CIA.gov for two hours last night..

 

[BloodOmen]

getting more cocky by the day it would seem. they'll be caught within a month.

 

[Cyradix]

The EU is proposing a new law that makes writing hacking tools a criminal offense (so not just using them)

That's just silly imo....

 

[BloodOmen]

The EU is proposing a new law that makes writing hacking tools a criminal offense (so not just using them)

That's just silly imo....

Thats very silly indeed... the people that make them generally have no regard for the law anyway let alone when it comes to using said programs thus it'd just be a waste of taxpayer money enforcing it.

Thats like them saying they'll arrest every single person that downloads something illegal... they'd basically have to arrest the majority of the planet which in turn would be equally as pointless.

 

[Job]

I don't understand most of this thread.
And here lies the problem.

 

[old.Tohtori]

I don't understand most of this thread.
And here lies the problem.

Hackers crashed a few login servers(except eve which was taken down), people think doom&gloom with tinfoil hats on, usual day of itnernets.

 

[Ch3tan]

The EU is proposing a new law that makes writing hacking tools a criminal offense (so not just using them)

That's just silly imo....

And so the dark ages begin again.

 

[Thorwyn]

Is it really that silly?

As far as I know, the act of building a bomb is also against the law, regardless whether you use it or not. If you want to deal with explosives, you need a licence and accept a certain degree of contrlol by the government.
So: building something that´s potentially dangerous and only serves one purpose (destruction) is not allowed... and in the case of bombs rightly so.

The problem now is to find out if a piece of software is designed for just this one purpose This could be rather tricky and - of course - contains the possibility of abusing the power.

 

[old.Tohtori]

And so the dark ages begin again.

See what i mean job? Joor has been ridiculed for less

 

[Ch3tan]

Is it really that silly?

As far as I know, the act of building a bomb is also against the law, regardless whether you use it or not. If you want to deal with explosives, you need a licence and accept a certain degree of contrlol by the government.
So: building something that´s potentially dangerous and only serves one purpose (destruction) is not allowed... and in the case of bombs rightly so.

The problem now is to find out if a piece of software is designed for just this one purpose This could be rather tricky and - of course - contains the possibility of abusing the power.

Yes, because governments have been looking for an excuse to regulate the net for a long time now. Now they have one, under the guise of protecting the public. Say goodbye to the internet you know.

 

[Thorwyn]

Yes, because governments have been looking for an excuse to regulate the net for a long time now. Now they have one, under the guise of protecting the public. Say goodbye to the internet you know.

You´re right, but regulating the net has nothing to do with the legal evaluation of writing software, at least not directly.

All the hacks and attacks by those self declared freedom fighters *will* result in a drastical change of the current status quo, because - as you say - it provides the governments with the perfect arguments.

 

[Ch3tan]

Yes it does, if they can persecute those writing software then they can target those websites. Creating law to shut down and regulate websites which may have a link to hacking... slippery slope.

 

[Ormorof]

heh its a bit like arresting gun manufacturers when their weapon is used to kill someone...

im not sure how they could prove that a piece of software was specifically designed for illegal purposes... do security companies not use tools to asses their own security?

and if they start banning that whats next, bit torrent software used to distribute illegal software?

closure of websites which mention hacking? forums where people discuss hacking?

there was an article on the bbc which mentioned the "dark side of the internet" such as forums and chat rooms, kinda bugged me that they failed to mention that there are also thousands of perfectly harmless forums not infested with hackers and criminals...just despicable reprobates!


BBC News - Dark corners of the net

 

[- English -]

Twitter

Its quite a funny read really.. they have leaked 62000 passwords and emails for download, and people are randomly checking their email accounts, paypals, ordering things at their expense.

Just happy its not happening to me ... yet

 

[Chronictank]

Hackers crashed a few login servers(except eve which was taken down), people think doom&gloom with tinfoil hats on, usual day of itnernets.

They aren't hacking anything, they are doing denial of service attacks on various sites, it's not hard or clever nor is it to 'show security holes in services'

If all they were doing was showing security holes why are they publishing literally thousands of peoples email/twitter/facebook accounts?
The publicity has gone to their heads and they are just making themselves an inconvenience to be quite frank

What they are doing is terrible for the rest of us because it will mean more regulation and speed through previously rejected laws which limit our freedom to information.

 

[old.Tohtori]

Yeah i used the term hackers loosely.

It is quite dissshhpicable. For the lol factor, crashing a login server is fine, but releasing info is just plain criminal and should be punished.

Preferably with the old 10 years ban from computers.

 

[Access Denied]

True Hackers break into comptuer systems to prove to themselves that they can. they do it for fun and they don't do any damage, nor do they distribute names and passwords. Lulz Security are merely script-kiddies and tossers.

This reminds me of the English guy who's fighting extradition to the U.S for hacking into the D.O.D looking for the truth about UFO's. The U.S Government states that he caused untold thousands in damage but unless I'm being massively ignorant, I fail to see how merely entering a database like that can cause monetary damage.

All this will do, as others have said is give Governments the justification for clamping down and the internet in the guise of "Protecting the public"

Stupid fuckers.

 

[Ceixah]

True Hackers break into comptuer systems to prove to themselves that they can. they do it for fun and they don't do any damage, nor do they distribute names and passwords. Lulz Security are merely script-kiddies and tossers.

This reminds me of the English guy who's fighting extradition to the U.S for hacking into the D.O.D looking for the truth about UFO's. The U.S Government states that he caused untold thousands in damage but unless I'm being massively ignorant, I fail to see how merely entering a database like that can cause monetary damage.

All this will do, as others have said is give Governments the justification for clamping down and the internet in the guise of "Protecting the public"

Stupid fuckers.

Rest assured this lulzsec nonsense won't help Gary Mckinnon one bit :| shame really because although what he did was wrong you can't blame the guy for wanting to access the info...

 

[BloodOmen]

True Hackers break into comptuer systems to prove to themselves that they can. they do it for fun and they don't do any damage, nor do they distribute names and passwords. Lulz Security are merely script-kiddies and tossers.

This reminds me of the English guy who's fighting extradition to the U.S for hacking into the D.O.D looking for the truth about UFO's. The U.S Government states that he caused untold thousands in damage but unless I'm being massively ignorant, I fail to see how merely entering a database like that can cause monetary damage.

All this will do, as others have said is give Governments the justification for clamping down and the internet in the guise of "Protecting the public"

Stupid fuckers.

It can't, they just want to make an example of Gary Mckinnon (sp?) because he made them look like fools, there is literally no other reason they'd chase it so hard.

American pride, what a load of bollocks. As for LuLzSec i'm quite sure they don't realise just whats going to happen to them once caught, i'm sure they think they'll just get a slap on the wrist and let go, sadly for them they'll be facing literally hundreds of years worth of charges and will never see the light of day again.

Enjoy your lives boys because they're about to be void.