"Team GhostShell said the online leaks, which are part of its Project Hellfire campaign, were made in protest against banks"
Hey there, lady trying to make a car payment! Hey, guy checking his balance before he buys groceries! Your bank's a dick, so we ruined your week. Hope that's okay.
Usually when these things are investigated it turns out the targeted company had obvious security vulnerabilities and were too obtuse to correct them. Consider a bank keeping their cash in an open box in the middle of the street. It's wrong to raid the box, but it's also irresponsible on them not to have good security in place.
Yes, and WhiteHats would raise those security concerns with the company, privately, and work with them to get it solved. If the company didn't work to fix them, that's when you raise it publicly.
This is the same leak that claimed to have "CIA records", which actually turned out to be from http://ciaservices.com/ instead of the government agency. There's a lot of hype surrounding this that seems to be total bullshit. The "1 million records/accounts" includes a lot of trivial, non-sensitive information, and the targets are mostly low-value to begin with. Seems like someone just ran a bunch of SQL injection attacks on random vulnerable websites and is trying to pass it off as grandiose political activism.
Semes like a linkbaiting headline (of the original article) once again...
Don´t see these "1 MILLION" accounts anywhere an neither the mentioned blog post [1] nor the original announcement at pastebin [2] does mention that. (EDIT: The pastebin statements indeed mentions "one million accounts/records leaked", buy thats not quite the same imho (emphasis on "records").
The blog post states explicitly that "a lot of the stolen content did NOT include any sensitive information".
Even if the original article capitalized the "million", it's good practice here to convert to regular capitalization when submitting. It just reeks of loudmouthed sensationalism and linkbaiting. I refuse to clickthrough on such submissions.
News stories like this are sometimes hyped but it's better to be safe than sorry.
I wonder if writing sky-is-falling style articles resonates more with people who would otherwise not treat their own online privacy/security as something to take seriously.
Ahhhh, we've come full circle. Back from the days when script kiddies would DoS a site or 'crack' a telnet password, then deface and claim they have street cred.
I would love to find someone who has actual street cred and had their account information released by these chuckleheads, and put them in a room together.
This isn't about politics. I doubt these losers even know anything about the companies they attacked. Fucking douchebags.
However, I should also blame the companies involved here. If they can afford $1000 for some kind of web app firewall they probably could have detected sqlmap raping their site with faulty queries.
That behavior never stopped, in fact it's so common that it's not news anymore which is probably why you haven't heard of it in a while. http://news.cnet.com/Defaced-site-archive-retires/2100-1001_... Who said it was about politics? I should also blame the companies involved... Exactly, this is about making unsafe companies feel unsafe.
I don't find their actions particularly praiseworthy, but if this can be done by a bunch of scriptkiddies, I'm not sure they did anything but slightly move up the inevitable, since organized criminal groups are also running similar scripts.
Organized criminal groups are more scrupulous. They just want your money, or to be information brokers. They won't publish your name, address, phone, social and god knows what else to the world.
I could give an extreme example and say that this kind of information disclosure puts stalking victims at risk, but there's a million more reasons we protect the privacy of individuals. Criminals simply have no reason to do this kind of thing, but the script kiddies think it's hilarious.
Your bank manager does not make IT policy. Please do not shout at him.
The lamers who released the information could have easily blacked out parts of all of any sensitive information, or disseminated other kinds of proof of their attack. Then you could still be angry at your bank without getting people's personal information.
If you naively depend on the client, sure, it will be game over, but that is true of any naive security.
Endpoint encryption does solve many problems, but it doesn't solve all of them. Take a bank case: sure, you could encrypt your account number and transfer amount on your machine, but the how is the bank supposed to do anything with these random bytes you've sent? If they have the keys (like they do with SSL), we aren't any better off.
With some complex public key crypto, you could maybe make things better, but you would be dependent on everybody treating their private keys well. I'm not convinced big companies could manage that, much less "Joe the Plumber".
Trusting the client is not the same as securing the client.
Edit: I didn't like my initial tone, so I backed off.
Encryption prevents leaked data from being meaningful. No amount of server-side security, including query parameterization, can guarantee the absence of leaks. Client-side encryption makes leaks much less devastating.
How encrypting user data in JS on the client is different from properly hashing user passwords in JS on the client? It is now accepted that sending and storing passwords in plaintext is bad practice; the logical next step is to encrypt not only passwords, but all data on the client.
Encrypting a password on the client-side means that all a cracker needs to login is the hashed password, which is exactly what they would get from a database dump, thereby bypassing the entire point of hashing the password in the first place. (Yes, I'm aware you could use a different salt on the server than the client, but that would require that the client-side encryption be reversible, which is perhaps even more problematic.)
Hey there, lady trying to make a car payment! Hey, guy checking his balance before he buys groceries! Your bank's a dick, so we ruined your week. Hope that's okay.