During the 'hunt' for Wikileaks the U.S. has subpoenaed Twitter for info about supposed supporters. In the case of Lulzsec this will have very little use though, as they use VPNs to hide their IP.
Twitter almost assuredly has the ability to push a custom iframe or similar based on who is logged on to support these kinds of government payloads. In the case the Wired article references, MySpace directly assisted.
Surely being more security paranoid than usual should make it harder for an attack like this to succeed, but if the feds get pissed enough it's not unthinkable that they could get access to a targeted zero day to use.
It's no secret that the @lulzsec account is controlled by former Anonymous spokesperson Topiary (http://twitter.com/atopiary), whose identity is not publicly known, though it has been anonymously claimed that he or she is Daniel Ackerman Sandberg.
Given LulzSec seems to post their hacks on Twitter, that there's no way of validating who posted the PasteBin item and that the Office of National Statistics hasn't reported the loss, it's probably best to wait and see something a little more convincing.
I wrote the article and have been trying to trace the authenticity of the release. I am still waiting to hear back from the Office of National Statistics, which at the time were unaware of who LulzSec even were.
I contacted them a little over two hours ago, I haven't received a response, yet.
It also has the Bethesda and US Senate links in the end, making this look more like a copy-paste of an older release. This is inconclusive though, since the real LulzSec might copy-paste from an older release to get all the ASCII art.
I've wondered how many individuals and groups out there post things in the name of other security groups to distract attention from (or direct it toward) themselves. Maybe everyone should start signing their releases with a private key.
They are mentioning something they've got though, in similar language to the pastebin. I think it unlikely they'd have managed to acquire the full census, but I think it's probably quite possible they've got ones submitted online.
We are aware of the suggestion that census data has been accessed. We are working with our security advisers and contractors to establish whether there is any substance to this. The 2011 Census places the highest priority on maintaining the security of personal data. At this stage we have no evidence to suggest that any such compromise has occurred.
This whole escalating security situation has me thinking that IT security is heading down the same path as the War On Drugs.
I wonder if ten or twenty years from now we'll see petitions to legalize hacking tools after we see a resurgence in security breaches following the criminalization of "hacking tools"...
US companies can store data from EU countries if they comply with the "Safe Harbour" principles. Organisations can self-certify and as yet no company has been challenged as failing to meet the guidelines.
Why would jurisdiction enter into someone in the UK suing the company that processed the UK census data? Their data. I don't know if antihero is in the UK, but if they aren't, people in the UK should do it instead. I am disturbed that my data could leak like this.
As you would expect, there is a legal entity for Lockheed Martin in the UK. Unless there is some crazy immunity for companies working on government contracts (which wouldn't surprise me) I don't see why they couldn't be sued.
I'm leaning toward "hoax." Lulzsec has been reasonably competent writers so far, and the bizarre placement of "blissfully" makes that either incompetent or some kind of steganography. That, added to the lack of tweet, makes me doubt.
Of course, it could still be some anon who actually does have the census data, and considers himself lulzsec-affiliated.
Imagining that the release is true, this will do strange things for pay bargaining. Imagine if you could look up your colleagues before asking for a rise?
On the other hand, I don't recall anything really horrific on that form. Enough data to steal my identity and take out a mortgage in my name, yes. Enough to embarrass me? no...
There may not be anything in there to embarrass me, but there is unequivocally enough in there for someone to steal my identity and ruin a credit rating I've been working extremely hard to build over the last three years.
You can obtain that sort of info, by dumpster diving say, but not in anything like the scale.
Imagine that you can get this info and a pretty good idea of salary and lifestyle by running a db search in a few seconds. You can easily focus your attention on the most lucrative propositions and get info from even those that are careful to not put such info out there. Census completion is a legal requirement, everyone should be on one.
It did ask for the household annual income. It also asks for the job title of the various householders so with a small bit of market info you could easily discern who earns what. Regardless, salary info would be the least of my concerns.
So what's the worst possible outcome here in terms of the UK government's reactions? Fast-tracked arcane legislation to make security tools illegal like they are in .de? Broadening the terms of hacking and increasing the legal penalties? If LulzSec aren't trolling the world and they do indeed have these records I would imagine there is going to be one hell of a shitstorm in the coming weeks.
It would be just another excuse to get the Internet ID implemented. MAFIAA has been pushing for Internet ID for years now and a number of politicians are in favour. Must admit that every time I read about the latest LulzSec activity I cannot help but think that MAFIAA is behind all this.
I'd say the opposite will happen. The government will not be able to set up anything which requires a massive secure database for quite a few years. Every time they claim they can set up a secure database, the 2011 census leak will be brought up.
This was the first census where you could submit details online. I wonder if it was these records? I would be surprised if they had even finished scanning the paper ones yet, but the UK government's security record is not good. They contracted it to Lockheed Martin, who also do the US census, so presumably reused the software?
I believe that most databases are secure, especially the open source ones.
What you should be careful about is the things surrounding the database: the .php files (or whatever) that read/write the database, and the system it is running on.
Basic security practice for the web: NEVER trust user input: check and recheck all the GET/POST variables, check that numbers are numbers, that strings are correct strings (they have no funny characters, such as " or ; (for databases) or <>"&' (for HTML) or . (for paths)). Check all input into the databases (to prevent SQL injections) and all output to the user (for XSS).
Basic security practice for sysadmins: Use up-to-date OS and software. Use strong passwords. Almost never run root. Make remote access hard.
This seems easy, and for the most part, it is. It's just so many things that people forget to check for them all.
Yes, let's secure our databases against O'Reillys and AT&Ts submitting their funny names! <g>
It's not characters that get you, it's lack of escaping or escaping for the wrong context (e.g. magic_quotes won't work for HTML).
• For SQL use prepared statements exclusively (never let "oh, it's just a number so I don't need to" fool you)
• Escaping doesn't differ between "trusted" and "untrusted" data (and these boundaries are too easy to break eventually).
Just escape everything, always. In PHP it means every `echo $var` is a likely vulnerability and `echo htmlspecialchars($var, ENT_QUOTES)` (in HTML except script) or `json_encode($var)` (in script) is a must.
Obviously, you should do defense in depth, so input validation is great and some filtering just-in-case may be warranted, but escaping alone (assuming done well) is sufficient for security, while filtering alone is not.
The way I write software, such values of user_select_sort would never even be possible... It's much slower to compare strings than to compare numbers, and passing long descriptive values that are actually booleans or short enums is just a waste of bandwidth (assuming they are passed as GET/POST variables).
Numbers or strings wasn't the point really. You can do 'order by 1' or 'order by 2' in SQL to order by the first or second selected column etc., but if you used the number passed directly from the user in the SQL statement, you are open to SQL injection. Feel free to use the number in a case statement to select the order-by string to concat into your SQL, however.
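The points made above about prepared statements, escaping per output context, and the 'order by 1' case where the sort column cannot be a bind parameter, worked through in Python with sqlite3. This is an added example, not code from anyone in the thread; the table, the sample rows and the SORT_COLUMNS mapping are constructed for the demo.

```python
"""Added example: bind parameters for values, a fixed lookup table for the
ORDER BY column, and separate escaping for HTML and script contexts."""
import html
import json
import sqlite3

# Constructed sample rows; the "funny" names are the ones the thread jokes about.
SAMPLE_USERS = [
    (1, "O'Reilly", "Cork"),
    (2, "AT&T <Enterprise>", "Dallas"),
    (3, "Smith", "Leeds"),
]

# A user-supplied "1", "2" or "3" selects the ORDER BY column through this
# table (the "case statement" approach from the comment above); the value
# itself never reaches the SQL text, so it cannot be abused.
SORT_COLUMNS = {"1": "id", "2": "name", "3": "city"}


def open_db() -> sqlite3.Connection:
    """In-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_users(conn: sqlite3.Connection, city: str, sort_key: str) -> list:
    """Return rows for one city, sorted by a whitelisted column.

    `city` is a bind parameter, so any quoting in it is data, not SQL.
    `sort_key` is only used as a dictionary key; unknown keys are rejected
    rather than concatenated into the statement.
    """
    try:
        column = SORT_COLUMNS[sort_key]
    except KeyError:
        raise ValueError(f"unsupported sort key: {sort_key!r}") from None
    sql = f"SELECT id, name, city FROM users WHERE city = ? ORDER BY {column}"
    return conn.execute(sql, (city,)).fetchall()


def render_html_cell(name: str) -> str:
    """HTML body/attribute context: escape <, >, &, " and ' (the Python
    analogue of htmlspecialchars($var, ENT_QUOTES) mentioned above)."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def render_script_value(name: str) -> str:
    """Inline-script context: emit a JSON string literal (like json_encode).
    '</' is additionally written as '<\\/' (still valid JSON) so the value
    cannot close the surrounding <script> element."""
    return json.dumps(name).replace("</", "<\\/")


if __name__ == "__main__":
    db = open_db()
    for row in find_users(db, "Cork", "2"):
        print(render_html_cell(row[1]), render_script_value(row[1]))
```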
Well, yes, but only when your data is skewed in general. Tom Kyte gives a 1-2 hour presentation about bind variables, bind variable peeking, overbinding, SQL injection, parsing etc. - great stuff if you are an Oracle guy and can get to one of his seminars.
Actually, it's not easy. It's incredibly difficult to have a webapp with a wide range of functionality that doesn't leak data to SQL injections. There's plenty of stuff that can get past the precautions you listed, although pornel is closer to the mark.
Another obvious weak point is not controlling access to copies of production databases. Developers getting access to copies of production databases full of personal info is terrifying, and yet not uncommon.
Agreed. Any submitted data should have been immediately encrypted with a public key whose companion private key was stored offline. It should have then been immediately transferred to a secondary box which was set up with a single function of accepting and storing the data, i.e. a box which you can't query over the network for data.
As soon as the census closed, the relevant boxes should have been taken offline. The data moved to a "secure" location, and the original boxes wiped and destroyed.
Considering the data that was being collected, I don't think this is overkill.
Well, it's got to go in somehow. Perhaps a facade that exposes only prepared-statement procs could have prevented this, but equally perhaps they exploited the facade, the transport mechanism to the facade, the DB driver... who knows. What is known is that there's a path, however narrow.
What's worrying about the apparent proliferation of security breaches like this is that as the attacks get more sophisticated, so do the prevention methods. This could get to the point whereby the skill level required to protect an application or server goes way higher than the skill level of many developers.
The result being that independent development is impossible as you would need to hire ever more expensive security consultants for anything that stores data.
I understand your point (it is potentially true for more than just the security domain of application development) but I think your premise in this case is false. SQLI (XSS, CSRF, ...) attacks are neither sophisticated nor new. SQLI has been known since at least 1998 (Phrack 54).
SQLI protection at least should be abstracted away from the developer's concerns by use of default parametrized queries. Technical difficulty is not the problem here.
I was thinking more in terms of reactions. Governments rarely admit their own faults and weaknesses. They will react claiming computer terrorists must be stopped now and that more control on the Internet is needed to protect everybody.
"Biggest" only for the media coverage this could get; I would not be surprised if they had exploited a common vulnerability. At least when we are discussing publicly accessible sites, "security-illiterate" is the perfect definition for these government agencies (and the external companies that build the sites they need).
Will this kind of thing make the general public at least a bit more security conscious?
It appears that LulzSec isn't directly responsible for this. Although, since they called for the hacking of every government agency in the world with their "anti-sec" call to arms, it's a bit disingenuous for them to rock back on their heels in shock and confusion.
Is there any Government IT contractor that doesn't have a terrible reputation?
Government contracts are a pain to do. Most of the work is in jumping through hoops rather than actually doing the work. Most (all?) competent companies avoid Government work for this reason, making it very difficult to get any Government IT work done well.
I've always thought that the government should have their own IT agency. The NHS would do well to fire all the paid up consultants and commercial software and start a Google-style technology cooperative and share their results to other agencies. The NHS has the biggest IT problem of all and with the right minds on the job we'd have massive progress in the organisation and some serious advances in computer science to boot.
Whilst yes, the UK govt and/or LM are to be criticised for their lack of security, LulzSec or whoever don't need to actually go and post all the data for the world to see. If they want to prove they've done it, post redacted samples. It's childish, self-defeating and insanely irresponsible to publish them.
Anonymous had a lot of support for their attacks on Mastercard et al. People, not just the programmers demographic, were seeing them as civil disobedience through the internet and hailing them for taking up a right cause, namely against dirty, probably unconstitutional, certainly unethical attacks on Wikileaks by numerous powerful groups.
What's more, Anonymous was seen as more powerful than such groups in the internet arena. It was felt that such powerful groups would thus think twice and know that they are against probably smarter people, perhaps even their own employees. Alas, like actual physical protests, they did not manage to change much. Wikileaks has almost been forgotten now. Julian has gone quiet. The organisation itself seems to have become divided and disorganised. They possibly are buying time. But the power that be has shown us that they have the resources, are willing to play, publicly, dirty tricks, and can even withstand a public opinion quite strongly against them.
Julian has been given some outstanding honour in journalism. He might even win the Peace prize for what some say was the effect of wikileaks on bringing about the Arab Spring. That may show that there are many powerful avenues to resist and/or push back the power that be.
All of that is being undermined for no apparent reason whatever. Although LulzSec might be trying to send a signal to the power that be: we are stronger, we are smarter, you need to know that before thinking again about doing dirty tricks. They don't seem to be able or willing to choose their targets well to send such a message. Showing that you can for example steal the census data in order to increase the security of organisations which deal with our data is like a man showing that he can steal a car by breaking into the car and stealing it.
We can all commit crimes. We choose not to for very good reasons. Some things can not be fortified and turned into castles. And even castles can be brought down.
So the ultimate effect is that anonymous is painted with the same brush. As petty criminals bringing havoc into the streets of the neighbourhood by breaking car windows to show us that they can so break car windows.
For now, Anonymous still has the upper moral ground. That is for now. By for now I mean for the next few days or weeks. The report for example that a member of LulzSec has been arrested who has connections with Anonymous helps tremendously in blurring the lines between Anonymous and LulzSec.
The blurring means nothing more nor less than the excuse and the swaying of the public opinion that the power that be needs to go after anonymous and send a clear signal. You may be smarter but we have more resources and more avenues and the consequences you face are much greater.
The biggest signal that the power that be may send however is that they are able to control the public opinion by playing tricks. I think we all remember how last year we were talking about how the power that be is going to deal with wikileaks. The conversations that were had here on hackernews are probably still accessible through searching. Killing him seemed to be the most mentioned option, but quickly refuted by others. Now, it may be a strong statement to make seeing as I have no evidence whatever, but the information that did come out in regards to the two women, the fact that Assange is still here in Britain almost a year after, that he is actually free, suggests that tainting him with rape accusations was their choice. As we are seeing, it seems to have worked.
Equally, I do not know who LulzSec is. They have no motive, no reason, to do what they are doing. They are intelligent. Thus I doubt they would risk years in prison just to show that they can break a car. People do not tend to do things for no reason, especially if there are great consequences.
There is no laughter to be had from, say, having access to a lot of information on Sony users. Nor is there any lulz in having, say, the information from the census.
I therefore think that there is a probability that Mastercard, Visa, Bank of America et al. got quite pissed off from Anonymous' attacks, but, unable to do anything because of the strong public support that Anonymous had, thought creatively and went for the blurring of the lines between common thieves and civil disobedience.
That is one possibility. Probably the more likely possibility. Sophos for example seems to be salivating every time LulzSec does something.
The other option, that they are kids being stupid, like most teenagers at times, confused, rebellious, is a possibility but unlikely. They probably know full well that gaining such a high profile while not having any public support, or even having the public against them, means that they will crash down painfully to the bottom and remain there for years and years.
I'll finally finish this quite long comment by stating that if LulzSec is anything other than affiliated or corrupted, then they should know that they are tainting ideals with petty crimes.
Give me a break. There are no ideals, and it's not a conspiracy. It's just a bunch of trolls on summer vacation. They are doing it because they don't really care to consider consequences when they choose to do something. Mystery solved by Occam's Razor.
If you didn't know that lots of people like to do mean, pointless things all day for no reason, then welcome to 4chan, you may or may not enjoy your stay.
That's the impression I have of a lot of contemporary political and business interests: "There are no ideals, and it's not a conspiracy. It's just business." Some do it for the lulz. Some do it for the bottom line.
LulzSec's tactics may be callous or juvenile, but they also somehow see a fitting expression for some of the inchoate disenchantment that I feel. When I pause to consider that I'm doing pretty well, all things considered, I can imagine the deeper chord they strike with others.
but they also somehow see a fitting expression for some of the inchoate disenchantment that I feel.
I've been curious about this feeling as it certainly seems to me that you're not alone. What is it that they've done that makes them hit a chord with you? What I see when I look at LulzSec is mostly behavior that hurts a random collection of common people - like dropping emails, hashes, and personal info of people who just happened to be unlucky enough to make an account with one of their many targets. Or DDoS on small indie software developers to prevent their customers from playing their games for a bit. Are you disenchanted with gamers and people who sign up for a book forum and such?
I totally understand the appeal of the Anonymous DDoSes and the HBGary hack, for example, so the whole thing isn't lost on me. But I just find LulzSec idiotic and grating.
I think that if there's an overriding principle behind it, you could say the principle is this:
The world is full of crazy laws and arbitrary rules which are frequently both boring and harmful. The only reasonable laws are ones that are purposeful and enforceable. If a law is stupid or if you can't enforce the law, we will break it at our whimsy, and if you don't like it, then you're the one that should change somehow, because anyone else could and probably should go break it too.
You could say that this is the grow-a-thicker-skin Internet philosophy. It's an idea that is appealing if you're young, moderately intelligent and computer-savvy, because your life has probably been filled with really stupid rules that are totally pointless and/or completely unenforceable, and you have no idea how to fix it, and you have probably never been on the other end of things.
What is it that they've done that makes them hit a chord with you?
As an American, I have a demoralizing sense that the country has given up on doing great things and, more specifically, turned its back on underdogs. I could make a more detailed case, starting with my view of human nature and extending to the latest Supreme Court decisions and the drivel I see nosing around Twitter and Facebook, but that would be sort of beside the point here.
Why gamers and book forum readers? I don't have anything against them personally and I agree there are probably more suitable targets. At the same time, obsessive game-players and score-keeping book-readers offer an obvious illustration for the kind of obliviousness and escapism that I can find symptomatic of larger social problems.
I suspect Lulzsec owes part of its style to The Joker from the last Batman movie. Remember that scene when the Joker lights the pile of money on fire? I agree Anonymous is a more constructive example of civil disobedience. But Lulzsec, in its aimlessness, may be the more potent symbol. I see it as a form of satire as much as anything.
Would my attitude change if, say, they deleted my Gmail account? Probably. But then maybe there would be something constructive in that, too.
I was thinking of saying something along the lines of I'd be surprised if they view their own actions so introspectively. Perhaps comparing it to the classic English teacher interpreting meaning behind a work for the class that the author never intended.
But I suppose it really doesn't matter - if people get something from a work it really makes no difference if the intent was there with the creation.
Doesn't seem too different than the usual teenage hubris. Kids think adults are boring on purpose and try to disrupt the social order to make life more interesting. They don't realize order and a good life is actually quite hard to maintain, and a bit of boring is the cost of living well.
I thought the actions of anonymous did have ideals. They were protecting free speech through disobedience.
I've seen 4chan. It's no more than the corner teenagers playing around. They may once in a while break a window, or inconvenience some person, but they do not go to rob banks, or hit a police officer. All that is metaphors obviously, perhaps imperfect metaphors.
All I am saying is that I, we, do not know who or what LulzSec is. Anonymous is everyone. You can apparently just enlist your computer towards some action. LulzSec is who?
Considering what happened to wikileaks why is there no probability, though slight, that it may be some dirty trick?
For example, anonymous is everyone right? Yet this guy who has been arrested, the "lulzsec mastermind", is apparently someone who has connections with anonymous.
Moreover, since LulzSec appears to logically have no motive to take such a grave risk, as shown by the individual who just got arrested and may possibly rot in jail, but many groups have an interest in getting rid of Anonymous, and thus would want to blur the lines and sway public opinion, I think there is at least some probability that they have been either corrupted or are affiliated.
I'd rather keep an open mind. We'll probably learn much more once this LulzSec guy goes to trial, hopefully here in Britain, rather than extradited to some extrajurisdictional American prison, or offered a job in some company.
- 4channers have been sitting around DDoSing and defacing websites recreationally for years. The only difference here is that the websites are big organizations instead of some poor dude's message board or personal site, and that might seem like a big difference to you, but I don't think it seems like a big difference to the folks involved.
- I don't know what the mystery is here about "who or what Lulzsec is" or about "Anonymous is everyone." It's a bunch of teenagers on IRC, not a shadowy order of the shadows. It's pretty much the same guys every time, with people popping in and out.
- What does this have to do with Wikileaks, even tangentially? The fact that it's on a computer and the government doesn't like it?
- It's surprising that LulzSec has "connections" with Anonymous? The name of their group is "LulzSec" and their Twitter mascot is the 4chan monocle guy! Where did you think they came from, thin air?
This whole thing looks so completely ordinary to me that I don't see any reason to postulate foul play.
I'm using it as a shorthand for: "Here is a perfectly reasonable explanation that fits the facts. The other given explanation requires the conjunction of multiple unlikely things and I see no evidence favoring it. I believe the other explanation is sufficiently unlikely that there's not much point speculating about it."