Oh well, just because we want to waste government and local authority investigation time: we hacked every website in the world. Enjoy!
LulzSec The Lulz Boat
I'm not seeing "we hacked the UK census" on our twitter feed or website... why does the media believe we hacked the UK census? #confusion
Not sure we claimed to hack the UK census or where that rumour started, but we assume it's because people are stupider than you and I.
Just saw the pastebin of the UK census hack. That wasn't us - don't believe fake LulzSec releases unless we put out a tweet first.
Those tweets were deleted. Here's the official word:
"Just saw the pastebin of the UK census hack. That wasn't us - don't believe fake LulzSec releases unless we put out a tweet first."
I'm just curious, because Lulzsec posts frequently and I wonder if law enforcement could subpoena twitter in attempts to catch these people.
The FBI routinely uses software exploits to install something called CIPAV on the remote client computer to retrieve forensics data and negate the effect of proxies, vpns, tor, etc.
Twitter almost assuredly has the ability to push a custom iframe or similar based on who is logged on to support these kinds of government payloads. In the case the wired article references myspace directly assisted.
Surely being more security paranoid than usual should make it harder for an attack like this to succeed, but if the feds get pissed enough it's not unthinkable that they could get access to a targeted zero day to use.
I contacted them a little over two hours ago, I haven't received a response, yet.
It may take them a while to figure out what a "computer" is and how it might be "hacked". You could be waiting some time :)
We are aware of the suggestion that census data has been accessed. We are working with our security advisers and contractors to establish whether there is any substance to this. The 2011 Census places the highest priority on maintaining the security of personal data. At this stage we have no evidence to suggest that any such compromise has occurred.
Link to story: http://www.networkworld.com/news/2011/052611-lockheed-martin...
Of course, it could still be some anon who actually does have the census data, and considers himself lulzsec-affiliated.
I submitted my census info via the online form and given the amount of detail I included I would be terrified if that info was leaked.
Imagine that you can get this info and a pretty good idea of salary and lifestyle by running a db search in a few seconds. You can easily focus your attention on the most lucrative propositions and get info from even those that are careful to not put such info out there. Census completion is a legal requirement; everyone should be on one.
I don't find it particularly interesting, though. People earn around what you expect them to earn.
Job title, Occupation, Employees managed.
You didn't look very well ;0)>
I remember particularly as this sort of question is hard for me as I don't really have a job title, my occupation is extremely varied.
Apart from the obvious ID theft risk.
Google doesn't seem to return anything on that domain.
Here's the text of the freedom bill:
Seems pretty nice. I dread to think what they'll have to trade the tories for it though.
Not in any order of popularity:
1. Brute-force (or not) cracking of weak or default usernames/passwords
2. Privilege escalation
3. Exploiting unused and unnecessary database services and functionality
4. Targeting unpatched database vulnerabilities
5. SQL injection
6. Stolen backup (unencrypted) tapes
What you should be careful about is the things surrounding the database: the .php files (or whatever) that read/write the database, and the system it is running on.
Basic security practice for the web: NEVER trust user input: check and recheck all the GET/POST variables, check that numbers are numbers, that strings are correct strings (they have no funny characters, such as " or ; (for databases) or <>"&' (for HTML) or . (for paths)). Check all input into the databases (to prevent SQL injections) and all output to the user (for XSS).
Basic security practice for sysadmins: Use up-to-date OS and software. Use strong passwords. Almost never run root. Make remote access hard.
This seems easy, and for the most part, it is. It's just so many things that people forget to check for them all.
It's not characters that get you, it's lack of escaping or escaping for the wrong context (e.g. magic_quotes won't work for HTML)
• For SQL use prepared statements exclusively (never let "oh, it's just a number so I don't need to" fool you)
• Escaping doesn't differ between "trusted" and "untrusted" data (and these boundaries are too easy to break eventually).
Just escape everything, always. In PHP it means every `echo $var` is a likely vulnerability and `echo htmlspecialchars($var, ENT_QUOTES)` (in HTML except script) or `json_encode($var)` (in script) is a must.
Obviously, you should do defense in depth, so input validation is great and some filtering just-in-case may be warranted, but escaping alone (assuming done well) is sufficient for security, while filtering alone is not.
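Added example, not code from the thread: the escape-per-context rule above in Python, standing in for the htmlspecialchars($var, ENT_QUOTES) and json_encode($var) calls named in the comment. The page template and the two payloads are constructed; it also shows one gap a practitioner hits when porting the advice, since Python's json.dumps, unlike PHP's json_encode, does not escape "/" by default.

```python
import html
import json

# Constructed sample inputs: one aimed at the HTML body/attribute context,
# one aimed at closing a <script> block early.
HTML_PAYLOAD = '<img src=x onerror="alert(1)">'
SCRIPT_PAYLOAD = "</script><script>alert(1)//"
SAMPLE_PREFS = {"theme": "dark", "last_search": SCRIPT_PAYLOAD}


def escape_html(value):
    """HTML text and attribute context: the Python equivalent of
    htmlspecialchars($var, ENT_QUOTES); escapes & < > " and '."""
    return html.escape(str(value), quote=True)


def js_literal(value):
    """<script> context: emit a JSON literal that cannot end the script block.

    json.dumps alone is not the same as PHP's json_encode: PHP escapes '/'
    by default, Python does not, so a '</script>' inside the data would
    survive and close the block early. Writing '</' as '<\\/' is still
    valid JSON and valid JavaScript. ensure_ascii (the default) already
    escapes U+2028/U+2029, which JavaScript treats as line terminators.
    """
    return json.dumps(value).replace("</", "<\\/")


def roundtrip_ok(value):
    """The extra escaping must not change what the browser decodes."""
    return json.loads(js_literal(value)) == value


def naive_script_block(prefs):
    """json.dumps dropped straight into <script>: kept only to show the
    breakout that js_literal prevents."""
    return "<script>var prefs = " + json.dumps(prefs) + ";</script>"


def render_page(name, prefs):
    """Render untrusted data into three places, escaping for each context."""
    return (
        f"<p>Hello, {escape_html(name)}</p>\n"
        f'<input name="q" value="{escape_html(name)}">\n'
        f"<script>var prefs = {js_literal(prefs)};</script>\n"
    )


def script_block_intact(markup):
    """True when nothing in the data could close the script block early:
    the only </script> present is the one the template wrote."""
    return markup.count("</script>") == 1


if __name__ == "__main__":
    page = render_page(HTML_PAYLOAD, SAMPLE_PREFS)
    print(page)
    print("escaped page intact:", script_block_intact(page))          # True
    print("naive block intact:", script_block_intact(naive_script_block(SAMPLE_PREFS)))  # False
```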
I cannot vote this up enough. Also, depending on what database you are using (eg Oracle) if you don't use prepared statements (aka bind variables) you are guaranteed to kill your DB performance.
People have argued with me in the past that for things like sorting the data they cannot use bind variables. In that case, use the user input to select which safe string to use, eg:
  def sort_clause(user_select_sort)
    if user_select_sort == 'by_account_num'
      return 'order by account_num asc'
    elsif user_select_sort == 'by_transaction_date'
      return 'order by transaction_date'
    end
    'order by transaction_date' # unknown input: safe default, never the raw input
  end
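Added example, not code from the thread: the "pick a safe string, never the input" approach above combined with bind parameters for the values, in Python with the standard sqlite3 module and a constructed in-memory transactions table. It goes one step beyond the comment by also showing why the sort column cannot simply be bound as a parameter.

```python
import sqlite3

# The user's choice selects one of these fixed fragments; the raw input never
# reaches the SQL text. Unknown keys fall back to DEFAULT_SORT.
SORT_CLAUSES = {
    "by_account_num": "ORDER BY account_num ASC",
    "by_transaction_date": "ORDER BY transaction_date",
}
DEFAULT_SORT = "by_transaction_date"


def sort_clause(user_select_sort):
    """Return a whitelisted ORDER BY fragment for the user's sort choice."""
    return SORT_CLAUSES.get(user_select_sort, SORT_CLAUSES[DEFAULT_SORT])


def make_db():
    """Constructed in-memory table standing in for a real transactions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tx (account_num INTEGER, transaction_date TEXT, amount INTEGER)"
    )
    conn.executemany("INSERT INTO tx VALUES (?, ?, ?)", [
        (30, "2011-06-01", 5),
        (10, "2011-06-03", 7),
        (20, "2011-06-02", 9),
    ])
    return conn


def accounts_over(conn, min_amount, user_select_sort):
    """Values go through bind parameters (?); structure comes from the whitelist."""
    sql = "SELECT account_num FROM tx WHERE amount > ? " + sort_clause(user_select_sort)
    return [row[0] for row in conn.execute(sql, (min_amount,))]


def accounts_over_bound_sort(conn, min_amount, column_name):
    """Why the sort key cannot simply be bound: a bound parameter is a value,
    so ORDER BY ? sorts every row by the same constant string and the column
    named inside that string has no effect on the order."""
    sql = "SELECT account_num FROM tx WHERE amount > ? ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (min_amount, column_name))]


def table_exists(conn):
    """Check the table survived whatever was passed as the sort choice."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'tx'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print(accounts_over(db, 0, "by_account_num"))        # [10, 20, 30]
    print(accounts_over(db, 6, "by_transaction_date"))   # [20, 10]
    print(accounts_over(db, 0, "1; DROP TABLE tx; --"))  # [30, 20, 10], table intact
    print(accounts_over_bound_sort(db, 0, "account_num"))  # not sorted by account
```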
Why not just pass numbers instead?
I am certainly no expert in this field, but I would have thought discovering new exploits and security holes would take time, yet these guys are hitting several major sites a week.
Most websites seem to have at least one XSS or SQL injection hole. Nearly all have CSRF flaws.
As soon as the census closed, the relevant boxes should have been taken offline. The data moved to a "secure" location, and the original boxes wiped and destroyed.
Considering the data that was being collected, I don't think this is overkill.
That's how Australia treats important (Top Secret classified) data. I don't know how classified our census is, it should be treated with a bit of respect.
The result being that independent development is impossible as you would need to hire ever more expensive security consultants for anything that stores data.
SQLI protection at least should be abstracted away from the developer's concerns by use of default parametrized queries. Technical difficulty is not the problem here.
We reached that point quite a while ago. What we are seeing now is the result of that point being reached, without anyone realising at the time.
I quite liked this post: http://1raindrop.typepad.com/1_raindrop/2011/06/unfrozen-cav... people are just not investing in security. Most of the attacks are not very sophisticated, it is just no one is spending money on solving the basic security weaknesses.
Will this kind of thing make the general public at least a bit more security conscious?
Exposing security flaws and embarrassing govt is one thing, but to put un-redacted personal data online is quite another.
Each census form had a unique ID, which is obviously linked to your address as it was sent to you through the post.
We’re keeping them under lock and key though… so don’t worry about your privacy (…until we finish re-formatting them for release)
So, given they really are LulzSec, they are hinting that they won't publish the data un-redacted.
Isn't that what we'd expect a Government to do? Tender jobs out to the private sector and choose the provider that offers the best value for money?
It's not as if Lockheed Martin are a particularly insecure or untrustworthy company to hold private data.
Government contracts are a pain to do. Most of the work is in jumping through hoops rather than actually doing the work. Most (all?) competent companies avoid Government work for this reason, making it very difficult to get any Government IT work done well.
I've always thought that the government should have their own IT agency. The NHS would do well to fire all the paid up consultants and commercial software and start a Google-style technology cooperative and share their results to other agencies. The NHS has the biggest IT problem of all and with the right minds on the job we'd have massive progress in the organisation and some serious advances in computer science to boot.
19-year-old suspected of being mastermind behind computer hacking group LulzSec arrested in Wickford, Essex. #c4news
Anonymous had a lot of support for their attacks on Mastercard et al. People, not just the programmers demographic, were seeing them as civil disobedience through the internet and hailing them for taking a right cause, namely against dirty, probably unconstitutional, certainly unethical attacks on wikileaks by numerous powerful groups.
What's more, anonymous was seen as more powerful than such groups on the internet arena. It was felt that such powerful groups would thus think twice and know that they are against probably smarter people, perhaps even their own employees. Alas, like actual physical protests, they did not manage to change much. Wikileaks has almost been forgotten now. Julian has gone quiet. The organisation itself seems to have become divided and disorganised. They possibly are buying time. But the power that be has shown us that they have the resources, are willing to play, publicly, dirty tricks, and can even withstand a public opinion quite strongly against them.
Julian has been given some outstanding honour in journalism. He might even win the Peace prize for what some say was the effect of wikileaks on bringing about the Arab Spring. That may show that there are many powerful avenues to resist and/or push back the power that be.
All of that is being undermined for no apparent reason whatever. Although LulzSec might be trying to send a signal to the power that be. We are stronger. We are smarter. You need to know that before thinking again about doing dirty tricks. They don't seem to be able or willing to choose their targets well to send such a message. Showing that you can for example steal the census data in order to increase the security of organisations which deal with our data is like a man showing that he can steal a car by so breaking into the car and stealing it.
We can all commit crimes. We choose not to for very good reasons. Some things can not be fortified and turned into castles. And even castles can be brought down.
So the ultimate effect is that anonymous is painted with the same brush. As petty criminals bringing havoc into the streets of the neighbourhood by breaking car windows to show us that they can so break car windows.
For now, anonymous still has the upper moral ground. That is for now. By for now I mean for the next few days or weeks. The report for example that a member of lulzsec has been arrested who has connections with anonymous helps tremendously in blurring the lines between anonymous and lulzsec.
The blurring means nothing more nor less than the excuse and the swaying of the public opinion that the power that be needs to go after anonymous and send a clear signal. You may be smarter but we have more resources and more avenues and the consequences you face are much greater.
The biggest signal that the power that be may send however is that they are able to control the public opinion by playing tricks. I think we all remember how last year we were talking about how the power that be is going to deal with wikileaks. The conversations that were had here on hackernews are probably still accessible through searching. Killing him seemed to be the most mentioned option, but quickly refuted by others. Now, it may be a strong statement to make seeing as I have no evidence whatever, but the information that did come out in regards to the two women, the fact that Assange is still here in Britain almost a year after, that he is actually free, suggests that tainting him with rape accusations was their choice. As we are seeing, it seems to have worked.
Equally, I do not know who lulzsec is. They have no motive, no reason, to do what they are doing. They are intelligent. Thus I doubt they would risk years in prison to just show that they can break a car. People do not tend to do things for no reason, especially if there are great consequences.
There is no laughter to be had of say having access to a lot of information of Sony users. Nor is there any lulz in having say the information of the census.
I therefore think that there is a probability that Mastercard, Visa, Bank of America et al got quite pissed off from anonymous' attacks, but unable to do anything because of the strong public support that anonymous had, thought creatively and went for the blurring of the lines between common thieves and civil disobedience.
That is one possibility. Probably the more likely possibility. Sophos for example seems to be salivating every time lulzsec does something.
The other option, that they are kids, being stupid, like most teenagers at times, confused, rebellious, is a possibility but unlikely. They probably know full well that gaining such a high profile while not having any public support or even having the public against them means that they will crash down painfully to the bottom and remain there for years and years.
I'll finally finish this quite long comment by stating that if lulzsec is anything other than affiliated or corrupted, then they should know that they are tainting ideals with petty crimes.
If you didn't know that lots of people like to do mean, pointless things all day for no reason, then welcome to 4chan, you may or may not enjoy your stay.
That's the impression I have of a lot of contemporary political and business interests: "There are no ideals, and it's not a conspiracy. It's just business." Some do it for the lulz. Some do it for the bottom line.
LulzSec's tactics may be callous or juvenile, but they also somehow see a fitting expression for some of the inchoate disenchantment that I feel. When I pause to consider that I'm doing pretty well, all things considered, I can imagine the deeper chord they strike with others.
I've been curious about this feeling as it certainly seems to me that you're not alone. What is it that they've done that makes them hit a chord with you? What I see when I look at lulzsec is mostly behavior that hurts a random collection of common people - like dropping emails, hashes, personal info of people who just happened to be unlucky enough to make an account with one of their many targets. Or DDOS on small indie software developers to prevent their customers from playing their games for a bit. Are you disenchanted with gamers and people who sign up for a book forum and such?
I totally understand the appeal of the Anonymous DDOS's and HB Gary hack for example, so the whole thing isn't lost on me. But I just find lulzsec idiotic and grating.
The world is full of crazy laws and arbitrary rules which are frequently both boring and harmful. The only reasonable laws are ones that are purposeful and enforceable. If a law is stupid or if you can't enforce the law, we will break it at our whimsy, and if you don't like it, then you're the one that should change somehow, because anyone else could and probably should go break it too.
You could say that this is the grow-a-thicker-skin Internet philosophy. It's an idea that is appealing if you're young, moderately intelligent and computer-savvy, because your life has probably been filled with really stupid rules that are totally pointless and/or completely unenforceable, and you have no idea how to fix it, and you have probably never been on the other end of things.
As an American, I have a demoralizing sense that the country has given up on doing great things and, more specifically, turned its back on underdogs. I could make a more detailed case, starting with my view of human nature and extending to the latest Supreme Court decisions and the drivel I see nosing around Twitter and Facebook, but that would be sort of beside the point here.
Why gamers and book forum readers? I don't have anything against them personally and I agree there are probably more suitable targets. At the same time, obsessive game-players and score-keeping book-readers offer an obvious illustration for the kind of obliviousness and escapism that I can find symptomatic of larger social problems.
I suspect Lulzsec owes part of its style to The Joker from the last Batman movie. Remember that scene when the Joker lights the pile of money on fire? I agree Anonymous is a more constructive example of civil disobedience. But Lulzsec, in its aimlessness, may be the more potent symbol. I see it as a form of satire as much as anything.
Would my attitude change if, say, they deleted my gmail account? Probably. But then maybe there would be something constructive in that, too.
I was thinking of saying something along the lines of I'd be surprised if they view their own actions so introspectively. Perhaps comparing it to the classic English teacher interpreting meaning behind a work for the class that the author never intended.
But I suppose it really doesn't matter - if people get something from a work it really makes no difference if the intent was there with the creation.
I've seen 4chan. It's no more than the corner teenagers playing around. They may once in a while break a window, or inconvenience some person, but they do not go to steal banks, or hit a police officer. All that is metaphor, obviously, perhaps imperfect metaphor.
All I am saying is that I, we, do not know who or what Lulzsec is. Anonymous is everyone. You can apparently just enlist your computer towards some action. Lulzsec is who?
Considering what happened to wikileaks why is there no probability, though slight, that it may be some dirty trick?
For example, anonymous is everyone right? Yet this guy who has been arrested, the "lulzsec mastermind", is apparently someone who has connections with anonymous.
Moreover, since lulzsec appears to logically have no motive to take such a grave risk, as shown by the individual who just got arrested and may possibly rot in jail, but many groups have an interest to get rid of anonymous, thus would want to blur the lines and sway the public opinion, I think there is at least some probability that they have been either corrupted or are affiliated.
I'd rather keep an open mind. We'll probably learn much more once this Lulzsec guy goes to trial, hopefully here in Britain, rather than extradited to some extrajurisdictional American prison, or offered a job in some company.
- I don't know what the mystery is here about "who or what Lulzsec is" or about "Anonymous is everyone." It's a bunch of teenagers on IRC, not a shadowy order of the shadows. It's pretty much the same guys every time, with people popping in and out.
- What does this have to do with Wikileaks, even tangentially? The fact that it's on a computer and the government doesn't like it?
- It's surprising that LulzSec has "connections" with Anonymous? The name of their group is "LulzSec" and their Twitter mascot is the 4chan monocle guy! Where did you think they came from, thin air?
This whole thing looks so completely ordinary to me that I don't see any reason to postulate foul play.
Why do people insist on saying this? Yes, it might be the most likely reason, but Occam's Razor is not a law. It's more of a saying. Why are people repeating it as if it is always true?
That seems fantastically unlikely.