Given LulzSec seems to post their hacks on twitter, that there's no way of validating who posted the PasteBin item and that the Office of National Statistics hasn't reported the loss, it's probably best to wait and see something a little more convincing.
I wrote the article and have been trying to trace the authenticity of the release. I am still waiting to hear back from the Office of National Statistics, which at the time were unaware of who LulzSec even were.
I contacted them a little over two hours ago, I haven't received a response, yet.
It also has the Bethesda and US senate links in the end, making this look more like copy-paste of an older release. This is inconclusive though since the real LulzSec might copy paste from an older release to get all the ascii art.
I've wondered how many individuals and groups out there post things in the name of other security groups to distract attention from (or direct it toward) themselves. Maybe everyone should start signing their releases with a private key.
I haven't seen "Census" mentioned in their twitter feed (yet), so as far as I know the only source is a bit of anonymous text on pastebin. Anyone could put that there.
This whole escalating security situation has me thinking that IT security is heading down the same path as the War On Drugs.
I wonder if ten or twenty years from now we'll see petitions to legalize hacking tools after we see a resurgence in security breaches following the criminalization of "hacking tools"...
I'm leaning toward "hoax." Lulzsec has been reasonably competent writers so far, and the bizarre placement of "blissfully" makes that either incompetent or some kind of steganography. That, added to the lack of tweet, makes me doubt.
Of course, it could still be some anon who actually does have the census data, and considers himself lulzsec-affiliated.
The writing style does seem different, sentences in this release aren't terminated in some cases, whereas those from officially corroborated releases always are.
If true, this will be a massive coup and regardless of how they obtained the records, LulzSec will get all of the significant negative attention they so badly crave.
I submitted my census info via the online form and given the amount of detail I included I would be terrified if that info was leaked.
Imagining that the release is true, this will do strange things for pay bargaining. Imagine if you could look up your colleagues before asking for a rise?
On the other hand, I don't recall anything really horrific on that form. Enough data to steal my identity and take out a mortgage in my name, yes. Enough to embarrass me? no...
So what's the worst possible outcome here in terms of the UK government's reactions? Fast-tracked arcane legislation to make security tools illegal like they are in .de ? Broadening the terms of hacking and increasing the legal penalties? If LulzSec aren't trolling the world and they do indeed have these records I would imagine there is going to be one hell of a shitstorm in the coming weeks.
It would be just another excuse to get the Internet ID implemented. MAFIAA has been pushing for Internet ID for years now and a number of politicians are in favour. Must admit that every time I read about the latest LulzSec activity I cannot help but think that MAFIAA is behind all this.
This was the first census where you could submit details online. I wonder if it was these records? Would be surprised if they had even finished scanning the paper ones yet, but the UK government's security record is not good. They contracted it to Lockheed Martin, who also do the US census, so presumably reused the software?
In all likelihood it was probably compromised through some other means than the software. I'm sure the software got a lot of attention in terms of security but surrounding systems were neglected.
With the amount of hacking that is flooding the news recently, I would like to learn about database security. What are some good books/tutorials/videos on how to make databases more secure?
I believe that most databases are secure, especially the open source ones.
What you should be careful about is the things surrounding the database: the .php files (or whatever) that read/write the database, and the system it is running on.
Basic security practice for the web: NEVER trust user input: check and recheck all the GET/POST variables, check that numbers are numbers, that strings are correct strings (they have no funny characters, such as " or ; (for databases) or <>"&' (for HTML) or . (for paths)). Check all input into the databases (to prevent SQL injections) and all output to the user (for XSS).
Basic security practice for sysadmins: Use up-to-date OS and software. Use strong passwords. Almost never run root. Make remote access hard.
This seems easy, and for the most part, it is. It's just so many things that people forget to check for them all.
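The checks listed in the comment above, as an added example that is not part of the original thread: string-built SQL beside a bound parameter, a strict numeric check, and escaping on output. The table, rows and function names are constructed for illustration, and Python's sqlite3 stands in for whatever database the application uses.

```python
import html
import sqlite3


def make_db():
    """In-memory table with constructed rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, town TEXT)")
    db.executemany(
        "INSERT INTO people (name, town) VALUES (?, ?)",
        [("Alice", "Leeds"), ("Bob", "York"), ("<b>Carol</b>", "Bath")],
    )
    return db


def lookup_unsafe(db, town):
    # Weak form: the GET/POST value is pasted into the SQL text, so a quote
    # character in the input changes the structure of the query.
    sql = "SELECT name FROM people WHERE town = '" + town + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, town):
    # Corrected form: the value is bound as a parameter and is only ever data.
    sql = "SELECT name FROM people WHERE town = ?"
    return [row[0] for row in db.execute(sql, (town,))]


def parse_id(raw):
    # "Check that numbers are numbers": accept short runs of ASCII digits only.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("id must be a short decimal number")
    return int(raw)


def render_name(name):
    # Escape on output so stored markup is displayed, not interpreted.
    return "<li>" + html.escape(name, quote=True) + "</li>"


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing a quote
    print("string-built:", lookup_unsafe(db, hostile))
    print("parameterised:", lookup_safe(db, hostile))
    print(render_name("<b>Carol</b>"))
```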
I wonder if they are using the same (undocumented) exploit for each of these attacks.
I am certainly no expert in this field, but I would have thought discovering new exploits and security holes would take time, yet these guys are hitting several major sites a week.
So, after I was strongarmed into filling out the damn thing, now all my identity data is in the wild. I will be joining in a suit of Lockheed if this is true.
What's worrying about the apparent proliferation of security breaches like this is that as the attacks get more sophisticated, so do the prevention methods. This could get to the point whereby the skill level required to protect an application or server goes way higher than the skill level of many developers.
The result being that independent development is impossible as you would need to hire ever more expensive security consultants for anything that stores data.
"Biggest" only for the media coverage this could get, I would not be surprised if they had exploited a common vulnerability. At least when we are discussing publicly accessible sites, "security-illiterate" is the perfect definition for these government agencies (and the external companies that realize the sites they need).
Will this kind of thing make the general public at least a bit more security conscious?
It appears that LulzSec isn't directly responsible for this. Although, since they called for the hacking of every government agency in the world with their "anti-sec" call to arms it's a bit disingenuous for them to rock back on their heels in shock and confusion.
[+] [-] BasDirks|14 years ago|reply
Oh well, just because we want to waste government and local authority investigation time: we hacked every website in the world. Enjoy!
11 minutes ago
LulzSec The Lulz Boat
I'm not seeing "we hacked the UK census" on our twitter feed or website... why does the media believe we hacked the UK census? #confusion
13 minutes ago
LulzSec The Lulz Boat
Not sure we claimed to hack the UK census or where that rumour started, but we assume it's because people are stupider than you and I.
[+] [-] Peroni|14 years ago|reply
Just saw the pastebin of the UK census hack. That wasn't us - don't believe fake LulzSec releases unless we put out a tweet first.
[+] [-] someone13|14 years ago|reply
See:
https://twitter.com/#!/LulzSec/status/83168314527981568
https://twitter.com/#!/LulzSec/status/83167715799470080
EDIT:
Those tweets were deleted. Here's the official word:
"Just saw the pastebin of the UK census hack. That wasn't us - don't believe fake LulzSec releases unless we put out a tweet first."
https://twitter.com/#!/LulzSec/status/83172089711964161
[+] [-] joejohnson|14 years ago|reply
I'm just curious, because Lulzsec posts frequently and I wonder if law enforcement could subpoena twitter in attempts to catch these people.
[+] [-] pavel_lishin|14 years ago|reply
[+] [-] ElliotH|14 years ago|reply
[+] [-] m4tt|14 years ago|reply
[+] [-] mikle|14 years ago|reply
[+] [-] nitrogen|14 years ago|reply
[+] [-] ZeroMinx|14 years ago|reply
[+] [-] gazrogers|14 years ago|reply
[+] [-] click170|14 years ago|reply
[+] [-] antihero|14 years ago|reply
[+] [-] estel|14 years ago|reply
[+] [-] khafra|14 years ago|reply
[+] [-] Fjolle|14 years ago|reply
[+] [-] mjhall|14 years ago|reply
[+] [-] StavrosK|14 years ago|reply
[+] [-] Peroni|14 years ago|reply
[+] [-] shubble|14 years ago|reply
[+] [-] jodrellblank|14 years ago|reply
[+] [-] patrickod|14 years ago|reply
[+] [-] sunchild|14 years ago|reply
[+] [-] crocowhile|14 years ago|reply
[+] [-] gaius|14 years ago|reply
[+] [-] justincormack|14 years ago|reply
[+] [-] crocowhile|14 years ago|reply
[+] [-] BrianLy|14 years ago|reply
[+] [-] pedrokost|14 years ago|reply
[+] [-] Joakal|14 years ago|reply
Not in any order of popularity:
1. Brute-force (or not) cracking of weak or default usernames/passwords
2. Privilege escalation
3. Exploiting unused and unnecessary database services and functionality
4. Targeting unpatched database vulnerabilities
5. SQL injection
6. Stolen backup (unencrypted) tapes
http://mobile.darkreading.com/9289/show/8506121498da7d8ae483...
[+] [-] estel|14 years ago|reply
[+] [-] tomp|14 years ago|reply
[+] [-] odiroot|14 years ago|reply
[+] [-] Simon_M|14 years ago|reply
[+] [-] mike-cardwell|14 years ago|reply
Most websites seem to have at least one XSS or SQL injection hole. Nearly all have CSRF flaws.
[+] [-] binarymax|14 years ago|reply
[+] [-] arethuza|14 years ago|reply
http://www.ico.gov.uk/upload/documents/library/data_protecti...
[+] [-] mike-cardwell|14 years ago|reply
[+] [-] crocowhile|14 years ago|reply
[+] [-] beseku|14 years ago|reply
[+] [-] acron0|14 years ago|reply
https://twitter.com/#!/LulzSec/status/83164092998758400
[+] [-] drtse4|14 years ago|reply
[+] [-] iamichi|14 years ago|reply
[+] [-] InclinedPlane|14 years ago|reply
[+] [-] JackWebbHeller|14 years ago|reply
http://content.met.police.uk/News/eCrime-unit-arrest-man/126...
[+] [-] evolution|14 years ago|reply