LulzSec hacks into Bethesda Softworks accessing 200k Brink user accounts - dmix
http://pastebin.com/i5M0LB58

======
sudonim
Right at the bottom they have this link:
<http://lulzsecurity.com/releases/senate.gov.txt>

I wonder how long before they get their .com taken from them and have to flee
for another tld.

------
saulrh

> we grabbed all their source code

I'm not going to pull down that torrent, but if someone does, can you tell me
exactly what they mean by this? Did they just pirate and release the source
for a bunch of major video games? Did they grab any of the art?

~~~
patrickod
It's listed on TPB as being 15MB in size so it couldn't possibly be the source
code itself. Maybe there's a separate unlisted torrent for this?

~~~
lawnchair_larry
Source code of the website, presumably.

------
brianleb
So I just noticed this:

"Contact us: 614-LULZSEC"

A phone number? A cursory google search didn't come up with anything
informative, except that someone commented that it was a number pirated by
LulzSec with call forwarding (<http://mrnumber.com/1-614-585-9732>). I'm
certainly not going to call it myself, but I'm just curious as to what this
is, how they're using it, and what do you find on the other end. Thoughts?

<https://secure.wikimedia.org/wikipedia/en/wiki/Area_code_614>

~~~
sp332
Right now they're running a "contest". <http://twitter.com/#!/lulzsec> Call in
and say the magic word, win $1,000! I wouldn't bet on it being legit, but it
looks like fun :-)

~~~
derrida
People should check they are not charging $5/minute.

------
docgnome
I'm a little confused. "We actually like this company..." So why did they do
this? I'd think the thing to do after finding an exploit would be to notify
who has it and give them a reasonable amount of time to correct the problem. I
think I'm confused about what LulzSec is all about.

~~~
soapy_hands
They are a bunch of script kiddies with no professional ethic whatsoever. They
also try to get credit for things they haven't even done (e.g., bitcoin
temporary crash). In short, ignoring them is the right way to go. HN sucks up
to them instead and gives them exposure. Just sad, really.

~~~
huge_dong_420
Either they're incompetent script-kiddies and the fault lies with the admins
with unpatched servers, or they are competent and have access to, or have
written undisclosed exploits. There is no middle ground, and unless you have
some information that we do not, there's no reason to conclude that they are
script kiddies. Being mischievous and being intelligent are not mutually
exclusive.

~~~
jmlane
Exactly. The existence of most computer viruses is proof enough of this
statement.

------
radicaldreamer
They've also attacked the US Senate website: <http://goo.gl/Wn0eC>

You can bet that this will be used to push through draconian legislation in
the interest of "security". I wouldn't be surprised if hacking/cracking/piracy
became the new equivalent of possession in these coming decades.

~~~
blhack
The US hasn't looked kindly towards hackers since the early 1990s. This won't
change anything.

The people saying that this type of thing is going to cause an "internet
crackdown" of sorts have had their head in the sand for the last 15 years.
Doubly so for the last 5-10.

Media companies have been screaming and crying about multi-billion dollar
losses, and using all of their lobbying ability to get an "internet crackdown"
to happen.

It already has. You could argue that most of the crackers of today are a
result of it.

~~~
radicaldreamer
It's the sustained media attention that these hacks are drawing that's going
to be the catalyst for legislation.

The government's attitude has largely been static on the issue, but they need
a general population outcry to push through/rubber stamp legislation that's no
doubt already written somewhere.

~~~
blhack
And what would this legislation be? You've already got kids going to jail for
simple stuff. Look at what happened after the LOIC/Visa/Mastercard thing a few
months ago.

Even if you need to insert your drivers license to the computer in order to
access it, and every packet you send is signed with a user-specific hash, the
only people it's going to matter to are the people who aren't doing anything
wrong right now.

Cracking down is just going to create more crackers, and most of us in the
middle probably won't really notice.

------
tomjen3
Far more interesting: they hacked the US Senate:

<http://lulzsecurity.com/releases/senate.gov.txt>

~~~
woodall
Their site has been open to a lot of exploits. I tried writing my senator and
telling him... guess what, nothing.

Dear Senator Lamar:

We have exchanged ideas in the past; see the below message. I am now writing
to report a different issue. Website vulnerabilities in the Senate.Gov and
House.Gov website. I am not sure if these have been reported to the proper
person as of yet; I did email Senator Corker.

Below is a list of vulnerable urls for senate.gov

URL Redirect needs to be sanitized here:
> <http://www.senate.gov/cgi-bin/exitmsg?url=www.hackersite.com>

Here JAVA is not sanitizing input properly. There may be a chance that this
can be used to launch a larger exploit on the servers hosting the website:
> [http://www.senate.gov/artandhistory/art/common/collection_li...](http://www.senate.gov/artandhistory/art/common/collection_list/Chamber.jsp?Counter=JAVAEXPLOIT)

This is called an XSS (Cross Site Scripting) exploit. Here a person might add
malicious code to the page to do whatever the language will allow.
> [http://www.senate.gov/general/contact_information/senators_c...](http://www.senate.gov/general/contact_information/senators_cfm.cfm?OrderBy=party&Sort=%27;!--%22/%20%3E%3Cscript%3Ealert%28%22A%20malicious%20Javascript%20payload%20could%20be%20launched%20here%22%29%3C/script%3E)

Below is a list of vulnerable urls for house.gov

This link suffers the same problem as the first one posted for senate.gov; URL
redirect needs to be sanitized:
> [http://clerk.house.gov/redirect.html?title=Library+of+Congre...](http://clerk.house.gov/redirect.html?title=Library+of+Congress:+Continental+Congress&url=http://hackersite.com)

I wanted to bring this to your attention in hopes that it will be fixed. Thank
you for your time.

Sincerely,

Christopher Woodall

On 03/01/2010 04:04 PM, Correspondence_Reply@Alexander.senate.gov wrote:

> March 1, 2010
>
> Mr. Christopher Woodall
>
> Dear Christopher,
>
> Thanks for getting in touch with me and letting me know what's on your
> mind regarding identifying medical necessities of government employees.
>
> Although no legislation has been introduced in the 111th Congress
> regarding this issue, I'm always pleased to consider new ideas that will
> benefit the people of Tennessee. These are serious times, and the
> willingness of good people to get involved is very important.
> Suggestions from my constituents play an important role in determining
> what initiatives I will pursue in the Senate, and I'll be sure to
> consider the issues you've raised.
>
> Sincerely,
>
> Lamar

Looks like a few of the issues have been cleared up. I have more for
USAJobs.com and a myriad of government sites. No one listens to regular joes.
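The two bug classes in the letter above (an open redirect that accepts any value in `url=`, and a `Sort` parameter reflected into the page unescaped) are fixed by the same two habits: allowlist redirect targets by parsed hostname, and encode reflected values for the context they land in. The following is an added illustration, not senate.gov's code; the allowlist and the `senators_cfm.cfm` link template are assumptions, and the test input is the query string from the letter's XSS URL.

```python
from html import escape
from urllib.parse import quote_plus, unquote_plus, urlsplit

# Hosts a redirect endpoint such as exitmsg?url=... may send users to
# (constructed allowlist for this example; a real site lists its own partners).
ALLOWED_REDIRECT_HOSTS = {"www.senate.gov", "senate.gov", "www.loc.gov"}


def safe_redirect_target(url_param, allowed_hosts=ALLOWED_REDIRECT_HOSTS, fallback="/"):
    """Return url_param only if it points at an allowlisted host, else fallback.

    Handles the shapes a substring check misses: a bare host ("www.hackersite.com",
    as in the exitmsg link), protocol-relative "//host", userinfo tricks
    ("http://www.senate.gov@other/"), and non-http schemes.
    """
    candidate = url_param.strip().replace("\\", "/")
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate                      # same-origin relative path
    if "://" not in candidate and not candidate.startswith("//"):
        candidate = "http://" + candidate     # bare host becomes an absolute URL
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https"):
        return fallback
    if (parts.hostname or "").lower() not in allowed_hosts:
        return fallback
    return candidate


def render_sort_link(sort_value):
    """Reflect a user-supplied Sort value: URL-encode it inside href,
    HTML-escape it (quotes included) where it appears as text."""
    href = "senators_cfm.cfm?OrderBy=party&Sort=" + quote_plus(sort_value)
    return '<a href="%s">%s</a>' % (escape(href, quote=True), escape(sort_value, quote=True))


# Query string copied from the letter's senate.gov XSS example.
XSS_QUERY = ("OrderBy=party&Sort=%27;!--%22/%20%3E%3Cscript%3Ealert%28%22A%20malicious"
             "%20Javascript%20payload%20could%20be%20launched%20here%22%29%3C/script%3E")


def reflected_output_is_inert(query=XSS_QUERY):
    """True when the rendered link contains no raw tag from the Sort payload."""
    sort_value = unquote_plus(query.split("Sort=", 1)[1])   # decode as the server would
    html = render_sort_link(sort_value)
    return "<script" not in html and "</script" not in html
```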

~~~
wisty
There is a webmaster, you can contact them. Senators have no direct control
over websites like this, and are unlikely to have the faintest clue what to do
about this.

I'm not sure if they would even know what "website vulnerabilities" are.

~~~
woodall
You are correct. It is better to email their customer support or webmaster if
available. Still, many websites have horrible reporting features and even
worse response rates.

------
mcs
I was laughing with them when they were making fun of Sony, but now I'm not so
amused. :(

------
KeyBoardG
Once they get caught they are going away for a loooong time. Going after Sony
following some political fighting I get, but this is just mean. At least reveal
it privately to Bethesda to let them secure things up.

~~~
gst
I guess that depends on the country. As long as they do not "destroy" or
"maliciously manipulate" some data, charges in many countries are pretty low
(and sometimes non-existent). In addition, there are many countries that won't
extradite their own citizens.

------
sdfjkl
In the long run their actions are likely to be beneficial for both
corporations and their customers. More attention will be paid to security now
(at least for a while), instead of purely seeing it as a nuisance to spend the
minimum time/money on. And programmers/sysadmins may be made more aware of how
embarrassing it is to get owned by a local file inclusion hole. Or what that
even is, as many "Web Developers" do not.

As a customer (of Bethesda, both Sony divisions and Codemasters) I'm also being
even more careful now. I only put information into sign-up forms on a need to
know basis. If they don't need to ship me something, they don't need my
address (although sometimes this interferes with credit card validation). If
they don't need my real name (so other users can identify me, usually), they
get a fake one. And there's rarely a good reason to hand out a phone number or
birth date anymore.

In addition to this, for many years now I've been using one email address per
service, which has served me well in both identifying sites that leak/sell my
personal information (very popular after a company goes under) and easily
filtering the resulting targeted phishing/spam.

------
FeministHacker
Unfortunately for LulzSec, they lost any respect I could have had for them
when they went after 2600

(As far as I can gather, someone they were [potentially rightfully] in a
dispute with used the 2600 irc servers. Go figure...)

------
Tichy
What games did they make that require user accounts? Or is it only accounts
from support forums?

~~~
eswat
None really. While you can link the console version of Brink to your Bethesda
Account—to see your stats online—that game doesn’t require you to create an
account or provide an email or password to play it.

If they did manage to get 200k Brink accounts, I doubt most of them have any
personally-identifiable information tied to them.

------
jmlane
Did they leak any private end-user information? As much as I can tolerate
mischievous crackers violating corporate security and releasing intellectual
property, I am loath to give any praise to groups that victimize
consumers/users by violating their right to privacy. It seems thoughtless and
uncaring.

~~~
nihilocrat
They specifically said they are not leaking all of the juicy user data they
found.

It's nice that they did that, but it's kind of like breaking into your house
and stealing everything except your Rolodex because, well, that would be a
dick thing to do.

~~~
jmlane
Not really a great analogy: unless you are employees or shareholders, it's not
really your "house". If you are a dedicated customer, you may be more invested
in the welfare of the company than most customers, who mostly just care about
their personal interests (products or services they've paid for and any
personal information that company keeps on record).

I tried to cook up a comic store analogy where the loyal customer is more
concerned about their orders and personal contact info being stolen than the
merchandise of their favourite shop, but that analogy ignored the fact that
what LulzSec did to Bethesda is essentially the following: making copies of
the shop's inventory manifest, latest promotional program, and names of
customers in a Rolodex, and then publishing all that info online (or in a
local comic hobbyist newsletter). Other than the loss of potential business and
the trust of their customers, are the owners and employees likely to suffer as
a result of this break-in? I tend to think that lost business will be minor,
especially if customer privacy and interests are not noticeably compromised by
the break-in.

Not trying to start a morality debate (unless that's welcome here?). I just
wanted to point out why I tend to see "black hat security audits" as generally
to the victims' benefit, when individuals aren't likely to suffer as a direct
result. In the reality of my above analogy, the comic shop is likely going to
invest in better security after this kind of break in, which is a positive
outcome for the business and the customers. Only the very paranoid or
"security minded" customers will choose to take their business elsewhere after
the break-in, which likely amounts to very little lost business to the shop.

------
cookiecaper
I hope all of these attacks are the push that people need to finally start
taking public-key cryptography seriously.

~~~
recoiledsnake
What has this got to do with public-key cryptography?

~~~
cookiecaper
Properly implemented pub-key crypto would make it so much of the loot from
these attacks was unreadable. Of course, if people store unencrypted secret
keys on vulnerable servers, or just use one key to encrypt for everyone in the
company, or something like that, it's not that useful.

------
nvictor
the pirates of this decade...

------
shareme
Can we pay these guys to go after China's hackers?

The fireworks would be epic :)

~~~
JabavuAdams
I don't think a bunch of hotshot crackers are prepared to play at the nation-
state level.

It's all fun and games until someone decides it's just easier to kill you.

~~~
shareme
but then the state actors, in the act of that attempt, uncloak themselves...
which is what the CIA, MIA, etc. want..

~~~
siculars
are you sure about that?

------
suking
These guys are on a rampage.

------
int3rnaut
Without getting into politics, the letter itself is very
humorous...lulzboat... lol.

I can't help but think what a much better world this would be if every
objectionable act was handled in such a way.