
EA was the latest victim of LulzSec. In the group's farewell hack it aired 550,000 users' information via torrent.  (Source: EA)

The group also grabbed 200,000 accounts from a popular hacker forum.
Group says they will continue operations under the name "AntiSec", but are retiring their moniker

LulzSec is gone -- for now.  The group on Sunday morning at 12:01 a.m. announced its surprise departure via a press release.  But they aren't really going anywhere, and they didn't "leave" their moniker without a parting shot -- they posted the results of their latest hacking campaigns to The Pirate Bay in a modest archive.

I. Bye Bye Birdie

LulzSec has been at it for 50 days now, hacking the planet.  They've hacked [1][2][3] Sony Corp. (TYO:6758).  They've DDoSed the CIA.  They've hacked the U.S. Senate and the Arizona state police.

But after all their fun, they say they're bidding adieu to the LulzSec moniker -- for now.  On the anniversary of George Orwell's birthday, they write:
Friends around the globe,
We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

For the past 50 days we've been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others - vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It's what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.

While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently. Behind this jolly visage of rainbows and top hats, we are people. People with a preference for music, a preference for food; we have varying taste in clothes and television, we are just like you. Even Hitler and Osama Bin Laden had these unique variations and style, and isn't that interesting to know? The mediocre painter turned supervillain liked cats more than we did.

Again, behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz. We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us. The support we've gathered for it in such a short space of time is truly overwhelming, and not to mention humbling. Please don't stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.

So with those last thoughts, it's time to say bon voyage. Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind - we hope - inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

Thank you for sailing with us. The breeze is fresh and the sun is setting, so now we head for the horizon.

Let it flow...
Lulz Security - our crew of six wishes you a happy 2011, and a shout-out to all of our battlefleet members and supporters across the globe

The speech brings to mind the famous comedian Johnny Carson's farewell words in 1992 on his late night show:
I can only tell you that it has been an honor and a privilege to come into your homes all these years and entertain you. And I hope when I find something that I want to do and I think you would like and come back that you'll be as gracious in inviting me into your home as you have been. I bid you a very heartfelt good night.
Of course Johnny Carson went about spreading "lulz" in quite a different fashion.  And he hacked far fewer people.

II.  750,000 More People Exposed

The parting shot was no "Pentagon Papers", but it did have a bit of something for everyone.

Leading the way are internal mappings of AT&T Inc. (T) and AOL Inc.'s (AOL)  servers.  The group also posted a file entitled "Office networks of corporations.txt".  The hack brings to mind Adrian Lamo's watchdog side, from the 1990s.

But where Mr. Lamo never exposed a significant class of users, LulzSec takes joy in engaging in that activity as well.  Their biggest post was leaked info of 550k users of Electronic Arts, Inc.'s (ERTS) cartoony FPS game Battlefield Heroes.  At press time we have not yet obtained the full archive, so we're unable to ascertain what details were leaked.

EA appears to confirm the breach, writing:

Battlefield Heroes is Offline

We are currently investigating an apparent security breach related to our free-to-play Battlefield Heroes franchise. We are working to identify which accounts were affected and will take all precautions to ensure those players are notified as quickly as possible. We apologize for any inconvenience and hope to have the game back online shortly.

It also posted account information on 50k "random" game forum users.

The hackers also turned on their fellow novice brethren, publishing records on the users  of (they appear to have obtained this data via the tried and true method of SQL injection -- somewhat embarrassing for a self-proclaimed "hacking" site).  In total 200k accounts were reportedly compromised on the site (that's a lot of hackers!).

The forum writes:

All ub3r and l33t must do a password reset to their email. Use contact form if you do not get your password email reset or do not have access to the email on file.

Then there's 12k North Atlantic Treaty Organization e-book center usernames and passwords (somebody will have fun reading).  NATO more or less already confirmed this breach to be authentic, posting on Friday:
Probable data breach from a NATO-related website

Police dealing with digital crimes have notified NATO of a probable data breach from a NATO-related website operated by an external company. NATO’s e-Bookshop is a separate service for the public for the release of NATO information and does not contain any classified data. Access to the site has been blocked and subscribers have been notified.
The group also posted an image file entitled " owned.png", which we'll debrief you on shortly.

And then there's 29 emails and passwords [PasteBin] at P.I. Limited of Dublin.  It's always embarrassing when security professionals wind up in these releases.

