The Digital TV Blog ...


Tuesday 27 September 2011

Hide My Ass defends itself over “LulzSec Fiasco”

A UK VPN provider has defended handing over logs relating to a member of LulzSec after it was ordered to by the courts.

In a blog statement entitled “LulzSec Fiasco”, Hide My Ass said that it had previously come to its attention that a member of the hacktivist group was using the service, following the leak of some IRC chat logs.

However, the company took no action at the time as there was no proof of any wrongdoing, nor was there any indication which services were being used by which accounts.

“At a later date it came as no surprise to have received a court order asking for information relating to an account associated with some or all of the [...] cases,” the firm said.

Hide My Ass offers a range of services that enable users to surf anonymously, including VPN and web proxies.

However, it is stated in the organisation’s privacy policy that this is not intended to help those who choose to break the law, and that they will cooperate should they receive an order from a UK court.

“It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences,” the company further pointed out.

It went on to say that any such service that refuses to cooperate with the authorities on matters such as this is likely to “have their entire VPN network monitored and tapped by law enforcement, thus affecting legitimate customers.”

VPNs are often used by companies whose employees work from different locations, in order to ensure their data remains secure.

They can also be used to secure data whilst connected to an unsecured Wi-Fi network or access television services in other countries which would otherwise be blocked, ideal for ex-pats.

Hide My Ass can also bypass censorship in other countries and the company initially founded the service with this in mind in 2005.

“We truly believe the worldwide-web should be worldwide and not censored in any way,” the company blog states.

The firm’s services were used by protestors during the uprising in Egypt, to spread their message through sites such as Twitter, Facebook and Youtube, which were blocked by the Egyptian government.

Hide My Ass further defends its service by stating that it doesn’t log any of its users’ online activity.

Whilst they do keep track of when an account logs in and out, they “do not log in any shape or form your actual internet traffic.”

This enables them to keep track of “abusive users” such as spammers and ensure that their existing customer base is protected.

This is essential for the service the company provides and as they point out, they would quickly lose their reputation if they allowed illegal activities to be carried out and could not track such users.

Whilst they will comply with UK court orders, the company says that they will not respond to requests for information from overseas unless they are carried out through channels which will require them to provide evidence by UK law.

It seems that the company has come under some criticism for handing over the LulzSec info, more than likely by the remaining members of the group and their supporters.

However, should they have defied the court order, Hide My Ass would have been liable for prosecution themselves and most likely would have been forced out of business.

The company provides a legitimate service which has also been used to help further free speech in countries under a dictatorship, so it seems somewhat childish to accuse them of hypocrisy in this case.

Tuesday 21 June 2011

LulzSec denies “mastermind” has been arrested, and census hack

The story about the arrested nineteen-year-old alleged hacker from Essex we’ve just written about has just been commented on by LulzSec on the group’s Twitter feed.

Some sources have reported that the chap in question was a “mastermind” or key figure in the LulzSec group, but the organisation has denied this.

They tweeted: “Seems the glorious leader of LulzSec got arrested, it’s all over now… wait… we’re all still here! Which poor bastard did they take down?”

Police have said the arrest is in connection with the DDoS attacks on the SOCA website last night, which took the site down and for which LulzSec claimed responsibility.

No doubt more details in the bigger picture will emerge in due course. LulzSec hasn’t yet commented on the other big story which hit the headlines today, namely that they’ve managed to steal 2011 census data from the UK government.

This revelation was made on Pastebin, but hasn’t yet been officially confirmed or denied by the hacking organisation.

UPDATE: LulzSec has just now denied that it hacked the UK census data on its official Twitter feed: “Just saw the pastebin of the UK census hack. That wasn’t us – don’t believe fake LulzSec releases unless we put out a tweet first.”

Although the group did add: “But hey, if someone out there hacked the UK government in the name of #AntiSec, well done sirs!”

Could LulzSec have pinched UK census data?

No one will be surprised to see LulzSec’s name hitting the headlines again – only this morning we wrote about operation AntiSec and the hacking activist group downing the SOCA website.

And now there’s a story doing the rounds on the net about LulzSec having stolen the 2011 census data from the UK government.

However, this hasn’t been mentioned on the LulzSec Twitter feed yet, just on a message posted to Pastebin which read: “We have blissfully obtained records of every single citizen who gave their records to the security-illiterate UK government for the 2011 census.”

“We’re keeping them under lock and key though… so don’t worry about your privacy (…until we finish re-formatting them for release).”

Of course, anyone could have posted that up there, so odds are it’s a hoax. If it is true, however, then it’s a mind-boggling security failure for the government and Lockheed Martin, the arms giant paid £150 million to run the census.

In other news, a nineteen-year-old alleged hacker from Essex has been arrested, with much speculation that he is a prominent LulzSec member. Apparently the e-Crime unit worked in conjunction with the FBI to apprehend him, so he’s certainly not a minor target.

All eyes are on LulzSec’s Twitter feed for confirmation of the census claim and reaction to the arrest. It hasn’t been updated for the last eight hours, but doubtless we can expect an update fairly soon.

LulzSec and Anonymous pair up for operation AntiSec

The two most renowned Internet activist groups of the past year have teamed up in what they’ve billed operation Anti-Security, or AntiSec for short.

LulzSec and Anonymous are to combine their hacking skills (and DDoS organising firepower) to hit “government and whitehat security terrorists across the world [who] continue to dominate and control our Internet ocean.”

The LulzSec statement announcing the operation encourages anyone to join in the anti-security company and government agency campaign, defacing sites with the word “AntiSec” to mark an attack as part of the scheme.

LulzSec notes that the major goal is to “steal and leak any classified government information, including email spools and documentation.” Prime targets are mentioned as banks and other “high-ranking establishments”.

The first victim which appears to have been claimed is SOCA or the Serious Organised Crime Agency. Last night, LulzSec posted on its Twitter feed: “Tango down – soca.gov.uk – in the name of #AntiSec.”

This morning the SOCA website remains down. LulzSec also noted: “DDoS is of course our least powerful and most abundant ammunition. Government hacking is taking place right now behind the scenes.”

“Our next step is to categorize and format leaked items we acquire and release them in #AntiSec ‘payloads’ on our website and The Pirate Bay.”

We get the feeling some serious manure is about to get lodged in the air-conditioning, particularly if the banking industry is going to be fully targeted.

Friday 10 June 2011

LulzSec gives NHS security warning

Hacking group LulzSec is fast becoming the focus of a growing number of news stories with its network breaching shenanigans.

Previously the group has announced successful hacking forays onto the Sony Pictures website – where they reportedly made off with at least 50,000 customer details – and also Nintendo, to whom they said they meant no harm (and no data was taken anyway).

And now LulzSec has hit the NHS, although again, the group said it didn’t mean any harm to the organisation, and was merely informing it of network weaknesses.

LulzSec wrote on its Twitter feed: “Subdomain NHS access compromised 5 core admins and contact info of several affiliates. Luckily they stored nothing of importance on that DB.”

Other tweets noted that “no, we never planned to exploit those passwords” because “if we [censored] over those that give health, people would literally die laughing at our antics”.

The stolen info is linked to on the group’s Twitter feed, but sensitive details are blacked out “until they fix the problem”, which presumably the NHS is now doing or has done.

For its part, the NHS was quick to make it clear that no patient data files had been compromised.

Monday 6 June 2011

Nintendo also suffered hack attack, but no data stolen

Nintendo has come forward and said that its servers have also been under assault from LulzSec, after the hacking group hit Sony Pictures.com last week and extracted huge gobs of reportedly unencrypted customer data.

Nintendo’s data peaches, however, weren’t ripe for the picking. The company said the attack happened a couple of weeks back, but no data was stolen.

Nintendo issued a statement which read: “The server contained no consumer information. The protection of our customer information is our utmost priority.”

Yesterday, LulzSec posted on its Twitter account: “Re: Nintendo, we just got a config file and made it clear that we didn’t mean any harm. Nintendo had already fixed it anyway.”

Slightly later another user added: “They love N64 too much to cause any real harm”.

At any rate, Nintendo’s security looks considerably more bullet-proof than Sony’s, and if anything the incident just casts further bad light on Sony, with PSN and now Sony Pictures.com falling, the latter apparently to a simple SQL injection attack.

Sony Pictures confirms website hacked, apologises “deeply”

Just before the weekend, Sony Pictures issued a statement to confirm it did indeed have its website compromised by hackers last week.

As we reported last week, hacker group LulzSec accessed the SonyPictures.com database and a million customer details, making off with at least 50,000 of them and data including emails, home addresses, passwords, dates of birth and so on.

This is doubly embarrassing for Sony given that it follows the PSN hacking incident which saw its PS3 gaming network down for nearly a month.

Chairman and CEO Michael Lynton along with Co-Chairman Amy Pascal issued a statement which read: “The cybercrime wave that has affected Sony companies and a number of government agencies, businesses and individuals in recent months has hit Sony Pictures as well. [Last Thursday] afternoon a group of criminal hackers known as ‘LulzSec’ claimed to have breached some of our websites.”

“We have confirmed that a breach has occurred and have taken action to protect against further intrusion. A respected team of outside experts is conducting a forensic analysis of the attack.”

Sony has contacted the FBI (again) and “deeply regrets and apologizes for any inconvenience caused to consumers by this cybercrime”.

What Sony hasn’t mentioned is that the data, passwords included, was reportedly unencrypted, a shameful state of security, and that the attack was facilitated by a simple SQL injection.

If this is true, what customers are really waiting for is an explanation of why the site had such pitiful security measures in place. And if it isn’t true, you’d assume Sony would have mentioned that in the official statement.

Friday 3 June 2011

Sony Pictures website hacked, embarrassed faces all round

After Sony finally fully recovered from the PSN hacking incident – reinstating the PlayStation Store yesterday – the company seems to have suffered another embarrassing security breach.

This time it’s the Sony Pictures website which has been compromised by the group known as LulzSec, with rather breathtaking results.

LulzSec claims it accessed the details of a million customers on the SonyPictures.com site, including emails, home addresses, passwords, dates of birth and other info, of which it copied at least 50,000 and then released them onto the net. They also made off with a number of music coupons and codes.

Of course the personal information is the critical part, but the breathtaking aspect is that according to the organisation, the data – including passwords – wasn’t encrypted.

LulzSec wrote: “Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”

“What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.”
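The two failings LulzSec describes, a login query built by string concatenation and passwords stored exactly as typed, side by side with the hardened versions, as an added illustration that is not Sony’s code or the group’s: it assumes a constructed in-memory SQLite user table with a single made-up account, and uses parameter binding plus salted PBKDF2 hashing as the fix.

```python
import hashlib, hmac, os, sqlite3

ROUNDS = 100_000  # PBKDF2 work factor: slow, salted hashing instead of plaintext

def make_db() -> sqlite3.Connection:
    # Constructed demo schema: a 'before' table (plaintext) and a hardened one.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def register(conn, email: str, password: str) -> None:
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (email, password))  # as typed
    salt = os.urandom(16)  # hardened: keep only a per-user salt and the derived hash
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, hash_password(password, salt)))

def login_vulnerable(conn, email: str, password: str) -> bool:
    # Untrusted input is spliced into the SQL text, so a quote character in the
    # input rewrites the WHERE clause: the bug class described in the quote above.
    sql = "SELECT email FROM users_plain WHERE email = '%s' AND password = '%s'" % (email, password)
    return conn.execute(sql).fetchone() is not None

def login_hardened(conn, email: str, password: str) -> bool:
    # Parameter binding keeps input as data, never SQL; the password is checked
    # against the stored hash with a constant-time comparison.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)

def demo() -> dict:
    conn = make_db()
    register(conn, "alice@example.com", "correct-horse")  # constructed account
    tautology = "x' OR '1'='1"  # input that makes the concatenated WHERE clause always true
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice@example.com", "correct-horse"),
        "vuln_injected": login_vulnerable(conn, tautology, tautology),
        "hard_good_creds": login_hardened(conn, "alice@example.com", "correct-horse"),
        "hard_injected": login_hardened(conn, tautology, tautology),
        "hard_wrong_pw": login_hardened(conn, "alice@example.com", "wrong"),
        "plaintext_on_disk": conn.execute("SELECT password FROM users_plain").fetchone()[0],
    }
```

Running `demo()` shows the concatenated query accepting the tautology input while the bound query rejects it, and the plaintext table exposing the password verbatim to anyone who can read the database.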

Indeed, that is unbelievable, particularly seeing as Sony has evidently had a target painted on its back for hackers since its PS3 legal action began.

After the PSN and Sony Online Entertainment hacks, you’d think the company would be taking time to go around tightening up all its online security. But no, apparently we have flimsy safeguards and passwords stored in plaintext…

Sony hasn’t provided a response yet, but we can expect a surge in online fraud with the many compromised people who use the same passwords for all their accounts.