back to article 1 MILLION accounts leaked in megahack on banks, websites

Hacker collective Team GhostShell leaked a cache of more than one million user account records from 100 websites over the weekend. The group, which is affiliated with hacktivists Anonymous, claimed they broke into databases maintained by banks, US government agencies and consultancy firms to leak passwords and documents. Some …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    THE MOST BASIC FORM OF MIND CONTROL IS REPETITION

    http://vimeo.com/9532613

    1. RICHTO
      Mushroom

      Re: THE MOST BASIC FORM OF MIND CONTROL IS REPETITION

      Usual Open Source Swiss Cheese. All the urls have .PHP = LAMP stack being used.

      1. Destroy All Monsters Silver badge
        Trollface

        Re: THE MOST BASIC FORM OF MIND CONTROL IS REPETITION

        LAMP stack being used.

        You have mighty though possibly hasty access to reality-based truthiness, oh wise one. Might one inquire about how you obtain your amazing knowledge about the operating system, webserver and database used?

      2. Comments are attributed to your handle
        Facepalm

        Re: THE MOST BASIC FORM OF MIND CONTROL IS REPETITION

        Hey, that's the same extension as a PHP script on a WAMP stack! This must mean they're actually using a WLAMP stack!

        1. tomban
          Joke

          Re: THE MOST BASIC FORM OF MIND CONTROL IS REPETITION

          Na, they got bullied into submission, therefore it's a WIMP stack!

  2. Rick Giles
    Pirate

    Apoplectic

    Sweet Jesus, I figured El Reg would get it right, but noooo.... It is Cracker not Hacker. Just like they don't call them safe hackers. Be a trend setter by doing something right.

    As for the CRACKERS, they aren't really hurting banks in so much as they think, if they are leaking the banks customer info. That hurt s the average person that they should be helping to protect from the banks. If they want to do some good they need to expose the banks for the scam they are.

    1. Anonymous Coward
      Anonymous Coward

      Re: Apoplectic

      "Sweet Jesus, I figured El Reg would get it right, but noooo.... It is Cracker not Hacker. Just like they don't call them safe hackers. Be a trend setter by doing something right."

      Nope, they used SQL injection so the correct term is "script kiddies". This requires almost no skill on the part of the attacker, and confirms no skill on the part of the web developer.

      1. Rick Giles
        Linux

        Re: Apoplectic

        True.

        Now change my down vote using your scripts.

        1. Lusty

          Re: Apoplectic

          Are you implying that El Reg have SQL Injection vulnerabilities in their code?

          1. Yet Another Anonymous coward Silver badge

            Re: Apoplectic

            >Are you implying that El Reg have SQL Injection vulnerabilities in their code?

            No, el'reg runs on DBase II, dos batch files and a self aware BBC micro

      2. djack

        Re: Apoplectic

        Simply using a SQL injection infers very little skill on behalf of the attacker, true.

        However actually discovering the hole and performing the analysis in order to make it exploitable can be a task ranging from the nearly trivial to down-right infernal. Once you have done that, using SQLmap to slurp up all of the data is straight-forward.

        1. ed2020
          Thumb Down

          @djack

          Implies, not infers! It's not difficult.

      3. This post has been deleted by its author

    2. Comments are attributed to your handle
      Megaphone

      Re: Apoplectic

      That battle was lost years ago. Please move on, Rick.

  3. Turtle

    Oh good work.

    "Team GhostShell said the online leaks, which are part of its Project Hellfire campaign, were made in order to increase support for cops and government agents who want to enforce stricter police measures on the internet."

    Right.

    “All aboard the Smoke & Flames Train, Last stop, the penitentiary!" Team GhostShell wrote. "Two more projects are still scheduled for this fall and winter. It's the beginning of the end for us!"

    Don't you just know it.

  4. Anonymous Coward
    Anonymous Coward

    "security biz Imperva" have analysed the attacks, so why is there nothing mentioning any named organisation!

