News LulzSec targets EVE Online, Minecraft, League of Legends

Well when this first came about you had two groups Hackers (the good guys) and Crackers (the bad guys) but then it took one highly publicized news event and a wrong choice of words which in the end merged Hackers and Crackers together as a negative.

Then later in attempt to fix this, White Hat (good guys), Black Hat (bad guys) and Grey Hats (sits on the fence) was coined but hasnt really taken off in the eyes of the media...

 

agreed

 

I imagine they have a new target by now ...

 

loosers, it's easy to destroy something. Creation is difficult, I'd like to see them try and make something instead. I doubt they're up to the challenge.

 

Oh god I would love lulzsec to hit e-gay and cacktivision next.

Not that I agree with what they do, mostly, but some companies need their arses handed to them on a platter.

**** off and die origin, we want bf3 on steam. And would much prefer dedicated servers on cod.

/probably what was a rather childish rant

 

I know they are acting like a bunch of kids and it's annoying but I do wonder how many of these companies have had any form of penetration testing in the past? How about a security audit?

Has bit-tech been checked?

Sony certainly hadn't and they can afford the £1000+ a day a skilled penetration testing team can charge.

 

Huh - I just read that they allegedly attacked a CIA website. That may just be the start of them and their downfall.

I hope so!

 

Homeland Security is offering advice to financial institutions helping to protect them from hackers ... maybe they could fit in the CIA as well.

 

So they took down some websites. There are some things you can do to make a site resistant to DDoS attacks, but only so much. No matter how resistant a site is, if it gets hammered on enough it will go down. It takes processing/routing/firewall power to reject DDoS calls and accept legitimate calls. Of course it is infinitely worse if you have no DDoS protection and you accept DDoS calls as legitimate and you attempt to service thousands or hundreds of thousands of requests at a time.

Anyway, fart in the wind as they say. So far it sounds like they've "hacked" all of two sites using SQL injection attacks. Whoop-ty-do. SQL injection attacks are about as easy as you can manage (which makes having SQL injection vulnerabilities that much more bone headed) and frankly it isn't really much in the way of hacking. Its maybe a step up from script kiddy work, but only a baby step.

All it really does is give you access to information on the database that the form/field is linked to or others that it might have a union to. It isn't like you wield phenomenal cosmic power (have to deal with an itty bitty living space though) over the system.

 

If you look at their release site you will see that they have released information that suggests they have hacked a lot more than 2 sites: Most recently (from this past week) releasing internal code/data from
Senate.gov, Bethesda , Pron.com. Thats not to mention their various Sony site data and more..

Whether they are using DDoS, SQLi or more advanced techniques, I think companies should start taking notice.

 

Rumour is they've now released 62,000 username and password combinations from an unknown source ...

 

it was sql? be sad if it was ftp related.. yeah read about senate.gov but looks like they didn't get much farther than listing the contents of the apache server.. that's not that hard to do

what they did to bethesda is a full break.. metasploit used at it's finest including passing the hash and creating a pivot to get into boxes not connected.. pretty good stuff
I don't like the releasing of names/passwords.. getting out of hand xD

 

You would think that wouldn't you?

As with most things in security 'it depends'. In many cases you can use SQL injection, even blind SQL injection, to completely own a system. For a start that database will have credentials for the machine it's on, there are ways to ask the database what these are. You can often use a database to issue commands to the machine it's on too and since that database was install as an administrator (surprisingly common) your commands are executed with administrator privileges. You can upload your own programs (as in the end programs are just data) you could upload a webshell to make the hack easier, hell MS SQL comes out of the box with XP Command Shell which is basically an I win button if you can get to it.

 

they use meterpreter extensions.. then you really have unlimited access to the machine without the limits put on sh or cmd without creating a new process.. your executing in the process that was exploited- all in memory

avoids anitvirus like this too.. it's all part of metasploit

 

So ... All those who support and/or defend these dickheads seem to have gone pretty quiet ... is it possibly because releasing 62,000 persons details and the ensuing chaos it has caused is slightly indefensible?

Your heroes turn out to be villains. What a shocker.

 

http://twitter.com/#!/lulzsec
Sickening, people are getting blind robbed because of these guys, it's not just emails or whatever anymore, paypal accounts and stuff, no one can defend them now.

 

They must live a sad, pathetic life for doing stuff like this.

 

Im suprised their site and their twitter account have not been taken down yet.

 

Ugh. Isn't everyone bored of these fools yet?

 

I find them funny.. they had one about facebook being people's lives and how sad that it's over.. they are just doing what everyone wants to do but doesn't have the balls too