Bored script kiddies?
Or just vindictive nerds?
The latest victim of a large scale attack is Sega Corp, which has admitted that security of its Sega Pass website database in Europe had been compromised. The personal information on all of its 1,290,755 registered users has been stolen. Sega sent an email on Friday alerting the affected users, who are mostly based in Europe …
If the Pentagon, Mossad and CIA can't secure themselves, what hope does a commercial enterprise have?
It doesn't matter what operating system or security software you run; given enough time they'll break in. It doesn't matter how many published vulnerabilities there are; new vulnerabilities can always be found.
If MacOS, Unix, Linux or a completely unique operating system was any better against focused attacks don't you think those with unlimited funds and allegiances only to their own organization would be using them?
The only preventative is tracking the black hats down and locking them up while they are in the conspiring and experimental stage.
Snowy got voted down, but I see an interesting angle here. Storing all information in a database in an encrypted format piques my curiosity.
I suspect a minor misunderstanding here when speaking of encrypted passwords. These are actually hashed, which is a one-way operation. In doing so, the hashed password is (theoretically) unobtainable. The hashing is generally done using something like MD5 (which has an online rainbow table) or SHA1, both better when salted.
You cannot simply hash user details as these must be retrievable.
Given this, it might not be overly far-fetched to use a secondary system, which is not directly accessible via Internet or query, to process a put-fetch request from a web application, acting as a front-end to encrypted database information. Maybe even within the database application itself -- I admit that I do not know if any encryption facilities exist in available database engines.
Nonetheless, the problem remains of spoofing a valid query and/or the identification of the original web application. As I sit here writing this out, the scenario continues to expand in my mind into an ever more complex array of applications, networks, engines, and keys. Somewhere within this complexity may just exist a simple solution.
The simplest solution may be to properly sanitize user-provided values, whether PUT, GET, or in a cookie. On the surface, anyway. Perhaps sanitizing at the database engine, rejecting any query which follows a bad query, such as an incomplete or insane query, or use of a kind-of query sequencing.
In short, I do not think Snowy's notion is dunce-worthy, just potentially impractical at this time. Though I suspect there are much smarter people than I pursuing this very goal.
Paris, she probably does it for the lulz, too.
With encrypted passwords, you re-encrypt each password attempt and see if it matches the existing encrypted key. Nobody but the user ever needs to know the password.
With the rest of the account information that little trick doesn't work, because you need to know the information for billing, delivery, etc.
So you then need to store the encryption keys, and if they can get the data, they can get the decryption keys.
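The two comments above describe the same mechanism: a password is never stored, only a (salted) one-way hash of it, and a login attempt is checked by hashing the attempt the same way and comparing. The following is an added example written for this page, not code from any commenter or from Sega; it shows why an unsalted MD5 is effectively a lookup key against an online table (the table here is a constructed four-entry stand-in), and how a per-user random salt with a slow hash defeats that. It uses PBKDF2-HMAC-SHA256 from the standard library as the salted hash, a modern choice made here rather than the salted MD5/SHA1 the comment mentions; the storage format string is an assumption for illustration. The retrievable account data problem (billing, delivery) is not solved by any of this, as the second comment says.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an online MD5 lookup/rainbow table: a few common
# passwords mapped from their unsalted MD5 digest. Real services hold billions
# of rows; the point is that an unsalted hash is just a dictionary key.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def crack_unsalted_md5(digest_hex):
    """Reverse an unsalted MD5 by table lookup; None if not in the table."""
    return MD5_LOOKUP.get(digest_hex.lower())


def hash_password(password, salt=None, iterations=200_000):
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh 16-byte random salt per user means two users with the same
    password get different records, so no precomputed table applies.
    The record format is an assumption for this example.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, attempt):
    """Re-derive the hash of the attempt with the stored salt and compare.

    The plaintext password is never stored; hmac.compare_digest avoids a
    timing side channel on the comparison.
    """
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), salt, int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def salted_records_differ(password):
    """Hashing the same password twice yields different records (different salts)."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    leaked = hashlib.md5(b"password").hexdigest()
    print("unsalted MD5", leaked, "->", crack_unsalted_md5(leaked))
    record = hash_password("password")
    print("salted record", record)
    print("login ok?", verify_password(record, "password"))
    print("wrong password ok?", verify_password(record, "passw0rd"))
```

Dumping the salted records still lets an attacker guess offline, but each guess must be re-run per user at the full iteration cost instead of being a single table lookup.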
The use of 'Kiddies' seems to be an attempt in hoping that they will go away as they'll get bored and that it's just a bunch of disaffected teenagers. I'm not sure that those hopes will be met.
If they are just 'Kiddies' then they may well be a lot more savvy than the apparent grown-ups who post here. The 'kiddies' thing has become more of a wailing plea rather than denigration; the desperation is showing in some voices. It may well be coming from many who are not really interested that they might have lost personal data but are so hooked on the online experience that it's all they really care about.
Now that Sega has been got at, it's about time those voices that assume it's a bunch of yoofs got real - it takes a little bit more than a few 'kids' to break into the servers.
It's not going to go away once dismissed as being 'stupid boys'.
It looks like it's time the adults grew up (again, and again and again) and if it just is kids after all -- be very, very afraid.
Whoever they are I'm pretty sure they're lapping up the free advertising and publicity the media are giving them by announcing their name.
IMHO the names of those responsible and their motives should never be published, denying them their "jolt of satisfaction" or at least notoriety.
Whoever they are, kids or pros, they're still just pathetic bullies causing trouble because they can. Yes, it does highlight the utter incompetence of the biggest names' attempts at cyber security, but it's still no more than online happy slapping.
What an utter bunch of hypocrites LulzSec are. They merrily hack a bunch of targets, and that's OK, 'cuz it's 'for the lulz', but when someone else hacks a company they like, they're 'going down'. I mean, obviously twats like these don't have much of a moral compass in the first place, but that's some f*cked up logic right there.
... rise to the bait, but ...
These Lulz kids really are a bunch of F*cking Retards. What the f*ck do they teach in schools these days? Anything?
( ... and yes, I know that once you use the 'F' word you lose the argument, but what the hell. It made me feel better, momentarily)
"The group claims that its havoc-chasing is just a natural phenomenon to emerge out of the internet generation which is “attracted to fast-changing scenarios, we can't stand repetitiveness, and we want our shot of entertainment or we just go and browse something else, like an unimpressed zombie.”"
Text book definition of psychopaths.