    "banks, US government agencies and consultancy firms" - so WHICH banks, agencies and consultancies.

    Or is John Leydon to lazy to do some investigative work and is simply copying and pasting an article from somewhere else!

  5. mike acker

    SQL Injection

    SQL Injection is an old, known attack. the defense is (1) use only stored procedures and (2) sanitize input data.

    getting hacked via SQL Injection is simple negligence on the part of the system operations staff. they should incur the $$$ liability for this.

    1. Anonymous Coward
      Anonymous Coward

      @mike acker: Re: SQL Injection

      I don't know anything about this subject and so I don't really know if you are right or wrong. But I agree that there has got to be some kind of monetary liability in order to encourage companies and their IT departments to take sufficiently good care of their customers' data.

    2. john 112

      Re: SQL Injection

      unless your organization is retarded and has outlawed stored procedures.

    3. djack

      Re: SQL Injection

      Nope. Stored procedures can be vulnerable to injection attacks themselves. The solution is the use of parametrised queries (even within stored procedures). That way the server has no doubts over what is data and what is code.

      1. Captain Obvious
        Thumb Up

        Re: SQL Injection

        You are the only one seems to get it! Stored procedures STILL can be vulnerable to SQL Injection. It is ALL about checking the input!!!!

      2. Anonymous Coward
        Anonymous Coward

        Re: SQL Injection

        correct - if they're using PHP prepared statements are usually the way to go... that way the data is just read as "data"...

    4. wheelybird
      WTF?

      Re: SQL Injection

      Hey. Why are you blaming the systems operators? The blame here goes to the developers and management for not hiring whitehat pen testers. Systems staff rarely get a say in which software they run on their systems.

    5. Crisp
      Coat

      Re: SQL Injection

      Who doesn't sanitise their input data?;GO;DROP TABLE Users;GO;

      1. O RLY

        Re: SQL Injection

        obligatory XKCD

        http://xkcd.com/327/

  6. frank ly
    WTF?

    Again, the SQL injection attacks!

    How long has this been known of and standard measures to protect been available? - Years!

    WTF are these organisations doing with their IT budgets?

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Again, the SQL injection attacks!

      Buying iPads because their upper management has decided they need some new shiny?

    3. Anonymous Coward
      Anonymous Coward

      WTF are these organisations doing with their IT budgets?

      Many of them have funded both sides of major wars.

    4. OsamaBinLogin
      Holmes

      Re: Again, the SQL injection attacks!

      Laying off programmers so they can add another wing to their McMansions.

    5. Fatman
      FAIL

      Re: Again, the SQL injection attacks!

      Q: WTF are these organisations doing with their IT budgets?

      A: Probably paying out millions in executive bonuses; and shit for developers.

      WTF else is new?

    6. Michael Wojcik Silver badge

      Re: Again, the SQL injection attacks!

      How long has this been known of and standard measures to protect been available? - Years!

      Yes. SQL injection attacks became a common topic around 2001, and they were discussed before that, though they weren't prominent.[1] An example of an earlier discussion is Bugtraq BID 994 / Microsoft MS00-010 (February 2000), "Site Server Commerce Edition non-validated SQL inputs". The Bugtraq discussion describes modifying a URL to inject an additional subquery into a query, and includes the comment "I know this is possible on a number of large commercial sites".

      So we have a decade of widespread discussion, starting with a documented vulnerability and exploit for a Microsoft product (acknowledged by the vendor). There's absolutely no excuse for any organization of any size to be unaware of the problem.

      WTF are these organisations doing with their IT budgets?

      Well, they're clearly not buying their developers copies of The n Deadly Sins of Software Security[2], which does an excellent job of explaining this and other common vulnerabilities, how to find them in existing code, and how to remedy them. (There are other good books, but Deadly Sins is concise, clear and inexpensive.) I think it should be required reading for every professional programmer who works with any of the technologies it covers - which is pretty much everything outside some specialized domains.

