1 MILLION accounts leaked in megahack on banks, websites Hacker collective Team GhostShell leaked a cache of more than one million user account records from 100 websites over the weekend. The group, which is affiliated with hacktivists Anonymous, claimed they broke into databases maintained by banks, US government agencies and consultancy firms to leak passwords and documents. Some …
Sweet Jesus, I figured El Reg would get it right, but noooo.... It is Cracker not Hacker. Just like they don't call them safe hackers. Be a trend setter by doing something right.
As for the CRACKERS, they aren't really hurting banks in so much as they think, if they are leaking the banks customer info. That hurt s the average person that they should be helping to protect from the banks. If they want to do some good they need to expose the banks for the scam they are.
"Sweet Jesus, I figured El Reg would get it right, but noooo.... It is Cracker not Hacker. Just like they don't call them safe hackers. Be a trend setter by doing something right."
Nope, they used SQL injection so the correct term is "script kiddies". This requires almost no skill on the part of the attacker, and confirms no skill on the part of the web developer.
Simply using a SQL injection infers very little skill on behalf of the attacker, true.
However actually discovering the hole and performing the analysis in order to make it exploitable can be a task ranging from the nearly trivial to down-right infernal. Once you have done that, using SQLmap to slurp up all of the data is straight-forward.
This post has been deleted by its author
"Team GhostShell said the online leaks, which are part of its Project Hellfire campaign, were made in order to increase support for cops and government agents who want to enforce stricter police measures on the internet."
Right.
“All aboard the Smoke & Flames Train, Last stop, the penitentiary!" Team GhostShell wrote. "Two more projects are still scheduled for this fall and winter. It's the beginning of the end for us!"
Don't you just know it.
"security biz Imperva" have analysed the attacks, so why is there nothing mentioning any named organisation!
"banks, US government agencies and consultancy firms" - so WHICH banks, agencies and consultancies.
Or is John Leydon to lazy to do some investigative work and is simply copying and pasting an article from somewhere else!
I don't know anything about this subject and so I don't really know if you are right or wrong. But I agree that there has got to be some kind of monetary liability in order to encourage companies and their IT departments to take sufficiently good care of their customers' data.
This post has been deleted by its author
How long has this been known of and standard measures to protect been available? - Years!
Yes. SQL injection attacks became a common topic around 2001, and they were discussed before that, though they weren't prominent.[1] An example of an earlier discussion is Bugtraq BID 994 / Microsoft MS00-010 (February 2000), "Site Server Commerce Edition non-validated SQL inputs". The Bugtraq discussion describes modifying a URL to inject an additional subquery into a query, and includes the comment "I know this is possible on a number of large commercial sites".
So we have a decade of widespread discussion, starting with a documented vulnerability and exploit for a Microsoft product (acknowledged by the vendor). There's absolutely no excuse for any organization of any size to be unaware of the problem.
WTF are these organisations doing with their IT budgets?
Well, they're clearly not buying their developers copies of The n Deadly Sins of Software Security[2], which does an excellent job of explaining this and other common vulnerabilities, how to find them in existing code, and how to remedy them. (There are other good books, but Deadly Sins is concise, clear and inexpensive.) I think it should be required reading for every professional programmer who works with any of the technologies it covers - which is pretty much everything outside some specialized domains.
[1] RFP's paper on SQL injection was published in 2001. An example of a slightly earlier text in the field that doesn't mention SQL injection is A Complete Hacker's Handbook, published in 2000.
[2] Where n is a value between 19 and 24, depending on which edition you buy.
This post has been deleted by its author
This post has been deleted by its author
"Team GhostShell said the online leaks, which are part of its Project Hellfire campaign, were made in protest against banks and in revenge for the rounding up of hacktivists by cops and government agents."
So to get their revenge, they stole a million innocents people private data... cause that will only hurt the banks right?
@Oviver
Re: Pen testers
You could be right, they may have reported vulnerabilities - in which case I would retract that one. But my comment was about pen testers was based on personal experience of 'reputable' London based companies. Sometimes they are not quite as good as they claim to be, even when they come with price tags of £10k's for small jobs. You may be surprised (or not) how many times I have seen costly invoices from pen testers for a report that simply dishes out recommendations in cases where no issues were found to exist, and yet gaping holes that should have been found never were.