Rounding off the release, there's a post detailing an apparent vulnerability [PasteBin] of an FBI web property involving the open source content management system Plone.  And there's a cool 2,454 IP addresses [PasteBin] that are listed apparently using "root" or "admin" as their password for the corresponding administrator/superuser account name.  Ouch. 

III. Why the Sudden Exit?

The sudden departure made us initially wonder if the awaited police axe finally fell upon the audacious crew.  However as of early this morning, one of the group's ringleaders, "Sabu", was still happily posting.

He writes:
Nobody is leaving. we're working on the #antisec movement.

If you read the statement your questions will be answered. There's only been one arrest; Ryan, and he isn't part of lulzsec.

No one is disappearing. find us all @ #antisec
According to the group, they're not ceasing their activities -- they're just dropping the "lulz" and getting serious about their campaign of "cyberwar" against the world's ruling powers.  And those powers still appear as helpless as ever to capture the brains behind the group.

That said, there's one major outstanding question -- what happened to Topiary.  The hacker, allegedly a core member of Anonymous, fell silent last week.  His last Twitter post was dated June 17.  So it's possible there could be something more to this story -- though for now it's just an interesting observation.

Meanwhile, another 812,000+ users will wake up Sunday morning and groan.  They've yet again been the victims of poor IT management and the ever bolder presence of Anonymous and its affiliates -- LulzSec and AntiSec.

Comments

RE: To defeat them...
By wordsworm on 6/26/2011 7:09:51 AM , Rating: 2
I suppose that would be a bit like trying to put all the gas station and liquor store robbers in jail or passing more laws against those who commit them. No matter what, there's another piece of trash to take the last one's place. The solution must then be what? What can we do to prevent every rapist from raping? every murderer from murdering? every molester from molesting? every hacker from hacking?

I've heard lots of security experts say that there is no such thing as an absolutely secure network unless it's not connected to the Internet. So, aside from that solution, what do you think that they ought to do? I mean, aside from a blanket statement that they ought to be held accountable for the actions of others? ie, blame the child for the molestation, the murdered for the murder, and the raped for the rape? Is that the idea behind 'make corporations more accountable'?

Maybe the real trick is to force the adoption of new ip protocols. Assign every device that uses the Internet a number, and require that every Internet user be a registered Internet citizen with their own unique identity, have all devices be required to be registered to an Internet citizen. Make open Wifi portals illegal unless there is some kind of registration system where people are required to identify themselves for every bit of information that gets up- or down-loaded. That way, perhaps people could be identified more quickly for the crimes that they commit.

Whatever the case, the only way to become more secure is to give up our anonymity. Maybe that's the era that those Lulzers will help usher us into.

RE: To defeat them...
By freeagle on 6/26/2011 8:20:36 AM , Rating: 2
No, no registrations. That would create even more centralization. We, people, individuals, need to take control back to us, not give even more away.

The way we identify ourselves on the internet is upside down. We take our usernames and passwords, give them to some authority and ask: "I have this and this. Am I me?". We give that which makes us to someone else. That's what's wrong.

RE: To defeat them...
By bodar on 6/26/2011 9:01:06 AM , Rating: 1
And you don't think these unique IDs will be spoofed by criminals and griefers? Keep dreaming. Now you're just eliminating online privacy for the illusion of security. Good job.

Yes, any system can be compromised given enough time, effort, and resources, but it is the job of IT security to use multiple layers of security to mitigate the damage of a breach. If management wants to skimp on the security then they simply don't deserve our business.

Would you give your bank a free pass if they locked the safety deposit room with a bike lock and called it a day? And after the robbery, they said "Oops, sorry we didn't protect your valuables better... here's a free toaster!" There are reasonable security measures (allegedly) NOT being taken here, like server patches.

RE: To defeat them...
By BugblatterIII on 6/27/2011 3:58:21 AM , Rating: 2
The point of accountability isn't to victimise companies; it's to make them responsible for taking reasonable precautions.

We've seen time and again that these hacks are being achieved with very simple attacks, e.g. SQL injection. There's no excuse for being vulnerable to that. These companies have a duty to take reasonable precautions to protect our data.

Who can determine what's reasonable? Since you have a judiciary that doesn't even know enough about tech to want the bigger gee bees that's a tricky one. However the situation should improve with time.
