Csonicgo

PSA: Lulzsec doing it for the Lulz; Identity Theft; Fraud


http://www.pcworld.com/businesscenter/article/230523/fraud_starts_after_lulzsec_group_releases_email_passwords.html

Basically this Lulzsec Hacktivist group has released a shitload of email passwords, and since morons use the same password for EVERYTHING, they've gotten into Amazon accounts. Watch it.

You can find if you were hacked by going here:

http://gizmodo.com/5812545/find-out-if-your-passwords-were-leaked-by-lulzsec-right-here

and put in your e-mail address.

These guys mean business. They're just random now. Choose passwords that are strong, for God's sake.


From what I understand so far, the majority of them are just skiddies who've made a name for themselves by using simple tools a 13 year old can use to hack into poorly secured websites. I think that the fact that they use twitter as one of their main forms of communication is proof of that. Also according to ED one of them already managed to get himself arrested so I wouldn't be surprised if a few others follow suit once authorities start giving a shit.

Csonicgo said:

Basically this Lulzsec Hacktivist group

They're not hacktivists because they're not activists. "Lulz" isn't a cause; to the contrary it's an empty word to mask their lack of a cause.


It may just be me, but there's no damn way I'm putting any of my email addresses into that search. Seems like if nothing I have has been hacked, just putting it into a search regarding hacked accounts will be hacked for the LULZ. Hack.

Getting sick of this shit now though. They're saying they're doing it to expose security flaws in systems, then putting up all the information they stole for all to view. I'm pretty sure if I turned off someone's security system, broke into their house, and stole everything I could grab with my chubby little nubbies and threw it in the street I wouldn't be hailed as a hero for exposing the security systems flaws.


I'm going to update my paypal, that's the only real thing they can fuck with. It looks like I'm ok, but I'm not fucking around. I'm going to come up with bat-shit insane passwords and write them down. I've used many passwords for close to a decade, so it's an eye opener to get my act together.

Jello said:

It may just be me, but there's no damn way I'm putting any of my email addresses into that search. Seems like if nothing I have has been hacked, just putting it into a search regarding hacked accounts will be hacked for the LULZ. Hack.



Pretty much the same here. I'm treating that search bar and my email address the same way I'd treat my cock and a meat grinder


I've changed PayPal, eBay and Facebook. Those are pretty much the only sources of information available on me that could be damaging. Changing passwords to internet forums isn't really a concern.

Jello said:

It may just be me, but there's no damn way I'm putting any of my email addresses into that search. Seems like if nothing I have has been hacked, just putting it into a search regarding hacked accounts will be hacked for the LULZ. Hack.

I would have thought it was obvious that your email doesn't get "hacked" by typing your email address into a website. That's what passwords are for.

fraggle said:

I would have thought it was obvious that your email doesn't get "hacked" by typing your email address into a website. That's what passwords are for.

So I shouldn't feel stupid in doing it?

fraggle said:

I would have thought it was obvious that your email doesn't get "hacked" by typing your email address into a website. That's what passwords are for.


Yes, I'm well aware my email doesn't get 'hacked' by putting it into a website. You know, aside from the possibility of spam. My concern would be that the hackers in question would see a site that scans email addresses to see if they've been compromised and think "Hey, we should get those email addresses and see what we can find, for the LULZ." May be a minor annoyance, and it may not happen. But this is the internet, and one should always wear a lead coated condom or two.

Csonicgo said:

and since morons use the same password for EVERYTHING

I know people like that. Most believe they're living examples of "security through obscurity" in that they're not public figures, celebrities or wealthy - therefore no-one's going to be bothered hacking their online accounts.

fraggle said:

I would have thought it was obvious that your email doesn't get "hacked" by typing your email address into a website.


No, but the most likely outcome of giving out your email is this:

Subject: RE: Information YOU requested!

Best prices for v1agra l3v1tr4 c4ll1s cl1k h34r fag0t 0l0l0l0l


or this:

LAGOS, NIGERIA.

ATTENTION: THE PRESIDENT/CEO

DEAR SIR,

CONFIDENTIAL BUSINESS PROPOSAL

HAVING CONSULTED WITH MY COLLEAGUES AND BASED ON THE INFORMATION GATHERED FROM THE NIGERIAN CHAMBERS OF COMMERCE AND INDUSTRY, I HAVE THE PRIVILEGE TO REQUEST FOR YOUR ASSISTANCE TO TRANSFER THE SUM OF $47,500,000.00 (FORTY SEVEN MILLION, FIVE HUNDRED THOUSAND UNITED STATES DOLLARS) INTO YOUR ACCOUNTS. THE ABOVE SUM RESULTED FROM AN OVER-INVOICED CONTRACT, EXECUTED COMMISSIONED AND PAID FOR ABOUT FIVE YEARS (5) AGO BY A FOREIGN CONTRACTOR. THIS ACTION WAS HOWEVER INTENTIONAL AND SINCE THEN THE FUND HAS BEEN IN A SUSPENSE ACCOUNT AT THE CENTRAL BANK OF NIGERIA APEX BANK.


Any questions?


What you can do: re-paginationize all 120 pages of the listing, then hit Ctrl-F and enter your email address in your browser's own in-page search widget.

If you don't trust this either, you can try Ctrl-A/Ctrl-C then Ctrl-V in some text editor.

If you think Notepad will send you spam too, I'm afraid I have no further solution to suggest.


My result was "Your information has not been released to the public."

Which either means they have my info and haven't released it, or just don't have it. This is making me paranoid, I might go change my passwords.


Well, it's quite easy to get hold of the whole listing itself (which I did). Most stuff seems aol garbage anyway, there are several "password" passwords, and I was glad to see that there were very few e-mail addresses from Europe or universities, and none personal or of my close relatives. Most of the stuff was hotmail/gmail/aol. Again, I think that any value such a list can have is profitability. Hacking into some university's underground lunix admin Pentium II server with Minix won't quite yield the same monetary rewards as hacking into the b0x of some bozo who buys accessories for his pet in shitville on faceshit or whatever.

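Two posts above describe handling the listing offline: searching a local copy for your own address instead of typing it into a third-party page, and eyeballing what the listing is made of (providers, "password" as a password). The following is an added example, not code from the thread or from any of the sites mentioned. The dump it parses is constructed for illustration and contains no real leaked data. It also goes one step beyond the thread: the prefix lookup at the end shows how a checker service can be queried without ever learning the full address (client hashes locally, sends only the first few hex characters, compares the returned candidates itself). The service side is simulated by a local function, and the five-character split point is an assumption.

```python
"""Offline handling of a leaked email:password listing (added example).

The dump below is CONSTRUCTED for illustration; none of these addresses or
passwords come from the real release. Shows:
  * the Ctrl-F approach: check an address against a listing you hold locally,
    plus a breakdown of providers and most common passwords;
  * a prefix (k-anonymity style) lookup, so a checker service only ever sees
    a short hash prefix, never the address. Service side is simulated here.
"""
from collections import Counter
import hashlib

CONSTRUCTED_DUMP = """\
alice@hotmail.com:password
bob@aol.com:letmein
carol@gmail.com:password
dave@aol.com:123456
erin@example.edu:correcthorse
frank@aol.com:password
"""

def parse_dump(text):
    """Yield (email, password) pairs; skips blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        yield email.strip().lower(), password

def summarize(text, top=3):
    """Breakdown of mail providers and most common passwords in the listing."""
    domains, passwords = Counter(), Counter()
    for email, password in parse_dump(text):
        domains[email.rsplit("@", 1)[-1]] += 1
        passwords[password] += 1
    return {"domains": domains.most_common(top),
            "passwords": passwords.most_common(top)}

def local_check(text, email):
    """The Ctrl-F approach: search the copy you hold; nothing leaves your machine."""
    email = email.strip().lower()
    return any(e == email for e, _ in parse_dump(text))

# ---- prefix (k-anonymity style) lookup ---------------------------------------
PREFIX_LEN = 5  # assumption: how many hex chars of the hash the client reveals

def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()

def build_index(text):
    """What the checker service would hold: SHA-1 hashes of the leaked emails."""
    return {sha1_hex(e) for e, _ in parse_dump(text)}

def service_range_query(index, prefix):
    """Simulated service side: every stored hash starting with `prefix`.
    The service sees only the prefix, never the address being checked."""
    return sorted(h for h in index if h.startswith(prefix))

def check_via_prefix(index, email):
    """Client side: hash locally, send only the prefix, compare suffixes locally.
    Returns True if the address is in the listing."""
    digest = sha1_hex(email.strip().lower())
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = service_range_query(index, prefix)
    return any(h[PREFIX_LEN:] == suffix for h in candidates)

if __name__ == "__main__":
    print(summarize(CONSTRUCTED_DUMP))
    idx = build_index(CONSTRUCTED_DUMP)
    for addr in ("carol@gmail.com", "nobody@example.org"):
        print(addr, local_check(CONSTRUCTED_DUMP, addr), check_via_prefix(idx, addr))
```

With a real listing you would pass the file contents to `summarize` and `local_check`; the prefix lookup matters only when the dump sits on someone else's server, which is exactly the situation the posters were uneasy about.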

Paypal is pretty much the only critical account I have, and even that isn't too bad since I have only my credit card there, and the credit card company is responsible for all misuses. Yay.

Nevertheless, it pisses me off that Paypal still hasn't got those secure keys worldwide. Why the fuck do so many companies/banks insist on using nothing more than a user name/static password-pair for securing your money?

Jodwin said:

Why the fuck do so many companies/banks insist on using nothing more than a user name/static password-pair for securing your money?


No matter how complex the encryption or authentication layers they use are, you, as a user, will always gain access through a username and a password, and that's all an attacker needs.

Those passwords were probably gathered through social engineering (those "verify your account" scams), dictionary attacks etc. so in the end it always boils down to two human-readable strings of text: a username and a password. And all that, without even attacking ANY of the actual hosting services themselves (which none said they did, BTW).

Think about it: just how complex would you tolerate a sign-in system to be? E.g. 1 username and 10 distinct passwords to be entered in the correct sequence? Three consecutive username-password pairs? The above, plus iris/fingerprint scans/hardware dongles/etc.?

Sure, those would be harder to give away by accident or because of being conned....but would you tolerate such a system for long? Most people would just use the same word for every field just out of frustration after a while!

Maes said:

No matter how complex the encryption or authentication layers they use are, you, as a user, will always gain access through a username and a password, and that's all an attacker needs.

Ever heard of TANs?

With TANs it doesn't matter if the hackers know your login or not, because they still can't log in since you and only you have the final authentication key on your person. And losing your TANs isn't a problem either unless you're a fucking idiot who writes his online banking login on the same paper/plastic card where your TANs are.

Jodwin said:

Ever heard of TANs?

However, as any TAN can be used for any transaction, TANs are still prone to phishing attacks where the victim is tricked into providing both password/PIN and one or several TANs. Further, they provide no protection against man-in-the-middle attacks where an attacker intercepts the transmission of the TAN and uses it for a forged transaction. Especially when the client system should become compromised by some form of malware that enables a malicious user, the possibility of an unauthorized transaction is high. It should be noticed that the remaining TANs remain uncompromised and can be used safely, even though action should be taken by the user as soon as possible.


Yeah, so in the end it's again one string (your username/password) and another string (one of your TANs). Any questions?

Maes said:

Yeah, so in the end it's again one string (your username/password) and another string (one of your TANs). Any questions?

The main concern was someone stealing your password and you being stupid enough to use it everywhere, from which TANs protect you perfectly. Now if you're a stupid fucking idiot enough to reply to a spam e-mail in your spam-box that asks you to write all 50 of your TANs then you deserve all you're going to get.

Btw, my bank issues TAN cards with 90 keys, each with a single use AND they are selected randomly at the time of use. So go ahead, phish that.

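The exchange above argues about what an indexed TAN card (single-use TANs, random index chosen by the bank at transaction time) does and does not protect against. The following is an added example, not code from the thread or from any bank: a minimal bank-side model of that scheme. It shows the two things both sides are right about: a stolen password plus a TAN phished for some other index is rejected and a used TAN cannot be replayed, but because the TAN is not bound to the transaction contents, a man-in-the-middle who relays the real challenge to the victim can submit a forged transaction with the victim's answer, which is the gap the quoted paragraph describes. Card size, TAN format, the constructed demo card and the transaction dict are assumptions.

```python
"""Indexed TAN (iTAN) authorization model (added example, not from the thread).

A card of single-use TANs; for each transaction the bank picks a random unused
index and the customer must answer with the TAN at that index.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

CARD_SIZE = 90  # assumption, matching the 90-key card mentioned in the thread

def issue_card(size=CARD_SIZE):
    """Bank-side: a fresh card of `size` random six-digit TANs."""
    return [f"{secrets.randbelow(10**6):06d}" for _ in range(size)]

# Constructed, deterministic card for the demo (all 90 values are distinct).
DEMO_CARD = [f"{(i * 7919) % 10**6:06d}" for i in range(1, CARD_SIZE + 1)]

@dataclass
class TanAccount:
    password: str
    card: list
    used: set = field(default_factory=set)
    pending: Optional[int] = None   # index challenged for the current transaction

    def login(self, password):
        return secrets.compare_digest(self.password, password)

    def challenge(self):
        """Pick a random UNUSED index; returns the 1-based number printed on the card."""
        unused = [i for i in range(len(self.card)) if i not in self.used]
        if not unused:
            raise RuntimeError("card exhausted; issue a new one")
        self.pending = secrets.choice(unused)
        return self.pending + 1

    def authorize(self, transaction, tan):
        """Accept iff `tan` is the TAN at the challenged index. `transaction` is
        deliberately NOT part of the check: that is what a MitM exploits.
        A real bank would also lock the card after a few failures."""
        if self.pending is None:
            return False
        ok = secrets.compare_digest(self.card[self.pending], tan)
        if ok:
            self.used.add(self.pending)   # single use
        self.pending = None               # one attempt per challenge
        return ok

def demo():
    """Returns (phished_other_index_rejected, legit_ok, replay_rejected, mitm_forgery_accepted)."""
    acct = TanAccount(password="hunter2", card=list(DEMO_CARD))
    assert acct.login("hunter2")          # attacker has the reused password...
    # 1. ...but a TAN phished from some OTHER index is useless: the bank asked
    #    for index n, the attacker holds index n+1 (1 in 90 chance of guessing).
    n = acct.challenge()
    phished = acct.card[n % CARD_SIZE]    # index n (0-based) is not the pending one
    rejected = not acct.authorize({"to": "attacker", "amount": 5000}, phished)
    # 2. Legitimate use: the right TAN works once...
    n = acct.challenge()
    legit_ok = acct.authorize({"to": "landlord", "amount": 800}, acct.card[n - 1])
    # ...and cannot be replayed: its index is marked used and never challenged again.
    acct.challenge()
    replay_rejected = not acct.authorize({"to": "attacker", "amount": 800}, acct.card[n - 1])
    # 3. MitM: attacker sits in the session, relays the bank's real challenge to
    #    the victim, gets the correct TAN, and submits a different transaction.
    n3 = acct.challenge()
    victim_answer = acct.card[n3 - 1]
    forgery_accepted = acct.authorize({"to": "attacker", "amount": 5000}, victim_answer)
    return rejected, legit_ok, replay_rejected, forgery_accepted

if __name__ == "__main__":
    print(demo())   # expected: (True, True, True, True)
```

The last value is the point: nothing in `authorize` ties the TAN to the payee or amount, so the scheme stops credential reuse and replay but not an attacker who is inside the live session.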
Jodwin said:

Now if you're a stupid fucking idiot enough to reply to a spam e-mail in your spam-box that asks you to write all 50 of your TANs then you deserve all you're going to get.


That's exactly what social engineering is all about, and that's how the staggering majority of these username/password pairs were obtained. No ub3r-1337 h4x0r1ng skillz into NSA-secured bunkers were required. And yeah, I do believe there are people gullible enough to give up all of their 50 or 90 or 100 TANs, so once again, we come to my initial point: no matter how many additional tiers of security you add, as long as they can be given up through social engineering, it's useless.

If that wasn't an actual concern, then username + password would be enough. I suggest that you read The Art of Deception: Controlling the Human Element of Security for a much better taken stance on the argument.

OK, there are some blatant cases (like Sony's recent fiasco) where the sensitive information was obtained by attacking a centralized source, but really, how much of the total security leaks do such cases account for? Hackers/crackers will go through the path of least resistance, and more often than not, this is the final user.

Maes said:

That's exactly what social engineering is all about, and that's how the staggering majority of these username/password pairs were obtained. No ub3r-1337 h4x0r1ng skillz into NSA-secured bunkers were required. And yeah, I do believe there are people gullible enough to give up all of their 50 or 90 or 100 TANs, so once again, we come to my initial point: no matter how many additional tiers of security you add, as long as they can be given up through social engineering, it's useless.

If that wasn't an actual concern, then username + password would be enough. I suggest that you read The Art of Deception: Controlling the Human Element of Security for a much better taken stance on the argument.

OK, there are some blatant cases (like Sony's recent fiasco) where the sensitive information was obtained by attacking a centralized source, but really, how much of the total security leaks do such cases account for? Hackers/crackers will go through the path of least resistance, and more often than not, this is the final user.

So all of the email/password pairs from this topic's hacking were just social engineered? Yeah right:

Article linked in the first post said:

It's not clear where all of the Lulzsec e-mail addresses and passwords came from. At least 12,000 of them, including Crowell's, were gathered from Writerspace.com, a discussion forum for readers and writers of mystery and romance novels. The site's technical staff is trying to figure out how they were stolen and is in the process of contacting victims, said Writerspace owner Cissy Hartley.

But whatever, you're free to live in a dream world where all of your personal information will be perfectly safe forever unless you reply to the Nigerian princes.

Jodwin said:

So all of the email/password pairs from this topic's hacking were just social engineered? Yeah right:


Some of them. You never received an "ALERT: VERIFY YOUR HOTMAIL ACCOUNT" phishing scam? These have been going on strong for almost a decade. Just statistically speaking, they must have collected tens or hundreds of thousands of usable data.

And adding additional layers/tiers of security will only foil scammers or attackers that are unaware of them. E.g. if some dumb mugger just stole your debit card without knowing that these things need PINs to be used, then yeah, that would stop any further damage right there and then. If he DOES know it (like he'll realistically do) he'll try to coerce/find the PIN too.

If stealing or coercing credentials was not possible at all, then even a unique identifier would suffice (the so-called "prohibitionist drinking house security model", where illegal patrons would gain access just with a -supposedly secret- code word).


Well, that's boring. Even the fake account I use to sign up for shady things hasn't been compromised. Apparently I either sign up for websites with decent security or websites they haven't decided to poke at yet.


The dumb thing about Lulzsec is that they are going after companies that are picking on the consumers or whatever. Then after hacking said companies, the first thing they do is RELEASE ALL THE PERSONAL INFORMATION STORED BY THOSE COMPANIES. Wow, way to help out your fellow man, there.

GreyGhost said:

I know people like that. Most believe they're living examples of "security through obscurity" in that they're not public figures, celebrities or wealthy - therefore no-one's going to be bothered hacking their online accounts.

I pretty much use 2-3 passwords and variations thereof, just because I'm too dumb to remember anything else. It usually takes me about 10 minutes to cycle through all my variations when I forget which one I used, anyway. I used to keep a list, but people told me that was a bad idea.


I filled two 8 1/2 x 11 sheets of paper with randomly generated passwords before I started using LastPass, the password to which I made extra long and used every type of character I could.

Just to be safe over this LulzSec stuff, I just changed my Facebook and Gmail. I checked mine in the Gizmodo thing, I'm not too worried about it. If they say they don't store my query I trust them.