      [1] RFP's paper on SQL injection was published in 2001. An example of a slightly earlier text in the field that doesn't mention SQL injection is A Complete Hacker's Handbook, published in 2000.

      [2] Where n is a value between 19 and 24, depending on which edition you buy.

  7. This post has been deleted by its author

  8. This post has been deleted by its author

  9. Ru
    Meh

    "affiliated with hacktivists Anonymous"

    Isn't almost everybody, these days?

    Honestly, what is this supposed to mean? "We don't know who they are, so they're clearly Anonymous, lol". Its like every terrorist group mentioned on the news having "links with al Quaida".

    1. Anonymous Coward
      Anonymous Coward

      Re: "affiliated with hacktivists Anonymous"

      IT'S TIME FOR A NEW BOGEYMAN ANYWAY

      The media could call them the Penis Disturbers; rumoured to remove your foreskin or if you dont have one they put some other guys on you. its all true.

    2. OsamaBinLogin
      Devil

      Re: "affiliated with hacktivists Anonymous"

      You see, terrorists and cr/hackers need to trademark their names; that way, if some loudmouth in Iraq declares he's a leader of Al Qaeda, the real Al Qaeda can sue him.

  10. ByeLaw101
    WTF?

    Hmph!

    "Team GhostShell said the online leaks, which are part of its Project Hellfire campaign, were made in protest against banks and in revenge for the rounding up of hacktivists by cops and government agents."

    So to get their revenge, they stole a million innocents people private data... cause that will only hurt the banks right?

  11. Anonymous Coward
    Anonymous Coward

    The developers of the compromised systems - dicks.

    Any pen-testers who worked on said systems - dicks.

    The fools who compromised said systems and subsequently plaster user data everywhere - prize dicks.

    Team GhostShell? This lot, l33t haxors? Don't make me laugh. Team Teen Penis morelike.

    1. Oliver Mayes

      I wouldn't blame the testers, they probably reported the vulnerabilities that they found and were ignored by the managers who saw the cost to close the holes.

      1. Anonymous Coward
        Anonymous Coward

        @Oviver

        Re: Pen testers

        You could be right, they may have reported vulnerabilities - in which case I would retract that one. But my comment was about pen testers was based on personal experience of 'reputable' London based companies. Sometimes they are not quite as good as they claim to be, even when they come with price tags of £10k's for small jobs. You may be surprised (or not) how many times I have seen costly invoices from pen testers for a report that simply dishes out recommendations in cases where no issues were found to exist, and yet gaping holes that should have been found never were.

        So I suppose my experience is that a large outlay does not necessarily buy decent pen testers - even where they do have a good reputation.

  12. Beachrider

    Doing Homeland Securit today, eh?

    Place banks in a financial-attack column, but Homeland Security's website is different.

    Hurricane victims TODAY and TOMORROW will be using HS's facilities. I hope that they get in.

    How does Anon not see that they would cause problems for victims like that?

    1. Anonymous Coward
      Anonymous Coward

      Re: Doing Homeland Securit today, eh?

      "How does Anon not see that they would cause problems for victims like that?"

      They are either - not without exception though - too stupid, or they simply don't care. I would guess it's generally a bit of both tinged with other excesses of youth.

      It's obvious by the actions of Anon and this bunch that ethics, morals, standards etc. are sorely lacking in their little lives. No doubt, there is some 'talent' out there in these groups. It's just a crying shame that the talented minority can't disengage from the lulz and the kewlz and do something productive.

    2. Destroy All Monsters Silver badge
      Big Brother

      Re: Doing Homeland Securit today, eh?

      "Hurricane victims TODAY and TOMORROW will be using HS's facilities."

      Because it's a good idea to amalgamate the guys fingering and checking your laptop under threat of an MP5 and the ones rescuing you when nature acts up.

      EVEN MORE DICKS.

