Notorious hackivist group Lulzsec has brought down Australian domain registrar and web hosts Distribute.IT and publicly published a list of 62,000 international email addresses and passwords. The data files appear to be cobbled together from a variety of sources, but the Australian email details include a number from Australian …
for the lulz
No doubt they are thrilled to bits with all this publicity. My website went down in February to a DDOS attack that lasted 3 weeks, it cost me tens of thousands of pounds in lost revenue and bandwidth bills. Money that is needed to pay my suppliers, my bills and feed my children.
Saying that though, I am firmly for re-education of these kids and not jail time, they are simply too immature to understand the consequences of their little lulz games.
It was mildly amusing when they attacked Sony but it seems to be getting out of hand now. But the more publicity they gain the more they will want to hit the headlines.
What's the point here?
To start with, I thought that it was a few people with a grudge. Then it looked like they were a bit naive, then stupid, now?
Now I'm not sure, but part of me wonders if it might be a group trying to drum-up support for cyber security / warfare? It certainly adds fuel to the US saying that they will declare cyber activities as acts of war (although it now seems that everything can be classed as war / terrorism nowadays and countered with deadly violence).
On the other hand maybe the completely different targets are the results of a google search for vulnerabilities, and they are going after anything that showed up?
I'm not going to bother posting anon; it would only encourage them to hack the Reg to get my details if they were that bothered...
OK, this is getting boring now!
Could we have their list of hacks in monthly digest form instead?
Any evidence they are linked?
Does the author of this article have any evidence whatsoever to link Lulzsec to the Distribute IT hack?
I don't see any mentioned in your post, and it's not mentioned in any of either parties official communications, so where is this coming from?
In fact, if you've been on LulzSec's IRC before, they openly request leaks and information for possible "operations". They are about as much of a group as Anonymous is.
I can understand doing things for the fun of it and poking big companies with sharp pointy sticks and childishly going "nerr nerr, your security does suck" *blows raspberry*
But stealing information and publishing it is way over the line, adversely affecting thousands of innocent people while trying to dress it up as comedy simply doesn't fly. It's no wonder that the virgin teenager with no money in the parent's basement stereotype perpetuates so well because this is exactly the sort of thing those socially maladjusted people would consider "absolutely hilarious". I'm not saying they should be hanged, but someone needs to give them a brief introduction to manners and real life before they are lost forever.
I must be old but frankly I just don't get it. Presumably this group Luluz etc (and others) must put some considerable effort into doing this kind of thing but frankly I simply don't see the point of it.
All it does is irritate lots of people, cause inconvenience and misery. Hacking for profit or salacious sleb gossip I can understand (I suppose) but this?
Does upsetting some unremarkable average people's lives, make some people happy these days? I think it's quite sad.
What are you talking about?
Laughing at the misfortune of others has been a common passtime for millenia. I'm not saying that it's right but it's hardly new.
To get noticed, why else?
You can't understand kids "getting-off" on seeing others suffer? How many times have you seen a public kharzi broken? A station waiting-room door broken? These arseholes who do it aren't around to see the effect of the damage they cause, they just know someone else will have to sort it out. They have made their presence known and that's the key to why kids do things like that, simply to let people know they exist.
This lot need rounding up and packing off for some re-education in manners, perhaps seeing the consequences of their actions. See the people who's emails got published now getting loads of shit in their inboxes and the possibility of being suckered by some scumbag scam email.
>> The latest hack attack from LulzSec follows on from its CIA security violation yesterday.
Do you mean the DoS attack? Hardly a "security violation." I think you're giving these kiddies a little too much credit.
Paving the way for a fully locked-down Internet
Are these hackers blind? You hack a company or two every so often, and governments won't really care. You hack government agencies and Internet registrars every day and it's only a matter of time before they turn the Internet into a fully locked-down sandbox, with every individual computer needing to be registered and vetted or it isn't coming on, and governments having total knowledge of everything. "For our safety."
They are just making that day come closer with every attack..
Re: Paving the way for a fully locked-down Internet
Are you advocating security by obscurity?
Security by Obscurity
As opposed to Security by Government mandate? Yes, I'll take obscurity any day thank you.
Re: Security by Obscurity
Which is exactly what....
... the governments who are in a position to do such a thing actually WANT. I'm looking at you, USA, UK, Australia.
Who is to say this isn't simply a black-flag operation by the right-wing-nutter arms of said governments?
it's just misdirection. The more random the attacks look, the less chance you have of spotting the one that gets the data they're looking for.
Hackivists? - Uh No.
Stop labelling them 'hackivist' - it makes it sound like they have some moral agenda, something to fight for - they don't.
Lulzsec are just a bunch of childish w*****s who need to just get back to school and grow up.
mmmm cheesy wotsits
And now that it's summer we can expect the kiddies to have more fun more often.
I don't get it either.