So I suppose my experience is that a large outlay does not necessarily buy decent pen testers - even where they do have a good reputation.
"How does Anon not see that they would cause problems for victims like that?"
They are either - not without exception though - too stupid, or they simply don't care. I would guess it's generally a bit of both tinged with other excesses of youth.
It's obvious by the actions of Anon and this bunch that ethics, morals, standards etc. are sorely lacking in their little lives. No doubt, there is some 'talent' out there in these groups. It's just a crying shame that the talented minority can't disengage from the lulz and the kewlz and do something productive.
Paged through some of the leaks a bit. I'm sure there's some sensitive info there but I didn't see anything earth shattering. It looks more like they found 100 random sites that were hackable and leaked some of their data of mixed importance. Sounded like a much bigger deal at first. I like how they started out with "CIA Services" in pastebin. That's not the same CIA you're thinking of.
Either they are competitors or organized criminals or secret agencies.
That is who really is behind all the hacking against corporations, banks, government servers.
Then the population really believes that these groups would be 12 to 18 years old "genius hackers"...
How gullible people are nowadays.
"Then the population really believes that these groups would be 12 to 18 years old "genius hackers"...
How gullible people are nowadays."
I don't think anyone in their right mind would consider anyone perpetrating a SQL injection attack as a 'genius'. As for ages, some recent 'hacker' arrests:
Raynaldo Rivera, 20
Ryan Cleary, 19
Jake Davis, 18
Ryan Ackroyd, 25
Unnamed, 17
Unnamed UK schooboy, 16
Greek national, 16
Greek national, 17
Greek national, 18
The list goes on and on... and on. So, plenty of teens.
When you say:
And I quote your post here:
--------------------------------------------
Re: Apoplectic
That battle was lost years ago. Please move on, Rick.
------------------------------------------------------------------------------
You weren't referring to this, were you?
---------------------------------------------------------------------------
We're no strangers to love
You know the rules and so do I
A full commitment's what I'm thinking of
You wouldn't get this from any other guy
I just wanna tell you how I'm feeling
Gotta make you understand
CHORUS
Never gonna give you up,
Never gonna let you down
Never gonna run around and desert you
Never gonna make you cry,
Never gonna say goodbye
Never gonna tell a lie and hurt you
We've known each other for so long
Your heart's been aching but you're too shy to say it
Inside we both know what's been going on
We know the game and we're gonna play it
And if you ask me how I'm feeling
Don't tell me you're too blind to see (CHORUS)
CHORUSCHORUS
(Ooh give you up)
(Ooh give you up)
(Ooh) never gonna give, never gonna give
(give you up)
(Ooh) never gonna give, never gonna give
(give you up)
We've known each other for so long
Your heart's been aching but you're too shy to say it
Inside we both know what's been going on
We know the game and we're gonna play it
---------------------------------------------------------------------
If you were old chap, couldn't agree more.
No, unfortunately they also have a bad sense of humour.
They stole STOCK, AITKEN, UNT WATERMAN'S master tapes.
Unfortunate Aliens on another planet shall be rick-rolled. It shall be several centuries before they learn the technique of text-rolling. All that wil happen is another civilisation shall fall into decline. No good shall be served.
SAW's record sales shall go up. Rick shall date even more preposterously beautiful girls We shall be so jealous, some of us develop congenital diseases....
Life shall go on.
And when I wake up in the morning, I shall be greeted by this insanity before my yearning for bacon or even eggs:
Never gonna give you up (hipswing)
Never gonna let you down (hips other way)
I pray the rest of my species do not befall my fate.
(Ripley - Alien 2012)
There is only one thing left to do. And you know what I all mean.
This is what makes me proud to be human.
This why we need to punish companies (not the developers) that released shit code.
Considering how often data gets breached and how often a company is punished why would you pay decent wages for decent developers, test the code properly and take the time to do it right.
There's very little reason for so many systems to still be susceptible to SQL injection attacks.
Or stuff like Tesco sending plain text passwords. This stuff shouldn't be happening but there is no real reprecussions for producing a poor product.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
