LulzSec hacks US Senate
Bethesda also bashed in latest attack
Hacker trickster group LulzSec is baiting US lawmakers with its latest attack on the US Senate.
The hacking group posted what security experts Sophos characterised as "basic information on the filesystems, user logins and the Apache web server config files" of the Senate website on Wednesday morning.
The group also posted a directory listing in a post that ends with a brazen taunt to US authorities, referencing proposals by the Obama administration to make hacking critical infrastructure systems an act of war.
"This is a small, just-for-kicks release of some internal data from Senate.gov - is this an act of war, gentlemen? Problem?"
Under existing US computer crime law (specifically the Computer Fraud and Abuse Act) the hack might be punishable upon indictment and conviction by up to five years' imprisonment.
Lulz Security (LulzSec) has emerged from obscurity over recent weeks with attacks against PBS (over its documentary on Wikileaks), Sony and FBI-affiliated security organisations, among others. The group had a busy day on Monday: as well as stirring a potential hornet's nest in the Senate, it also leaked potentially sensitive data about video gaming outfit Bethesda Softworks, the firm behind Quake and Doom.
The cracktivists posted what appears to be source code and database passwords of Bethesda Softworks, a subsidiary of ZeniMax Media, onto Pastebin. LulzSec claims to have obtained the information and more after finding holes in Bethesda's systems while running a denial of service attack two months ago.
LulzSec, which claims to be fans of Bethesda, claimed to have data on more than 200,000 registered users of the game Brink. These claims remain unverified.
"We're going to release lots of Bethesda/ZeniMax data today - however we might not release their 200,000+ users as we love Call of Cthulhu," the group said via Twitter. "Bethesda, we broke into your site over two months ago. We've had all of your Brink users for weeks. Please fix your junk, thanks! ^_^"
LulzSec said it had resisted the temptation to release data on Brink users so as not to distract Bethesda from work on its forthcoming fantasy epic Skyrim.
The motives of the attack remain unclear, though pure mischief and perhaps hacking bragging rights seem to be part of the mix. ®
@John G Imrie
You're likening Lulzsec to Rosa Parks? Seriously?
For a start, and this is just a start, what Rosa Parks did was peaceful and didn't involve breaking into anything, threatening anyone or generally affecting anyone who wasn't involved in racist segregation. Lulzsec put innocent people's personal information onto the internet, break into and deface web sites and threaten the owners of said sites, all because they don't like being told that they're not allowed to hack/download for free/whatever else it is today.
It's not comparable. It's just not.
"Master password"? So you're saying that you use the same password for your online banking as for some random blog you want to post a comment to? Nice.
Password re-use is bad practice but you should do some damage assessment should it be compromised. If, by getting your forums password all they can do is troll on some other forums/blog comments, then that wouldn't be of my concern. If on the other hand they could access my primary email or bank account or anything else that is important...
"The thing is I shouldn't need to."
No, you shouldn't. Sites which force users to log in with credentials should take the correct measures to protect that data. I completely agree with you on one aspect of this - you are an innocent third party but you bear a significant burden as the result of lazy, tight-fisted and incompetent systems owners.
In some respects you should be pleased that the LulzSec losers did this - if it had been more malicious parties, you wouldn't even know you needed to change all your passwords so you would be surfing away in blithe innocence while your data was compromised.
If that bothers you less than the fact LulzSec hacked a site and told the world, then don't bother to change your passwords - it can't be that important to you.
The reality is companies of all sizes are cutting corners and saving money by not spending on security. When the hack happens they keep it quiet for as long as possible before saying it is all the eebul hackers' fault. They don't admit to scrimping £50k on an IPS etc, instead it is down to the users, customers etc to bear some of the pain that they have effectively profited from.
Yes, what LulzSec et al do is wrong, but on the great continuum of wrong, it's not very wrong.