LulzSec's Final Release
<a href="http://www.rockpapershotgun.com/2011/06/26/lulzsec-over-release-battlefield-heroes-data/" target="_blank">http://www.rockpapershotgun.com/2011/06/26...ld-heroes-data/</a>
<blockquote>LulzSec, the hacker group who have claimed responsibility for many of the high profile attacks on gaming companies, publishers, and even the CIA, have declared their work is done, their time is up, and they're off. Apparently it was always intended to be a 50 day voyage aboard their Lulzboat, and it has come to an end.</blockquote>
<blockquote>booty/AOL internal data.txt 63.6 KiB
booty/AT&T internal data.rar 314.59 MiB
booty/<b>Battlefield Heroes Beta (550k users).csv</b> 24.67 MiB
booty/FBI being silly.txt 3.82 KiB
booty/Hackforums.net (200k users).sql 111.2 MiB
booty/Nato-bookshop.org (12k users).csv 941.8 KiB
booty/Office networks of corporations.txt 3.87 KiB
booty/Private Investigator Emails.txt 2.52 KiB
booty/Random gaming forums (50k users).txt 6.08 MiB
booty/Silly routers.txt 67.7 KiB
booty/navy.mil owned.png</blockquote>
Just a heads up for anyone to take a gander since I found my username/password on the list. The random gaming forums was clean for me, so they're probably only some real obscure boards.
Comments
<blockquote>Just a heads up for anyone to take a gander since I found my username/password on the list. The random gaming forums was clean for me, so they're probably only some real obscure boards.</blockquote>
Torrent has already been taken down, which is good/bad. I've been trying to keep up with their releases and would have liked to know if my information was leaked :(
Here's a text version of the BFH list. The password hashes were removed, just has usernames
<a href="http://www.mediafire.com/?6kj3rry07wxj6d9" target="_blank">http://www.mediafire.com/?6kj3rry07wxj6d9</a>
Which means I feature in none of their leaks from companies.. result.
--Scythe--
Obviously Gizmodo is farming e-mail addresses to spam later.
Not because of the hacking (a generous term, they were script kiddies) or information leaks, rather because they say "lulz" unironically.
Somewhat related
I wish I knew the first thing about hacking. I don't get how brute forcing passwords works. Are servers really fast enough to accept 10 million password guesses per second, and dumb enough to not lock someone out after several failed guesses?
Damn... That's impressive. I knew my 5770 had quite some bang for the buck, but that's just wow.. And 33.1 billion MD5 password hashes / second?!
Security, where have you gone?
So since it can't be THAT simple, what am I missing?
Edit: Hell even simpler: One wrong password triggers a two second lockout. Unimportant for legitimate users, crippling for people trying to brute-force. Spend 209 years to try 3.3 billion passwords. Have fun. Hope I don't change my password in the meantime. Or, you know, the system gets replaced completely. Or you DIE.
Seriously, where's the weakness? How would these simple measures not make brute-forcing completely useless?
They are sensible measures that would work. The other option is like Google Accounts which, if you put in the wrong password five times, requires a difficult captcha alongside the correct password. Suddenly the processing requirements have jumped up a lot. Hell, those Google Captchas are the hardest I've seen, I generally have to cycle through until I find one that isn't impossible.
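A small model of the two throttles the last few posts describe, a two-second lockout after every wrong password and a step-up challenge after five consecutive failures, as an added example; this is not code from the thread or from any site mentioned in it. The account store, the constants and the injected clock are assumptions made for the demo, and the stored value is a salted SHA-256 only to keep the example short.

```python
# Added example (not from the thread): a login checker with a per-account
# lockout after each wrong password and a step-up challenge after repeated failures.
import hashlib
import hmac
import secrets
import time

LOCKOUT_SECONDS = 2.0   # assumption: one wrong password -> two-second lockout
STEP_UP_AFTER = 5       # assumption: five consecutive failures -> extra challenge required


def _digest(salt, password):
    # salted SHA-256 stands in for whatever a real site would use
    return hashlib.sha256(salt + password.encode()).digest()


class ThrottledLogin:
    """Username/password checker with per-account lockout and step-up state.

    `clock` is injected so the behaviour can be exercised without sleeping;
    it defaults to time.monotonic().
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}         # username -> (salt, digest)
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> clock value at which the lockout ends

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _digest(salt, password))

    def attempt(self, username, password, challenge_passed=False):
        """Return 'ok', 'locked', 'challenge-required' or 'bad-password'."""
        now = self._clock()
        if now < self._locked_until.get(username, 0.0):
            return 'locked'  # refused even if the password is right
        if self._failures.get(username, 0) >= STEP_UP_AFTER and not challenge_passed:
            return 'challenge-required'
        # hash and compare even for unknown users so the response time is the same
        salt, stored = self._users.get(username, (b'', bytes(32)))
        matched = hmac.compare_digest(stored, _digest(salt, password))
        if matched and username in self._users:
            self._failures[username] = 0
            return 'ok'
        self._failures[username] = self._failures.get(username, 0) + 1
        self._locked_until[username] = now + LOCKOUT_SECONDS
        return 'bad-password'


def demo():
    """Walk a fake clock through the throttle; returns the sequence of outcomes."""
    t = [0.0]
    auth = ThrottledLogin(clock=lambda: t[0])
    auth.register('alice', 'correct horse')        # constructed account
    out = [auth.attempt('alice', 'wrong')]          # bad-password, lockout starts
    out.append(auth.attempt('alice', 'correct horse'))  # locked: right password, too soon
    t[0] += LOCKOUT_SECONDS
    out.append(auth.attempt('alice', 'correct horse'))  # ok, counter reset
    for _ in range(STEP_UP_AFTER):
        out.append(auth.attempt('alice', 'wrong'))
        t[0] += LOCKOUT_SECONDS
    out.append(auth.attempt('alice', 'correct horse'))  # challenge-required
    out.append(auth.attempt('alice', 'correct horse', challenge_passed=True))  # ok
    return out


if __name__ == '__main__':
    print(demo())
```

With a two-second lockout an online guesser gets at most 43,200 tries per account per day regardless of how fast the server is, which is the point made above; the step-up challenge then adds a cost per guess that no GPU helps with.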
Nobody really brute forces passwords by having a script enter them into a website's login. The only place that happens is on poorly-monitored shell logins on servers.
When you create an account with a website you enter your username and your password. If the site is staffed by ignorant buffoons, they'll store your username and password in the same database, in plaintext. Johnny Nastyhax then logs into their database and syphons off all the goods quick-smart. If they're half-competent they'll take a hash of your password and store that instead. A hash is a one-way conversion of your password. Next time you log into your account it takes a hash of the contents of the password box and compares it to the stored hash. If they match, you're allowed to log in. A hash cannot be deciphered back into your password. Except it can, with enough processing power, or a pre-computed lookup of ALL hashes, called a rainbow table.
If they're verging in on full-competent, they'll hash your password with a salt, which means they tweak the hash process slightly such that the resulting hashed password won't appear in any rainbow table not made for that specific salt value.
This is why some of the leaks weren't so bad, because only the hashed passwords were stored, and those were probably salted.
--Scythe--
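The three storage schemes Scythe describes, plaintext, unsalted hash and salted hash, side by side as an added example (not Scythe's code or anything from the thread). The account list and the "common passwords" list are constructed, SHA-256 stands in for whatever hash a real site uses, and the last function goes one step past the thread by using a deliberately slow hash (PBKDF2), which is what the hash rates quoted earlier in the thread argue for.

```python
# Added example (not from the thread): plaintext vs unsalted hash vs per-account
# salted hash, and why only the salted form defeats a precomputed lookup table.
import hashlib
import hmac
import secrets


def store_plaintext(password):
    """Scheme 1: the stored value is the password; a database dump is the password list."""
    return password


def store_unsalted(password):
    """Scheme 2: one-way hash, but identical passwords give identical digests,
    so one precomputed table answers for every account on every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Scheme 3: a random per-account salt is mixed in before hashing.
    Returns (salt, digest); both are stored and the salt need not be secret."""
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt, digest


def verify_salted(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def store_salted_slow(password, salt=None, iterations=100_000):
    """Beyond the thread: same idea with PBKDF2-HMAC-SHA256, which is deliberately
    expensive so an offline guesser gets far fewer tries per second."""
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt.encode(), iterations).hex()
    return salt, digest


def build_lookup_table(common_passwords):
    """A tiny stand-in for a rainbow table: unsalted digest -> password."""
    return {store_unsalted(p): p for p in common_passwords}


def hits_in_table(stored_digests, table):
    """How many stored digests the precomputed table recovers directly."""
    return sum(1 for d in stored_digests if d in table)


def demo():
    """Constructed accounts and a constructed common-password list; returns what each scheme leaks."""
    common = ['qwe123', 'password', '123456']
    table = build_lookup_table(common)
    accounts = {'alice': 'qwe123', 'bob': 'qwe123', 'carol': 'correct horse battery'}
    unsalted = {u: store_unsalted(p) for u, p in accounts.items()}
    salted = {u: store_salted(p) for u, p in accounts.items()}
    return {
        'unsalted_table_hits': hits_in_table(unsalted.values(), table),      # alice and bob
        'salted_table_hits': hits_in_table([d for _, d in salted.values()], table),
        'same_password_same_unsalted': unsalted['alice'] == unsalted['bob'],
        'same_password_same_salted': salted['alice'][1] == salted['bob'][1],
        'verify_right': verify_salted('qwe123', *salted['alice']),
        'verify_wrong': verify_salted('wrong', *salted['alice']),
    }


if __name__ == '__main__':
    print(demo())
```

The salt buys exactly what Scythe says: a table built for unsalted SHA-256 recovers both accounts that chose "qwe123", and recovers nothing once each account has its own salt, because the attacker would need a separate table per salt value.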
Imo the big threat is in the hands of the people you trust your information with. As Scythe said, either they store it wisely and you shouldn't be too worried, or they don't. In that case, it could spread out in similar ways to LulzSec's releases, or I don't know, maybe someone buys that kind of information. Once they're done with the brute-forcing offline, they try to log into popular websites etc. So, in a way, the threat is partially about server security, but also about the end-user and what he/she decides to put on the interwebs, and if he/she chooses to use the same "qwe123" password everywhere or create unique passwords for every site they visit.
I think what this means though is that "strong" passwords like we know them just aren't that strong anymore.
Given sufficient computing power, salted hashes could be decoded. It would be made easier if you made a bunch of accounts with known passwords, and then compared the hash to what you know you set your password as. That would at least give you something to start on.
This could then of course be beaten by a clever administrator who has the salt value modified according to something arbitrary (the date and time your account was created for example) or a combination of values. Even if computing power is increasing, it's not difficult to just heap on more and more levels of encryption. It is foolish to assume security practices of 5 years ago are still going to be effective today.
The success of lulzsec is due solely to the poor security practices of certain businesses and websites. Lulzsec used known exploits (that they probably just looked up on google, hence why I label them as script kiddies) to take advantage of websites that were running outdated software/had lazy administrators.
Though I guess if their entire purpose was to bring these kinds of problems out into the open, I would say they were successful. There are certainly still websites that are susceptible to things like SQL injection, even though it's a very simple exploit that is well known. It just comes down to poorly educated and/or lazy web developers.
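Since SQL injection comes up here as the simple, well-known case, here is the mistake beside its fix as an added example (not from the thread): a username lookup built by string concatenation next to the parameterised version, both run against a constructed in-memory SQLite table. A username containing an apostrophe is enough to show that concatenation lets input change the statement itself, while the parameterised query treats the same input purely as data.

```python
# Added example (not from the thread): the injectable lookup and the fixed one,
# side by side, against a constructed in-memory SQLite table.
import hashlib
import sqlite3


def hash_password(password):
    # unsalted SHA-256 only to keep the example short; see the salted example above
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed sample table with two accounts, one of them with a quote in the name."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)')
    for user, pw in [('alice', 'hunter2'), ("o'brien", 'secret')]:
        conn.execute('INSERT INTO users VALUES (?, ?)', (user, hash_password(pw)))
    return conn


def lookup_concatenated(conn, username):
    """The well-known mistake: user input is pasted into the SQL text.
    Returns ('row', pw_hash-or-None) or ('error', message)."""
    sql = "SELECT pw_hash FROM users WHERE username = '" + username + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as e:
        # the apostrophe has already changed the structure of the statement
        return ('error', str(e))
    return ('row', row[0] if row else None)


def lookup_parameterised(conn, username):
    """The fix: the value travels separately from the statement and can never alter it."""
    row = conn.execute('SELECT pw_hash FROM users WHERE username = ?', (username,)).fetchone()
    return ('row', row[0] if row else None)


if __name__ == '__main__':
    db = make_db()
    for name in ['alice', "o'brien"]:
        print(name, lookup_concatenated(db, name), lookup_parameterised(db, name))
```

The concatenated version fails outright on "o'brien" because the input became part of the SQL grammar; the parameterised one finds the row. Any web framework's database layer has the equivalent of the `?` placeholder, which is why this class of bug is considered so avoidable.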
OR had stingy leaders. The IT industry is rife with tales of critical updates/upgrades not being done because "it's too expensive and not really necessary," over the objections of lower-ranked people who actually know the technology and are fully aware that it's pretty damn necessary, but can't get the budget for it approved.
Politics come into play a lot; people don't want their fiefdoms intruded upon, yet it's not about intruding, it's about keeping the network up to date.
The problem is that an MBA does NOTHING to qualify you for decision-making about physical or virtual security, and yet that's the qualification somebody who's in charge of the security budget is likely to have. In other words, no qualification whatsoever.
And these are the people we entrust critical information to. Christ.
Funnily this is actually one of the best approaches to network security, don't connect your sensitive data to the network.
As a whole, humanity always seems to learn things the hard way. The pitfalls of lax cyber security seem to be no exception to this rule. Let's just hope all the media attention will wake people up.