It's not lulz. The group seem to be responsible for wearing out a word. Typically, the name LulzSec, linked with their activities and outcomes which are costs many lots of money; is unimaginative. Really? I mean, trying to impress other 4chan kiddies is *that* important. Can we have some real news. Perhaps if we ignore them long enuff, they will get bored and start secondary school.
fixed the subtitle for you
Wankers release 62,000 email details
I don't get it
Why are these people able to obtain passwords and email addresses anyway, seems to me like a lot of best practise is being ignored, perhaps the targets should have taken better care of our data and encrypted it rather than storing it in plain text, quite why anyone needs to store a password at all is totally beyond me.
Thats not to excuse the hack but it would limit damage.
Think of it as user education
My guess is that for most of the Reg readership, the concept that the internet is fundamentally insecure is old news. We have no safety or privacy, except that which we put in place ourselves.
But for the rest of the world, this is an overdue wake-up call. Your data is there for the taking in a lot of different places. LulzSec are screaming "The Emperor has no clothes". It's always been true. Now even the suits know it.
If you think the correct response is to crack down on LulzSec, then you have failed this part of your training session. Shooting the messenger doesnt improve the protection of our data. Suppressing the symptoms doesnt cure the disease.
It is because it isn't.
"If you think the correct response is to crack down on LulzSec, then you have failed this part of your training session. Shooting the messenger doesnt improve the protection of our data. Suppressing the symptoms doesnt cure the disease."
Then cracking down on LulzSec may be the vital next phase of education. You have to demonstrate that it is not the answer.
This is a title
Any burglar'll tell you that real-world security's much the same illusion.
So if a bunch of chavs bump-keyed, bumped or jimmied their way into your house, had away your valuables and shat all up the walls for good measure, your first reaction would be to roll your eyes, smile and say, "Well that's a lesson in security for me then!"
clearly a black op
Government needs excuse to turn off the internet and gut it. Then we will be given access to a walled garden instead. Effectively just Facebook, but run on behalf of the government (like it already is). There will be no more DNS system. You just point your browser at Facebook, "the new internet", and write up everything you did that day, because it will be mandatory.
But first and most importantly of all they need the people to demand that something is done about "the hackers". This is just the start of a blitz that will have every newspaper in the country demanding outright enslavement before the year is out. Our politicians, although they really have no power over anything, are the useful idiots who will read those news stories and implement the police state. They have all the tools.
This is the capstone. Get ready to lose everything.
Re: clearly a black op
Uhuh. Do you believe this stuff? Here, go switch off the internet:
The data also appears to be bogus (again)
It took me a while but I also got hold of this list of passwords. Do note that the source of the passwords is still undetermined. One source says it came from Writerspace, another source claims that it was undisclosed and now ElReg speaks of an Australian ISP? Vague, vague...
While on their twitter account it seems (I don't do nor want social website nonsense) they claimed that it got from "their collection".
But lets assume that the source was indeed a website or ISP. What website or ISP would keep invalid addresses in their database? Look at the list yourself (its not that hard to find; once again distributed in plain text even). "hotmail.com.jj" anyone ? Or what about 1 e-mail address which appears multiple times with multiple passwords ....in the same section ?
It gets better.. I simply tried to verify a few addresses myself. Not by sending e-mails, that's spamming and intrusive. By using either the "verify" SMTP command or simply using RCPT TO: and check the results (after which I cleanly disconnect). Most tested valid but a lot also appear to be invalid.
How does any decent ISP or modern website (e-mail verification is so common these days) end up with non-existing (hotmail.com.jj) or invalid e-mail addresses ?
wrt the sections: there are three; one which lists "<password> | <email> | |". One which lists "<email> | <password>" and finally one which does "<number> | <password> | <email>".
Australian ISP? Its possible I suppose, but when looking at the list you'll notice that the majority are accounts from Brazil.
In the UK we have creatures called chavs, these are generally teenagers who hang round shops etc, intimidate people and vandalise phone boxes etc. These lot seem to be the Internet equivalent.
I don't mind hackers who expose bad security and tell the owner so they can fix it, even if they release stuff when the company ignores them. But lulz are doing it for no reason now, it's not even funny, it's just mindlessly destructive, just like chavs.
we have Neds: The West Coast equivalent to Lulz, only funnier and higher up the evolutionary chain.
Paris, because she has more Lulz than these Loolzers.
'Lulz' are not a pointless reason...
If people can break into systems and perform deep network intrusions as a spare time / hobby for shitz'n'gigglez'n'lulz imagine what the dedicated professional corporate / government / military sponsored types are quietly achieving ...
While doing it for the 'lulz' seems initially immature, pointless, stupid blah blah, it does beg the question "so what about other groups who are doing this, for reasons that have nothing to do with lulz"...
The media reported 'lulz' hacks are the tip of the ice-berg: what we're seeing above the waterline, and unnervingly illistrates that no one has any idea at all how deep the problem lies below the waterline...
Unencrypted Passwords, Unsecure Practices
Let's face it, Lulzsec wouldn't have been able to get at this data if it had been properly protected.
And for storing unencrypted passwords in a database, that's unforgivable in this day and age.
Granted what they're doing is causing lots of innocent people trouble, but that is because those innocent people are putting their trust into websites that do not deserve it. Lulzsec are simply bringing this out into the open for everyone to see.
If I told you I stored all your passwords and e-mails unencrypted, would you give me them?
Just over-fed punks
Get a job. get a life.