  13. tkioz
    FAIL

    I'm sorry but "hacking" (not that this is hacking/cracking... bloody script kiddies) as a form of protest against "Big Brother" retaining private information and then releasing it is about as effective as fornicating for virginity.

    1. Piro

      Whatever it is

      To be honest, the fact that some of the data was obtained in an easy way is even better, it makes the point about how lousy security is in the real world.

    2. Anonymous Coward
      Anonymous Coward

      ----

      "fornicating for virginity"

      Well maybe so, but it _could_ be worth trying.

  14. Anonymous Coward
    Anonymous Coward

    Paged through some of the leaks a bit. I'm sure there's some sensitive info there but I didn't see anything earth shattering. It looks more like they found 100 random sites that were hackable and leaked some of their data of mixed importance. Sounded like a much bigger deal at first. I like how they started out with "CIA Services" in pastebin. That's not the same CIA you're thinking of.

  15. Anonymous Coward
    Holmes

    School of Meaningless "Statistics"

    "Some of the breached databases each contained more than 30,000 records."

    1. Pascal Monett Silver badge

      Seems to me that the "statistic" itself is proper reporting. What would be meaningless would be any conclusion derived from that figure.

  16. Joerg
    FAIL

    All these hacking groups are just a cover up for something else, obviously

    Either they are competitors or organized criminals or secret agencies.

    That is who really is behind all the hacking against corporations, banks, government servers.

    Then the population really believes that these groups would be 12 to 18 years old "genius hackers"...

    How gullible people are nowadays.

    1. Anonymous Coward
      Stop

      Re: All these hacking groups are just a cover up for something else, obviously

      "Then the population really believes that these groups would be 12 to 18 years old "genius hackers"...

      How gullible people are nowadays."

      I don't think anyone in their right mind would consider anyone perpetrating a SQL injection attack as a 'genius'. As for ages, some recent 'hacker' arrests:

      Raynaldo Rivera, 20

      Ryan Cleary, 19

      Jake Davis, 18

      Ryan Ackroyd, 25

      Unnamed, 17

      Unnamed UK schooboy, 16

      Greek national, 16

      Greek national, 17

      Greek national, 18

      The list goes on and on... and on. So, plenty of teens.

  17. Bradley Hardleigh-Hadderchance
    Headmaster

    @ Comments are attributed to your handle....

    When you say:

    And I quote your post here:

    --------------------------------------------

    Re: Apoplectic

    That battle was lost years ago. Please move on, Rick.

    ------------------------------------------------------------------------------

    You weren't referring to this, were you?

    ---------------------------------------------------------------------------

    We're no strangers to love

    You know the rules and so do I

    A full commitment's what I'm thinking of

    You wouldn't get this from any other guy

    I just wanna tell you how I'm feeling

    Gotta make you understand

    CHORUS

    Never gonna give you up,

    Never gonna let you down

    Never gonna run around and desert you

    Never gonna make you cry,

    Never gonna say goodbye

    Never gonna tell a lie and hurt you

    We've known each other for so long

    Your heart's been aching but you're too shy to say it

    Inside we both know what's been going on

    We know the game and we're gonna play it

    And if you ask me how I'm feeling

    Don't tell me you're too blind to see (CHORUS)

    CHORUSCHORUS

    (Ooh give you up)

    (Ooh give you up)

    (Ooh) never gonna give, never gonna give

    (give you up)

    (Ooh) never gonna give, never gonna give

    (give you up)

    We've known each other for so long

    Your heart's been aching but you're too shy to say it

    Inside we both know what's been going on

    We know the game and we're gonna play it

    ---------------------------------------------------------------------

    If you were old chap, couldn't agree more.

    1. Adze

      Re: @ Comments are attributed to your handle....

      Textual Rick Rolling, wish I'd thought of that, I read almost to the chorus before I realised what it was - I doff my cap to you sir!

