
LulzSec supposedly claims its biggest coup yet: The entire UK 2011 Census - mopoke
http://thenextweb.com/industry/2011/06/21/lulzsec-supposedly-claims-its-biggest-coup-yet-the-entire-uk-2011-census/
======
BasDirks
LulzSec The Lulz Boat

 _Oh well, just because we want to waste government and local authority
investigation time: we hacked every website in the world. Enjoy!_

11 minutes ago

LulzSec The Lulz Boat

 _I'm not seeing "we hacked the UK census" on our twitter feed or website...
why does the media believe we hacked the UK census? #confusion_

13 minutes ago

LulzSec The Lulz Boat

 _Not sure we claimed to hack the UK census or where that rumour started, but
we assume it's because people are stupider than you and I._

~~~
Peroni
LulzSec The Lulz Boat

 _Just saw the pastebin of the UK census hack. That wasn't us - don't believe
fake LulzSec releases unless we put out a tweet first._

~~~
Feinux
hi Lulzer, nice to hear your voices, :)

------
someone13
According to their Twitter, they haven't hacked the Census. Seems like someone
was spreading false information...

See:

<https://twitter.com/#!/LulzSec/status/83168314527981568>

<https://twitter.com/#!/LulzSec/status/83167715799470080>

EDIT:

Those tweets were deleted. Here's the official word:

"Just saw the pastebin of the UK census hack. That wasn't us - don't believe
fake LulzSec releases unless we put out a tweet first."

<https://twitter.com/#!/LulzSec/status/83172089711964161>

~~~
joejohnson
When you post a tweet, how much information does twitter have about you? An IP
address, what platform you use, etc.

I'm just curious, because Lulzsec posts frequently and I wonder if law
enforcement could subpoena twitter in attempts to catch these people.

~~~
qF
During the 'hunt' for Wikileaks the U.S. has subpoenaed Twitter for info about
supposed supporters.[1] In the case of Lulzsec this will have very little use
though, as they use VPNs to hide their IP [2].

[1] <http://www.wired.com/threatlevel/2011/01/twitter/>

[2] <http://lulzsecexposed.blogspot.com/2011/06/scared-puppies.html>

~~~
trotsky
_they use VPN's to hide their IP_

The FBI routinely uses software exploits to install something called CIPAV on
the remote client computer to retrieve forensics data and negate the effect of
proxies, vpns, tor, etc.

<http://www.wired.com/threatlevel/2007/07/fbi-spyware-how/>

Twitter almost assuredly has the ability to push a custom iframe or similar
based on who is logged on to support these kinds of government payloads. In
the case the Wired article references, MySpace directly assisted.

Surely being more security paranoid than usual should make it harder for an
attack like this to succeed, but if the feds get pissed enough it's not
unthinkable that they could get access to a targeted zero day to use.

~~~
kl4m
It's pretty much useless if the tunnel is on another machine and/or it's
firewalled properly.

------
ElliotH
Given LulzSec seems to post their hacks on twitter, that there's no way of
validating who posted the PasteBin item and that the Office of National
Statistics hasn't reported the loss, it's probably best to wait and see
something a little more convincing.

~~~
m4tt
I wrote the article and have been trying to trace the authenticity of the
release. I am still waiting to hear back from the Office of National
Statistics, which at the time were unaware of who LulzSec even were.

I contacted them a little over two hours ago, I haven't received a response,
yet.

~~~
ErrantX
Knowing a little of the internals of ONS...

It may take them a while to figure out what a "computer" is and how it might
be "hacked". You could be waiting some time :)

ahem.

~~~
m4tt
Just got off the phone to them. Issuing a statement very soon. Will update
both the article and on HN.

~~~
m4tt
In related news, the "Mastermind" behind LulzSec has been arrested:
<http://thenextweb.com/industry/2011/06/21/suspected-lulzsec-mastermind-arrested/>

------
click170
This whole escalating security situation has me thinking that IT security is
heading down the same path as the War On Drugs. I wonder if ten or twenty
years from now we'll see petitions to legalize hacking tools after we see a
resurgence in security breaches following the criminalization of "hacking
tools"...

------
antihero
If this is true then I am suing Lockheed Martin under the Data Protection Act.

~~~
estel
There's jurisdiction for that?

~~~
eftpotrm
If their servers have been compromised to leak the data, should be. They ran
the survey and UK and European data protection law makes data leaks the
responsibility of the data holder.

~~~
sunchild
They were one of the first companies to admit that the RSA SecurID exploit
compromised them over the past months, too.

Link to story: <http://www.networkworld.com/news/2011/052611-lockheed-martin-outage.html>

------
khafra
I'm leaning toward "hoax." Lulzsec has been reasonably competent writers so
far, and the bizarre placement of "blissfully" makes that either incompetent
or some kind of steganography. That, added to the lack of tweet, makes me
doubt.

Of course, it could still be some anon who actually does have the census data,
and considers himself lulzsec-affiliated.

~~~
StavrosK
Why can't anyone bother to sign their press releases, it's not like it's the
60s.

~~~
MiguelHudnandez
Plausible deniability? (assuming you meant to cryptographically sign the press
releases.)

~~~
StavrosK
Hmm, good point.

------
Peroni
If true, this will be a _massive_ coup and regardless of how they obtained the
records, LulzSec will get all of the significant negative attention they so
badly crave.

I submitted my census info via the online form and given the amount of detail
I included I would be terrified if that info was leaked.

~~~
shubble
Imagining that the release is true, this will do strange things for pay
bargaining. Imagine if you could look up your colleagues before asking for a
rise? On the other hand, I don't recall anything really horrific on that form.
Enough data to steal my identity and take out a mortgage in my name, yes.
Enough to embarrass me? no...

~~~
Peroni
There may not be anything in there to embarrass me but there is unequivocally
enough in there for someone to steal my identity and ruin a credit rating I've
been working extremely hard to build over the last three years.

~~~
mariuskempe
What info from the census would enable someone to steal an identity? From the
looks of it there's only DoB and address in terms of personal info...

~~~
Peroni
Children's names & DoB, previous addresses, employment status, national
insurance number. That info alone is enough for someone experienced to do
damage.

~~~
jules
Isn't that info relatively easy to obtain from most people anyway? Not on such
a large scale of course.

~~~
pbhjpbhj
You can obtain that sort of info, by dumpster diving say, but not in anything
like the scale.

Imagine that you can get this info and a pretty good idea of salary and
lifestyle by running a db search in a few seconds. You can easily focus your
attention on the most lucrative propositions and get info from even those that
are careful to not put such info out there. Census completion is a legal
requirement, everyone should be on one.

------
patrickod
So what's the worst possible outcome here in terms of the UK government's
reactions? Fast-tracked arcane legislation to make security tools illegal like
they are in .de ? Broadening the terms of hacking and increasing the legal
penalties? If LulzSec aren't trolling the world and they do indeed have these
records I would imagine there is going to be one hell of a shitstorm in the
coming weeks.

~~~
crocowhile
It would be just another excuse to get the Internet ID implemented. MAFIAA has
been pushing for Internet ID for years now and a number of politicians are
in favour. Must admit that every time I read about the latest LulzSec activity
I cannot help but think that MAFIAA is behind all this.

~~~
mike-cardwell
I'd say the opposite will happen. The government will not be able to set up
anything which requires a massive secure database for quite a few years. Every
time they claim they can set up a secure database, the 2011 census leak will
be brought up.

------
justincormack
This was the first census where you could submit details online. I wonder if
it was these records? Would be surprised if they had even finished scanning
the paper ones yet, but the UK government's security record is not good. They
contracted it to Lockheed Martin, who also do the US census, so presumably
reused the software?

~~~
crocowhile
LM was penetrated a few days before census day. Maybe they left some back doors?
<http://www.ibtimes.com/articles/154078/20110529/lockheed-martin-cyber-attack.htm>

------
pedrokost
With the amount of hacking that is flooding the news recently, I would like to
learn about database security. What are some good books/tutorials/videos on
how to make databases more secure?

~~~
tomp
I believe that most databases are secure, especially the open source ones.

What you should be careful about is the things surrounding the database: the
.php files (or whatever) that read/write the database, and the system it is
running on.

Basic security practice for the web: NEVER trust user input: check and recheck
all the GET/POST variables, check that numbers are numbers, that strings are
correct strings (they have no funny characters, such as " or ; (for databases)
or <>"&' (for HTML) or . (for paths)). Check all input into the databases (to
prevent SQL injections) and all output to the user (for XSS).

Basic security practice for sysadmins: Use up-to-date OS and software. Use
strong passwords. Almost never run root. Make remote access hard.

This seems easy, and for the most part, it is. It's just that there are so many
things that people forget to check them all.

~~~
pornel
Yes, let's secure our databases against O'Reillys and AT&Ts submitting their
funny names! <g>

It's not characters that get you, it's lack of escaping or escaping for the
wrong context (e.g. magic_quotes won't work for HTML)

• For SQL use prepared statements _exclusively_ (never let "oh, it's just a
number so I don't need to" fool you)

• Escaping doesn't differ between "trusted" and "untrusted" data (and these
boundaries are too easy to break eventually).

Just escape _everything_, _always_. In PHP it means every `echo $var` is a
likely vulnerability and `echo htmlspecialchars($var, ENT_QUOTES)` (in HTML
except script) or `json_encode($var)` (in script) is a _must_.

Obviously, you should do defense in depth, so input validation is great and
some filtering just-in-case may be warranted, but escaping alone (assuming
done well) is sufficient for security, while filtering alone is not.

~~~
fendale
> For SQL use prepared statements exclusively (never let "oh, it's just a
> number so I don't need to" fool you)

I cannot vote this up enough. Also, depending on what database you are using
(eg Oracle) if you don't use prepared statements (aka bind variables) you are
guaranteed to kill your DB performance.

People have argued with me in the past that for things like sorting the data
they cannot use bind variables. In that case, use the user input to select
which safe string to use, eg:

    
    # map the untrusted sort key onto a fixed, known-safe ORDER BY string
    def sort_clause(user_select_sort)
      if user_select_sort == 'by_account_num'
        return 'order by account_num asc'
      elsif user_select_sort == 'by_transaction_date'
        return 'order by transaction_date'
      else
        return ''
      end
    end
    

Then if someone sends in something tricky, it will just order wrong.

~~~
tomp
The way I write software, such values of user_select_sort would never even be
possible... It's much slower to compare strings than to compare numbers, and
passing long descriptive values that are actually booleans or short enums is
just a waste of bandwidth (assuming they are passed as GET/POST variables).

Why not just pass numbers instead?

~~~
fendale
Numbers or strings wasn't the point really. You can do 'order by 1' or 'order
by 2' in SQL to order by the first or second selected col etc, but if you used
the number passed directly from the user in the SQL statement, you are
open to SQL injection. Feel free to use the number in a case statement to
select the order by string to concat into your SQL however.
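fendale's allowlisted ORDER BY next to a bound parameter for the filter, as an added Python/sqlite3 example that is not code from the thread; the `transactions` table, its rows and the `SORT_CLAUSES` map are constructed for the demo, and the integer keys cover the number-plus-case-statement variant from the reply above.

```python
import sqlite3

# Constructed allowlist: the only ORDER BY text that can ever reach the SQL string.
# Descriptive keys follow fendale's snippet; the integer keys cover the variant
# where the client sends a number and a case statement picks the clause.
SORT_CLAUSES = {
    "by_account_num": "ORDER BY account_num ASC",
    "by_transaction_date": "ORDER BY transaction_date",
    1: "ORDER BY account_num ASC",
    2: "ORDER BY transaction_date",
}


def sort_clause(user_select_sort) -> str:
    """Map an untrusted sort key onto a fixed clause.

    Unknown or tricky values fall through to '' (no ORDER BY), so at worst the
    result is ordered wrong; the input itself is never concatenated into SQL."""
    if isinstance(user_select_sort, str) and user_select_sort.isdigit():
        user_select_sort = int(user_select_sort)
    return SORT_CLAUSES.get(user_select_sort, "")


def fetch_transactions(conn: sqlite3.Connection, account_num, user_select_sort) -> list:
    """Filter value is a bound parameter (?); ORDER BY comes only from the allowlist."""
    sql = ("SELECT account_num, transaction_date, amount FROM transactions "
           "WHERE account_num = ? " + sort_clause(user_select_sort))
    return conn.execute(sql, (account_num,)).fetchall()


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions "
                 "(account_num INTEGER, transaction_date TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", [
        (1001, "2011-06-21", 50),
        (1001, "2011-06-01", 20),
        (1002, "2011-06-10", 75),
    ])
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    """Sanity check that the table survived whatever the caller sent."""
    return conn.execute("SELECT count(*) FROM transactions").fetchone()[0]


if __name__ == "__main__":
    db = demo_db()
    print(fetch_transactions(db, 1001, "by_transaction_date"))
    print(fetch_transactions(db, 1001, "2"))
    # A tricky sort key just loses its ordering; a tricky filter value stays data
    # (bound as text, it matches no integer account number) and the table is intact.
    print(fetch_transactions(db, 1001, "account_num; DROP TABLE transactions"))
    print(fetch_transactions(db, "1001 OR 1=1", 1), row_count(db))
```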

------
Simon_M
I wonder if they are using the same (undocumented) exploit for each of these
attacks.

I am certainly no expert in this field, but I would have thought discovering
new exploits and security holes would take time, yet these guys are hitting
several major sites a week.

~~~
mike-cardwell
From what I understand, their main tool is simple SQL injection.

Most websites seem to have at least one XSS or SQL injection hole. Nearly all
have CSRF flaws.

~~~
wisty
Still, census data should _not_ be accessible from a public facing web site.
That's just amateur hour. You should really assume that anything with a POST
form is vulnerable.

~~~
mike-cardwell
Agreed. Any submitted data should have been immediately encrypted with a
public key whose companion private key was stored offline. It should have then
been immediately transferred to a secondary box which was set up with a single
function of accepting and storing the data. I.e. a box which you can't query
over the network for data.

As soon as the census closed, the relevant boxes should have been taken
offline. The data moved to a "secure" location, and the original boxes wiped
and destroyed.

Considering the data that was being collected, I don't think this is overkill.

~~~
crocowhile
For those who are interested, these are the questions:
<http://www.ons.gov.uk/census/2011-census/2011-census-questionnaire-content/2011-census-questions---england.pdf>

------
binarymax
So, after I was strongarmed into filling out the damn thing, now all my
identity data is in the wild. I will be joining in a suit of Lockheed if this
is true.

~~~
arethuza
There is already a guide on how to take a case under the Data Protection Act:

<http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/taking_a_case_to_court.pdf>

------
mike-cardwell
There'll be some interesting mashups if this is true.

------
crocowhile
I don't like where this is going.

~~~
beseku
What's worrying about the apparent proliferation of security breaches like this
is that as the attacks get more sophisticated, so do the prevention methods.
This could get to the point whereby the skill level required to protect an
application or server goes way higher than the skill level of many developers.

The result being that independent development is impossible as you would need
to hire ever more expensive security consultants for anything that stores
data.

~~~
zwp
I understand your point (it is potentially true for more than just the
security domain of application development) but I think your premise in this
case is false. SQLI (XSS, CSRF, ...) attacks are neither sophisticated nor
new. SQLI has been known since at least _1998_ (Phrack 54).

SQLI protection at least should be abstracted away from the developer's
concerns by use of default parametrized queries. Technical difficulty is not
the problem here.

------
acron0
Head of the hydra and all that....

<https://twitter.com/#!/LulzSec/status/83164092998758400>

------
drtse4
"Biggest" only for the media coverage this could get, I would not be surprised
if they had exploited a common vulnerability. At least when we are discussing
publicly accessible sites, "security-illiterate" is the perfect
definition for these government agencies (and the external companies that
realize the sites they need).

Will this kind of thing make the general public at least a bit more security
conscious?

------
iamichi
What pissed me off was that it is a legal requirement to complete the census
(<http://en.wikipedia.org/wiki/United_Kingdom_Census_2011#Operation>),
so everyone's personal details are in the database, which if stolen is an
identity thief's dream load.

------
InclinedPlane
It appears that LulzSec isn't directly responsible for this. Although, since
they called for the hacking of every government agency in the world with their
"anti-sec" call to arms it's a bit disingenuous for them to rock back on their
heels in shock and confusion.

------
JackWebbHeller
Scotland Yard press release: They have confirmed his arrest.

<http://content.met.police.uk/News/eCrime-unit-arrest-man/1260269113895/1257246745756>

------
evolution
LulzSec just confirmed this is a rumor on their twitter account
<http://twitter.com/#!/LulzSec/status/83167715799470080>

------
retube
They're going to piss a lot of people off if they do this. Like every single
UK citizen.

Exposing security flaws and embarrassing govt is one thing, but to put
unredacted personal data online is quite another.

~~~
rwmj
_If_ this is true (and it seems it's probably not) then the people to get
angry with are the UK government and their contractors Lockheed-Martin. WTF
are we using a US-based company for anyway?

~~~
estel
Presumably they put it out for tender and got the best package that they
could.

Isn't that what we'd expect a Government to do? Tender jobs out to the private
sector and choose the provider that offers the best value for money?

It's not as if Lockheed Martin are a particularly insecure or untrustworthy
company to hold private data.

~~~
chrisjsmith
LM have a terrible reputation. Google around.

~~~
rlpb
Is there any Government IT contractor that doesn't have a terrible reputation?

Government contracts are a pain to do. Most of the work is in jumping through
hoops rather than actually doing the work. Most (all?) competent companies
avoid Government work for this reason, making it very difficult to get any
Government IT work done well.

~~~
chrisjsmith
That is a fair point.

I've always thought that the government should have their own IT agency. The
NHS would do well to fire all the paid up consultants and commercial software
and start a Google-style technology cooperative and share their results to
other agencies. The NHS has the biggest IT problem of all and with the right
minds on the job we'd have massive progress in the organisation and some
serious advances in computer science to boot.

------
thomasknowles
Apparently it's fake:

<http://twitter.com/#!/LulzSec/status/83168314527981568>

------
arn
of interest [edit, arrest link below]:

<http://twitter.com/#!/channel4news/status/83129762142363649>

 _19-year-old suspected of being mastermind behind computer hacking group
LulzSec arrested in Wickford, Essex. #c4news_

~~~
ZeroMinx
It's on the Met Police site - <http://content.met.police.uk/News/eCrime-unit-arrest-man/1260269113895/1257246745756>

~~~
JonnieCache
_"The PCeU was assisted by officers from Essex Police and have been working in
co-operation with the FBI."_

------
cabalamat
Anyone can _claim_ to have the census data; I won't believe this until they
release it.

------
Andrew_Quentin
Such a shame.

Anonymous had a lot of support for their attacks on Mastercard et al. People,
not just the programmers demographic, were seeing them as civil disobedience
through the internet and hailing them for taking a right cause, namely against
dirty, probably unconstitutional, certainly unethical attacks on wikileaks by
numerous powerful groups.

What's more, anonymous was seen as more powerful than such groups on the
internet arena. It was felt that such powerful groups would thus think twice
and know that they are against probably smarter people, perhaps even their own
employees. Alas, like actual physical protests, they did not manage to change
much. Wikileaks has almost been forgotten now. Julian has gone quiet. The
organisation itself seems to have become divided and disorganised. They
possibly are buying time. But the powers that be have shown us that they have
the resources, are willing to play, publicly, dirty tricks, and can even
withstand a public opinion quite strongly against them.

Julian has been given some outstanding honour in journalism. He might even win
the Peace prize for what some say was the effect of wikileaks on bringing
about the Arab Spring. That may show that there are many powerful avenues to
resist and/or push back the powers that be.

All of that is being undermined for no apparent reason whatever. Although
LulzSec might be trying to send a signal to the powers that be. We are stronger.
We are smarter. You need to know that before thinking again about doing dirty
tricks. They don't seem to be able or willing to choose their targets well to
send such a message. Showing that you can for example steal the census data in
order to increase the security of organisations which deal with our data is
like a man showing that he can steal a car by so breaking into the car and
stealing it.

We can all commit crimes. We choose not to for very good reasons. Some things
can not be fortified and turned into castles. And even castles can be brought
down.

So the ultimate effect is that anonymous is painted with the same brush. As
petty criminals bringing havoc into the streets of the neighbourhood by
breaking car windows to show us that they can so break car windows.

For now, anonymous still has the upper moral ground. That is for now. By for
now I mean for the next few days or weeks. The report for example that a
member of lulzsec has been arrested who has connections with anonymous helps
tremendously in blurring the lines between anonymous and LulzSec.

The blurring means nothing more nor less than the excuse and the swaying of
the public opinion that the powers that be need to go after anonymous and send
a clear signal. You may be smarter but we have more resources and more avenues
and the consequences you face are much greater.

The biggest signal that the powers that be may send however is that they are
able to control the public opinion by playing tricks. I think we all remember
how last year we were talking about how the powers that be are going to deal
with wikileaks. The conversations that were had here on hackernews are
probably still accessible through searching. Killing him seemed to be the most
mentioned option, but quickly refuted by others. Now, it may be a strong
statement to make seeing as I have no evidence whatever, but the information
that did come out in regards to the two women, the fact that Assange is still
here in Britain almost a year after, that he is actually free, suggests that
tainting him with rape accusations was their choice. As we are seeing, it
seems to have worked.

Equally, I do not know who LulzSec is. They have no motive, no reason, to do
what they are doing. They are intelligent. Thus I doubt they would risk years
in prison to just show that they can break a car. People do not tend to do
things for no reason, especially if there are great consequences.

There is no laughter to be had of say having access to a lot of information of
Sony users. Nor is there any lulz in having say the information of the
census.

I therefore think that there is a probability that Mastercard, Visa, Bank of
America et al got quite pissed off from anonymous' attacks, but unable to do
anything because of the strong public support that anonymous had, thought
creatively and went for the blurring of the lines between common thieves and
civil disobedience.

That is one possibility. Probably the more likely possibility. Sophos for
example seems to be salivating every time LulzSec does something.

The other option, that they are kids, being stupid, like most teenagers at
times, confused, rebellious, is a possibility but unlikely. They probably know
full well that gaining such a high profile while not having any public
support or even having the public against them means that they will crash down
painfully to the bottom and remain there for years and years.

I'll finally finish this quite long comment by stating that if lulzsec is
anything else than affiliated or corrupted, then they should know that they
are tainting ideals with petty crimes.

~~~
mquander
Give me a break. There are no ideals, and it's not a conspiracy. It's just a
bunch of trolls on summer vacation. They are doing it because they don't
really care to consider consequences when they choose to do something. Mystery
solved by Occam's Razor.

If you didn't know that lots of people like to do mean, pointless things all
day for no reason, then welcome to 4chan, you may or may not enjoy your stay.

~~~
klenwell
_There are no ideals, and it's not a conspiracy._

That's the impression I have of a lot of contemporary political and business
interests: "There are no ideals, and it's not a conspiracy. It's just
business." Some do it for the lulz. Some do it for the bottom line.

LulzSec's tactics may be callous or juvenile, but they also somehow see a
fitting expression for some of the inchoate disenchantment that I feel. When I
pause to consider that I'm doing pretty well, all things considered, I can
imagine the deeper chord they strike with others.

~~~
trotsky
_but they also somehow see a fitting expression for some of the inchoate
disenchantment that I feel._

I've been curious about this feeling as it certainly seems to me that you're
not alone. What is it that they've done that makes them hit a chord with you?
What I see when I look at lulzsec is mostly behavior that hurts a random
collection of common people - like dropping emails, hashes, personal info of
people who just happened to be unlucky enough to make an account with one of
their many targets. Or DDOS on small indie software developers to prevent
their customers from playing their games for a bit. Are you disenchanted with
gamers and people who sign up for a book forum and such?

I totally understand the appeal of the Anonymous DDOS's and HB Gary hack for
example, so the whole thing isn't lost on me. But I just find lulzsec idiotic
and grating.

~~~
klenwell
_What is it that they've done that makes them hit a chord with you?_

As an American, I have a demoralizing sense that the country has given up on
doing great things and, more specifically, turned its back on underdogs. I
could make a more detailed case, starting with my view of human nature and
extending to the latest Supreme Court decisions and the drivel I see nosing
around Twitter and Facebook, but that would be sort of beside the point here.

Why gamers and book forum readers? I don't have anything against them
personally and I agree there are probably more suitable targets. At the same
time, obsessive game-players and score-keeping book-readers offer an obvious
illustration for the kind of obliviousness and escapism that I can find
symptomatic of larger social problems.

I suspect Lulzsec owes part of its style to The Joker from the last Batman
movie. Remember that scene when the Joker lights the pile of money on fire? I
agree Anonymous is a more constructive example of civil disobedience. But
Lulzsec, in its aimlessness, may be the more potent symbol. I see it as a form
of satire as much as anything.

Would my attitude change if, say, they deleted my gmail account?
Probably. But then maybe there would be something constructive in that, too.

~~~
trotsky
Thanks for taking the time to respond.

I was thinking of saying something along the lines of I'd be surprised if they
view their own actions so introspectively. Perhaps comparing it to the classic
English teacher interpreting meaning behind a work for the class that the
author never intended.

But I suppose it really doesn't matter - if people get something from a work
it really makes no difference if the intent was there with the creation.

~~~
klenwell
I agree. I expect their actions are not introspective but reactionary.
Nevertheless, I think there's a logic behind them consistent with the sort
explored by behavioral economists.

