1 MILLION accounts leaked in megahack on banks, websites

Hacker collective Team GhostShell leaked a cache of more than one million user account records from 100 websites over the weekend. The group, which is affiliated with hacktivists Anonymous, claimed they broke into databases maintained by banks, US government agencies and consultancy firms to leak passwords and documents. Some of …

COMMENTS

This topic is closed for new posts.

Anonymous Coward

THE MOST BASIC FORM OF MIND CONTROL IS REPETITION

http://vimeo.com/9532613

0
0
Bronze badge
Mushroom

Re: THE MOST BASIC FORM OF MIND CONTROL IS REPETITION

Usual Open Source Swiss Cheese. All the urls have .PHP = LAMP stack being used.

1
15
Silver badge
Trollface

Re: THE MOST BASIC FORM OF MIND CONTROL IS REPETITION

LAMP stack being used.

You have mighty though possibly hasty access to reality-based truthiness, oh wise one. Might one inquire about how you obtain your amazing knowledge about the operating system, webserver and database used?

11
0
Facepalm

Re: THE MOST BASIC FORM OF MIND CONTROL IS REPETITION

Hey, that's the same extension as a PHP script on a WAMP stack! This must mean they're actually using a WLAMP stack!

1
0
Joke

Re: THE MOST BASIC FORM OF MIND CONTROL IS REPETITION

Na, they got bullied into submission, therefore it's a WIMP stack!

0
0
Bronze badge
Pirate

Apoplectic

Sweet Jesus, I figured El Reg would get it right, but noooo.... It is Cracker not Hacker. Just like they don't call them safe hackers. Be a trend setter by doing something right.

As for the CRACKERS, they aren't really hurting banks as much as they think if they are leaking the banks' customer info. That hurts the average person that they should be helping to protect from the banks. If they want to do some good they need to expose the banks for the scam they are.

16
15
Anonymous Coward

Re: Apoplectic

"Sweet Jesus, I figured El Reg would get it right, but noooo.... It is Cracker not Hacker. Just like they don't call them safe hackers. Be a trend setter by doing something right."

Nope, they used SQL injection so the correct term is "script kiddies". This requires almost no skill on the part of the attacker, and confirms no skill on the part of the web developer.

27
2
Bronze badge
Linux

Re: Apoplectic

True.

Now change my down vote using your scripts.

0
10

Re: Apoplectic

Simply using a SQL injection infers very little skill on behalf of the attacker, true.

However actually discovering the hole and performing the analysis in order to make it exploitable can be a task ranging from the nearly trivial to down-right infernal. Once you have done that, using SQLmap to slurp up all of the data is straight-forward.

4
0
Bronze badge

Re: Apoplectic

Are you implying that El Reg have SQL Injection vulnerabilities in their code?

1
0
Megaphone

Re: Apoplectic

That battle was lost years ago. Please move on, Rick.

8
0
Silver badge

Re: Apoplectic

>Are you implying that El Reg have SQL Injection vulnerabilities in their code?

No, el'reg runs on DBase II, dos batch files and a self aware BBC micro

14
0
Thumb Down

@djack

Implies, not infers! It's not difficult.

4
0
Mushroom

Re: Apoplectic

script kiddies definitely - want to try yourself... just grab a linux box or install the python runtime onto your windoze... download sqlmap:

./sqlmap.py -u http://siteyouwanttohackhere/index.php?id=4

you can even get google to help you:

./sqlmap.py -g "site:www.sitetohack.com inurl:filename.php"

0
0
Silver badge

Oh good work.

"Team GhostShell said the online leaks, which are part of its Project Hellfire campaign, were made in order to increase support for cops and government agents who want to enforce stricter police measures on the internet."

Right.

“All aboard the Smoke & Flames Train, Last stop, the penitentiary!" Team GhostShell wrote. "Two more projects are still scheduled for this fall and winter. It's the beginning of the end for us!"

Don't you just know it.

1
1
Anonymous Coward

"security biz Imperva" have analysed the attacks, so why is there nothing mentioning any named organisation!

"banks, US government agencies and consultancy firms" - so WHICH banks, agencies and consultancies.

Or is John Leydon too lazy to do some investigative work and is simply copying and pasting an article from somewhere else!

7
3

SQL Injection

SQL Injection is an old, known attack. The defense is (1) use only stored procedures and (2) sanitize input data.

Getting hacked via SQL Injection is simple negligence on the part of the system operations staff. They should incur the $$$ liability for this.

9
4
Anonymous Coward

@mike acker: Re: SQL Injection

I don't know anything about this subject and so I don't really know if you are right or wrong. But I agree that there has got to be some kind of monetary liability in order to encourage companies and their IT departments to take sufficiently good care of their customers' data.

4
0

Re: SQL Injection

unless your organization is retarded and has outlawed stored procedures.

0
1

Re: SQL Injection

Nope. Stored procedures can be vulnerable to injection attacks themselves. The solution is the use of parametrised queries (even within stored procedures). That way the server has no doubts over what is data and what is code.

7
0
WTF?

Re: SQL Injection

Hey. Why are you blaming the systems operators? The blame here goes to the developers and management for not hiring whitehat pen testers. Systems staff rarely get a say in which software they run on their systems.

5
0
Silver badge
Coat

Re: SQL Injection

Who doesn't sanitise their input data?;GO;DROP TABLE Users;GO;

2
0
Thumb Up

Re: SQL Injection

You are the only one who seems to get it! Stored procedures STILL can be vulnerable to SQL Injection. It is ALL about checking the input!!!!

2
1

Re: SQL Injection

obligatory XKCD

http://xkcd.com/327/

5
1
Anonymous Coward

Re: SQL Injection

Correct - if they're using PHP, prepared statements are usually the way to go... that way the data is just read as "data"...

0
0
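The point made in the two replies above (parametrised queries, and PHP prepared statements reading input "just as data") as an added example that is not code from the original thread or from any commenter. It is written in Python against an in-memory SQLite database rather than PHP/MySQL so it runs without a web stack; the users table, the column names and the injection payload are all constructed here for illustration.

```python
import re
import sqlite3

# Constructed sample data: two users with placeholder password hashes.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
]

# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"

# Allow-list for usernames: defence in depth, not a substitute for binding.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def build_db():
    """Create the in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: attacker text becomes part of the SQL grammar.

    With PAYLOAD the statement sent to the engine is
        SELECT username FROM users WHERE username = '' OR '1'='1'
    which matches every row.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, username):
    """Bound parameter: the statement text is fixed, the value travels separately.

    The engine compares the column against the literal string
    "' OR '1'='1" and finds nothing, because the quote characters are data,
    not syntax. This is what a PHP prepared statement does as well.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_valid_username(username):
    """Input check as an extra layer; it would also reject PAYLOAD outright."""
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    """Run both lookups with the payload and an honest value; return the results."""
    conn = build_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, PAYLOAD)),
        "parameterised": lookup_parameterised(conn, PAYLOAD),
        "honest": lookup_parameterised(conn, "alice"),
        "payload_passes_validation": is_valid_username(PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same rule applies inside a stored procedure: a procedure that concatenates its argument into a dynamic SQL string and executes it is exactly `lookup_vulnerable` with an extra hop, which is why the reply above says to parametrise even there. The allow-list check is worth keeping as a second layer, but a field that legitimately contains quotes (a surname like O'Brien) shows why binding, not filtering, is the primary control.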
Silver badge
WTF?

Again, the SQL injection attacks!

How long has this been known of and standard measures to protect been available? - Years!

WTF are these organisations doing with their IT budgets?

9
0

This post has been deleted by its author

Anonymous Coward

Re: Again, the SQL injection attacks!

Buying iPads because their upper management has decided they need some new shiny?

3
0
Anonymous Coward

WTF are these organisations doing with their IT budgets?

Many of them have funded both sides of major wars.

2
0
Holmes

Re: Again, the SQL injection attacks!

Laying off programmers so they can add another wing to their McMansions.

2
0
Bronze badge
FAIL

Re: Again, the SQL injection attacks!

Q: WTF are these organisations doing with their IT budgets?

A: Probably paying out millions in executive bonuses; and shit for developers.

WTF else is new?

0
0
Bronze badge

Re: Again, the SQL injection attacks!

How long has this been known of and standard measures to protect been available? - Years!

Yes. SQL injection attacks became a common topic around 2001, and they were discussed before that, though they weren't prominent.[1] An example of an earlier discussion is Bugtraq BID 994 / Microsoft MS00-010 (February 2000), "Site Server Commerce Edition non-validated SQL inputs". The Bugtraq discussion describes modifying a URL to inject an additional subquery into a query, and includes the comment "I know this is possible on a number of large commercial sites".

So we have a decade of widespread discussion, starting with a documented vulnerability and exploit for a Microsoft product (acknowledged by the vendor). There's absolutely no excuse for any organization of any size to be unaware of the problem.

WTF are these organisations doing with their IT budgets?

Well, they're clearly not buying their developers copies of The n Deadly Sins of Software Security[2], which does an excellent job of explaining this and other common vulnerabilities, how to find them in existing code, and how to remedy them. (There are other good books, but Deadly Sins is concise, clear and inexpensive.) I think it should be required reading for every professional programmer who works with any of the technologies it covers - which is pretty much everything outside some specialized domains.

[1] RFP's paper on SQL injection was published in 2001. An example of a slightly earlier text in the field that doesn't mention SQL injection is A Complete Hacker's Handbook, published in 2000.

[2] Where n is a value between 19 and 24, depending on which edition you buy.

1
0

This post has been deleted by its author

This post has been deleted by its author

Ru
Silver badge
Meh

"affiliated with hacktivists Anonymous"

Isn't almost everybody, these days?

Honestly, what is this supposed to mean? "We don't know who they are, so they're clearly Anonymous, lol". It's like every terrorist group mentioned on the news having "links with al Quaida".

10
1
Anonymous Coward

Re: "affiliated with hacktivists Anonymous"

IT'S TIME FOR A NEW BOGEYMAN ANYWAY

The media could call them the Penis Disturbers; rumoured to remove your foreskin or if you dont have one they put some other guys on you. its all true.

3
0
Devil

Re: "affiliated with hacktivists Anonymous"

You see, terrorists and cr/hackers need to trademark their names; that way, if some loudmouth in Iraq declares he's a leader of Al Qaeda, the real Al Qaeda can sue him.

1
0
WTF?

Hmph!

"Team GhostShell said the online leaks, which are part of its Project Hellfire campaign, were made in protest against banks and in revenge for the rounding up of hacktivists by cops and government agents."

So to get their revenge, they stole a million innocent people's private data... cause that will only hurt the banks right?

11
0
Anonymous Coward

The developers of the compromised systems - dicks.

Any pen-testers who worked on said systems - dicks.

The fools who compromised said systems and subsequently plaster user data everywhere - prize dicks.

Team GhostShell? This lot, l33t haxors? Don't make me laugh. Team Teen Penis morelike.

7
3

I wouldn't blame the testers, they probably reported the vulnerabilities that they found and were ignored by the managers who saw the cost to close the holes.

6
0
Anonymous Coward

@Oviver

Re: Pen testers

You could be right, they may have reported vulnerabilities - in which case I would retract that one. But my comment about pen testers was based on personal experience of 'reputable' London based companies. Sometimes they are not quite as good as they claim to be, even when they come with price tags of £10k's for small jobs. You may be surprised (or not) how many times I have seen costly invoices from pen testers for a report that simply dishes out recommendations in cases where no issues were found to exist, and yet gaping holes that should have been found never were.

So I suppose my experience is that a large outlay does not necessarily buy decent pen testers - even where they do have a good reputation.

0
0
Bronze badge

Doing Homeland Security today, eh?

Place banks in a financial-attack column, but Homeland Security's website is different.

Hurricane victims TODAY and TOMORROW will be using HS's facilities. I hope that they get in.

How does Anon not see that they would cause problems for victims like that?

1
0
Anonymous Coward

Re: Doing Homeland Security today, eh?

"How does Anon not see that they would cause problems for victims like that?"

They are either - not without exception though - too stupid, or they simply don't care. I would guess it's generally a bit of both tinged with other excesses of youth.

It's obvious by the actions of Anon and this bunch that ethics, morals, standards etc. are sorely lacking in their little lives. No doubt, there is some 'talent' out there in these groups. It's just a crying shame that the talented minority can't disengage from the lulz and the kewlz and do something productive.

6
0
Silver badge
Big Brother

Re: Doing Homeland Security today, eh?

"Hurricane victims TODAY and TOMORROW will be using HS's facilities."

Because it's a good idea to amalgamate the guys fingering and checking your laptop under threat of an MP5 and the ones rescuing you when nature acts up.

EVEN MORE DICKS.

0
0
FAIL

I'm sorry but "hacking" (not that this is hacking/cracking... bloody script kiddies) as a form of protest against "Big Brother" retaining private information and then releasing it is about as effective as fornicating for virginity.

6
1
Silver badge

Whatever it is

To be honest, the fact that some of the data was obtained in an easy way is even better, it makes the point about how lousy security is in the real world.

0
2
Anonymous Coward

----

"fornicating for virginity"

Well maybe so, but it _could_ be worth trying.

3
0
Anonymous Coward

Paged through some of the leaks a bit. I'm sure there's some sensitive info there but I didn't see anything earth shattering. It looks more like they found 100 random sites that were hackable and leaked some of their data of mixed importance. Sounded like a much bigger deal at first. I like how they started out with "CIA Services" in pastebin. That's not the same CIA you're thinking of.

0
0
Holmes

School of Meaningless "Statistics"

"Some of the breached databases each contained more than 30,000 records."

0
0
Silver badge

Seems to me that the "statistic" itself is proper reporting. What would be meaningless would be any conclusion derived from that figure.

0
0