      1. Bradley Hardleigh-Hadderchance
        Holmes

        Re: @ Comments are attributed to your handle....

        NO. They can't ban us for that!

        That's one form of freedom we have left.

        <james bond>

        For now....

        </james bond>

  18. Anonymous Coward
    Anonymous Coward

    Payback will be Hell

    I can imagine the prison sentences these hackers are going to enjoy for this hack.

    1. Pascal Monett Silver badge

      Indeed.

      "It's only the beginning" of the FBI hunt for your sorry collars.

      And they will be felt, little ones, they will be. Nobody attacks the banks, boys. Not even the government.

  19. heyrick Silver badge

    Um... hang on...

    Isn't El Reg supposed to be above the likes of The Daily Mail?

    How about we start with a list of compromised (or suspected compromised) banks, so we can know if we ought to start shouting, or to leave it to somebody else?

  20. dlc.usa
    Boffin

    Am I The Ony Person Around Here...

    ...who continues to marvel how clearly John Brunner was looking into the future when he wrote "The Shockwave Rider" that was copyrighted in 1975?

    1. Bradley Hardleigh-Hadderchance

      Re: Am I The Ony Person Around Here...

      Er. Yes, I think you are.

      Still I will look it up just to humour you and secondly check that you are not mad.

      If I don't get back by the morning, Lock all the doors.

    2. Destroy All Monsters Silver badge
      Trollface

      Re: Am I The Ony Person Around Here...

      > copyrighted in 1975

      Downloading now.

  21. TheGentlemanHacker
    Devil

    Teach every developer to use SLQMap...

    and smash the site in at preproduction.

  22. TheGentlemanHacker
    Trollface

    who gives a sh*t what it's called

    Did they get in ? did they steal data?

    this is getting out of hand like music genres.

    1. Bradley Hardleigh-Hadderchance

      Re: who gives a sh*t what it's called

      No, unfortunately they also have a bad sense of humour.

      They stole STOCK, AITKEN, UNT WATERMAN'S master tapes.

      Unfortunate Aliens on another planet shall be rick-rolled. It shall be several centuries before they learn the technique of text-rolling. All that wil happen is another civilisation shall fall into decline. No good shall be served.

      SAW's record sales shall go up. Rick shall date even more preposterously beautiful girls We shall be so jealous, some of us develop congenital diseases....

      Life shall go on.

      And when I wake up in the morning, I shall be greeted by this insanity before my yearning for bacon or even eggs:

      Never gonna give you up (hipswing)

      Never gonna let you down (hips other way)

      I pray the rest of my species do not befall my fate.

      (Ripley - Alien 2012)

      There is only one thing left to do. And you know what I all mean.

      This is what makes me proud to be human.

  23. toadwarrior

    This why we need to punish companies (not the developers) that released shit code.

    Considering how often data gets breached and how often a company is punished why would you pay decent wages for decent developers, test the code properly and take the time to do it right.

    There's very little reason for so many systems to still be susceptible to SQL injection attacks.

    Or stuff like Tesco sending plain text passwords. This stuff shouldn't be happening but there is no real reprecussions for producing a poor product.

    1. Destroy All Monsters Silver badge
      Pint

      OTOH, no-one wants to pay for a Good Product (really, any spare change will go to gold-plating the UI which can then be abused by guessing the URLs.... and that's kinda normal because WHO WANTS TO BUY A WEB 1.0 INTERFACE THAT IS SECURE?

      So Poor Product it shall be.

      Needs a Gallic Shrug Icon.

  24. OsamaBinLogin
    Mushroom

    attacks will continue

    israelis: The helicopter attacks will continue until the missle attacks stop.

    palestinians: The missle attacks will continue until the helicopter attacks stop.

    hacktivists: The bank breakins will continue until the banks stop rounding us up.

  25. Mark Allread

    "Team GhostShell is lead by"

    led by, surely?

  26. SiCo FR34K

    GITS

    Motoko?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020