HackersBlog exposes BT.com vulnerability (updated)

“Unu” of HackersBlog reports that they have been able to access at least one of UK telecom BT’s databases through SQL injection: “A faulty parameter, improperly sanitized, opens the vault to the precious databases. One can gain access to such ordinary things as personal data, login data, and the like. In the first syntax I concatenated the table names as well as the version and the user of the database.” One of the screenshots from a subdomain on BT.com purportedly shows “login data and personal data (email, active, lastloggedin, firstname, surname, address, town, postcode, level, randomkey, password) for some of the registered users.” They indicate that they have more to report, but “…. first we need to see reported vulns patched. We don’t want to put BT clients in danger by providing sensitive information and hints to a potential attacker.” Update of 3-11-09: See BT.com’s rebuttal, which was provided to The Register.
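The “faulty parameter, improperly sanitized” that Unu describes is the classic pattern of splicing a request value straight into SQL text. The Python snippet below is an added example, not code from HackersBlog, BT or any of the sites named on this page: it builds a constructed in-memory SQLite table with column names modelled on the screenshot description above, then contrasts a concatenated query with a parameterized one so the difference in behaviour can be seen directly. The table layout, the sample rows and the function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data standing in for a site's user table (not real accounts).
SAMPLE_USERS = [
    ("alice@example.invalid", "hash-a", "Alice", "Smith"),
    ("bob@example.invalid", "hash-b", "Bob", "Jones"),
]


def make_db():
    """Create an in-memory database with columns modelled on the leak description."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT, password TEXT, firstname TEXT, surname TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """The faulty pattern: the request value becomes part of the SQL statement.

    Any quote character in `email` changes the structure of the query, so the
    caller no longer controls what the database is asked to return.
    """
    sql = "SELECT email, firstname, surname FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The fix: the value is bound to a placeholder and is always treated as data."""
    sql = "SELECT email, firstname, surname FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare():
    """Run both lookups against a normal value and a quote-bearing value.

    Returns the row counts so the effect of each query style is measurable:
    the concatenated query leaks every row for the hostile input, while the
    parameterized query simply finds no user with that (literal) address.
    """
    conn = make_db()
    benign = "alice@example.invalid"
    hostile = "x' OR '1'='1"  # constructed tautology input for the demonstration
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_benign": len(lookup_parameterized(conn, benign)),
        "safe_hostile": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name}: {count} row(s)")
```

The parameterized form is the whole of the remediation the vendor statements on this page allude to when they speak of re-writing the affected code: the database driver sends the value separately from the statement, so no amount of quoting in the input can alter the query. Input “sanitizing” by stripping characters is a weaker substitute and is easy to get wrong.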

Hong Kong Police site hacked, 45 credentials leaked

Today hackers from Portugal Cyber Army (@Official_PCA) announced a leak of data from the main Hong Kong police website (https://www.police.gov.hk). The leak was announced from the @Official_PCA Twitter account in the early hours of the 20th.

> Police of Hong Kong Database breaches pastebin.com/[email protected]_war_news @thehackersnews @illsecure @ehackernews @thehackersblog — Portugal Cyber Army (@Official_PCA) April 20, 2013

The leaked data has been posted to Pastebin with no message attached to it. The leaked data consists of administrator account email addresses and encrypted passwords, all of which belong to the HK police. Recently the Portugal Cyber Army also leaked data from the official Dubai Airport site. Source: pastebin

Official Dubai Airport Site Hacked, Staff Credentials Leaked

This week hackers have announced a leak of data from the official Dubai Airport website (https://www.dubaiairport.com). The leak has been claimed by Portugal Cyber Army & HighTech Brazil HackTeam, who announced it via social media through @Official_PCA.

> Dubai Airport Database leaked pastebin.com/S6XjKULM @cyber_war_news @ehackernews @thehackersnews @thehackersblog @thehackerspost — Portugal Cyber Army (@Official_PCA) April 19, 2013

The leaked data has been posted to Pastebin and contains 53 staff accounts with staff email addresses and encrypted passwords. Over the past few days @Official_PCA has been announcing a few other attacks from their Twitter account. Source: Pastebin

UK Commonwealth Bank Site Hacked, Data Leaked

Tonight a hacker group using the handle @LatinHackTeamR has announced a leak of data from the Commonwealth Bank’s United Kingdom branch (https://www.commbankuk.co.uk/). The announcement came at about 2.30am Tuesday morning via Twitter, and the leak has been posted to AnonPaste.

> Commonwealth Bank of Australia DB #Leaked #LatinHackTeamReborn anonpaste.me/anonpaste2/ind… @cyber_war_news @ehackernews @thehackersblog — LatinHackTeam Reborn (@LatinHackTeamR) April 1, 2013

The Commonwealth Bank is one of Australia’s largest banks, and to see a breach like this happen shows just how serious a problem the world is facing with security. The leaked data contains 1900 email addresses, encrypted passwords and full names. It is unclear exactly who these accounts belong to, but either way it shows that the bank needs to take a decent look at the security of customer information. The hackers are fairly well known for the defacements they have carried out in the past, with this being one of the first database leaks from them.

Yemen Customs Portal Hacked, 622 Staff and User Credentials Leaked

Hacker @JokerCracker has been busy recently and, despite it being New Year’s Eve/Day across the world, they are still leaking data. The latest leak comes from a Yemen government portal for the customs authorities (https://www.customs.gov.ye). The leak was announced on Twitter and posted to Pastebin.

> #YEMEN #Gov. #Hack by @jokercracker ->goo.gl/Xnpku ,@thehackersblog @cyber_war_news @ozdatacenta @hackread @sweetinfoop @hackfuse — JokerCracker (@JokerCracker) January 1, 2013

The leaked data contains basic server information as well as 622 accounts, some of which are administrator accounts for the customs website. All account credentials such as passwords appear to be encrypted. Other credentials are emails, usernames and IDs. https://ozdc.net/archives.php?aid=4479

Biotectix hacked, defaced for #OpBigBrother

Not too long ago Anonymous hacktivists kicked off an operation against surveillance systems and the companies that provide these services in many different forms; that operation was named OpBigBrother. Today a hacker who uses the handle @DARWINARE has announced an attack on the BioTectix (https://www.biotectix.com) site, which is being used as a press release and operation release page for OpBigBrother and sports the following message.

> ║█║▌║█║▌│║▌ ‏@DARWINARE @TheHackersBlog @Cyber_War_News @OpBigBrother https://www.biotectix.com/news_details.php?news_id=46 … I haven’t forgot about you bro. 12/08/12

The defacement was still active at time of publishing; below is a text version of the defacement.

Current Op Of Interest: #OpBigBrother

====================================== Why this op ? =========================================

For years, Governments worked on various projects and laws designed to control populations. All around the world, they prepare a new way of modern slavery.

USA : Echelon, attacks against Wikileaks, Trapwire, CISPA, SOPA, PIPA…
Canada : CETA, Law 78…
Russia : Global censorship (special think to the Pussy Riot…)
China : Global censorship
European area : ACTA (out)–> CETA, INDECT, FP7, attacks against Demonoid…
Arab World : ROMAS/coin (mass surveillance of individuals by government of the United States of America)
Panama : Copyright law in progress

Privacy of the people all over the world is suffering more and more outrages. We should not tolerate it. Cameras are everywhere even in our sky, and robots are used to gather and treat information collected through Internet spying. If Governments and corporations reach their goal to use network surveillance technologies to take control of our world, they will clear Freedom from both the real life and the Internet. We think the problem of the surveillance of the citizens is a global one. Every new project or law will be made to work and be crossed with the other ones. We don’t want to speak about plot because it may be not, we just want to keep our eyes opened on new happening and keep critical mind on informations given by governments and lobbies… We invite you to act against this surveillance.

Job : collecting official information, IRL protest, spreading informations, videomaking, designing, collecting unofficial information and defacing… Everyone can act against this world we don’t want…

Global informations on ops : https://pastebin.com/PgbvQrt8 Even if it’s a blocked pastebin (problem with trolls on first pad opened…), this is yours ! Do not hesitate to pm an op on the chan to ask him to add targets or informations on this pad.

General Video of the Op : https://www.youtube.com/watch?v=WR52NgUN41g
Video for Worldwide protest of October the 20th : https://youtu.be/F56MY73M8aQ

============================= INFORMATIONS ON GLOBAL SURVEILLANCE ===========================

https://bluecabinet.info
https://bluecabinet.info/wiki/Blue_cabinet
https://bluecabinet.info/wiki/Blue_cabinet#How_To_Participate_in_the_Blue_Cabinet_Wiki_Project
https://bluecabinet.info/wiki/Blue_cabinet/HoneyDo
https://wiki.echelon2.org/wiki/Main_Page
https://wiki.echelon2.org/wiki/Romas/COIN
https://www.eff.org/
https://www.eff.org/about/history
https://wikileaks.org/The-Spyfiles-The-Map.html
https://wikileaks.org/gifiles/docs/745547_re-ct-tactical-palantir-software-.html
https://wikileaks.org/wiki/Mind_Your_Tweets:_The_CIA_Social_Networking_Surveillance_System
https://www.myfoxny.com/story/19139331/nypd-to-launch-surveillance-software-system-to-track-crime
https://www.thebureauinvestigates.com/2012/08/03/global-surveillance-industry-gets-a-new-toy/
https://www.palantir.com/what-we-do/
https://www.palantir.com/labs/
https://wikileaks.org/spyfiles/docs/alcatel-lucent/81_alcatel-lucent-1357-ulis-unified-lawful-interception-suite.html

FP7 / INDECT
https://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2010-1385&language=EN
https://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2010-1332&language=EN
https://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2010-2186&language=EN
https://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2010-3191&language=EN
https://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2010-1004&language=EN
https://www.derwesten.de/politik/eu-erforscht-an-hollands-grenze-die-totale-videoueberwachung-id6939916.html
https://ec.europa.eu/enterprise/magazine/articles/industrial-policy/article_7080_fr.htm
https://www.antennabruxellesbasilicata.it/antennaBruxelles-cma/files/docs/DOCUMENT_FILE_101796.ppt
https://www.edri.org/edrigram/number8.17/indect-secrecy-privacy-ethics
https://ec.europa.eu/research/fp7/pdf/advisory-groups/security-sixteenth-meeting.pdf
https://ec.europa.eu/research/fp7/pdf/advisory-groups/security-sixth-meeting.pdf
https://ec.europa.eu/enterprise/policies/security/files/esrif_final_report_en.pdf
https://www.eurosfaire.prd.fr/news/consulter.php?id=1128
https://www.edps.europa.eu/EDPSWEB/edps/lang/fr/EDPS/Dataprotection
https://www.consilium.europa.eu/homepage/showfocus?lang=en&focusID=63038
https://europa.eu/legislation_summaries/energy/european_energy_policy/i23022_en.htm
https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006D1982:EN:NOT
https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=en&type_doc=Decision&an_doc=2003&nu_doc=1151
https://europa.eu/legislation_summaries/information_society/internet/l24190_en.htm
https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006D0971:EN:NOT
https://ec.europa.eu/enterprise/policies/security/indect/index_en.htm
ftp://ftp.cordis.europa.eu/pub/fp7/docs/financialguide_en.pdf
https://www.hyperion.ie/fp7grantwebsites.htm
ftp://ftp.cordis.europa.eu/pub/fp7/security/docs/securityresearch_catalogue2010_2_en.pdf
https://www.scribd.com/doc/102305059?secret_password=1g2vlr4t51hbmcaqmlvb
https://scic.ec.europa.eu/str/indexh264.php?sessionno=687fd5c7e0142dfb2da70e5083b3c6a7#

CleanIT : https://www.scribd.com/doc/106582878/EUROPE-CleanIT-LEAK-large-scale-undemocratic-surveillance-of-all-communications-OpBigBrother
Panama : https://infojustice.org/archives/27344

================================ Objectives of the operation ================================

The first objective of this op is to inform people on what our governments and the lobbies will do for our future : they want to make us modern slaves… Spread the word everywhere you can !
Video : https://youtu.be/WR52NgUN41g
Pix : https://img15.hostingpics.net/pics/221701surveillangepercu.png & https://opgraffiti.deviantart.com/gallery/

To make people understand our mind, we must give them proofs we can’t find only on official websites. We must find and collect those proofs directly on source (see targets). In function of informations found, we’ll determine all together on chan what to do with those documents (spreading or not) and what to do on the site (deface or not). So let’s remember the global objectives of the actions :
1. Collect informations and databases from targets
2. Communicate
3. Defacement
-> Deface model page https://pastehtml.com/view/c9b5qjvgz.html => Governments, Universities and Big Corps involved in surveillance research
-> Deface model page https://pastehtml.com/view/cbr100fm2.html => Private companies selling CCTVs and other BigBrother tools.

=================================== Security and tools ======================================

DO NOT DO ANYTHING WITHOUT PROTECTION (VPN or TOR). DO NOT USE FREE VPN : https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
For help : #opnewblood / #opnewblood.fr
For your safety, we recommend you to not act on targets from your country.

======================================= TARGETS =============================================

This list will be completed in function of works realized – We must fight on all project or law on security treating with our freedom. Do not hesitate to give your own targets to an OP on the chan. Create a pad and put in it the scan report, informations and db found… GIVE RESULTS TO AN OP CHAN (SOP or AOP)
For target regarding Trapwire : go on #OpTrapwire
Press release : https://pastebin.com/fkzhxLf9 https://pastehtml.com/view/c9bpnzjpv.html
ASIO : https://au.news.yahoo.com/latest/a/-/article/14603870/asio-chief-warns-of-cyber-threats-to-big-business/ (AU) https://www.asio.gov.au/
TURKEY : https://www.hurriyetdailynews.com/ministry-plans-to-form-cyber-team-to-fight-hackers.aspx?NewsCatID=338&nID=28141&pageID=238

All next targets are partners of FP7 project (Security section) : For more informations of this project : https://cordis.europa.eu/fp7/home_en.html << don’t trust on all informations given : see the real sense behind the words… Source : ftp://ftp.cordis.europa.eu/pub/fp7/security/docs/securityresearch_catalogue2010_2_en.pdf
Part of project FP7 which is treating on privacy (They are projects but may be crossed between them) :
– ABADTS – Automatic detection of abnormal behaviour and threats in crowded spaces : must define suspects behaviour to implement it on an algorithm to run on commercially issue on surveillance
– INDECT – Intelligent Information system supporting observation searching and detection for security of citizens in urban environment : will create a system based on nodes and a program to collect informations from web and from engines like drones (UAV)…
– CPSI – Changing perception of security and interventions : create a methodology to collect quantify organize query analyze interpret and monitor data on actual and perceived security…
– CREATIF – Related testing and certification facilities / a networking strategy to strengthen cooperation and knowledge exchange within Europe : in charge to harmonize all security program from all members
– CRESCENDO – Coordination action on risks, evolution of threats and context assessment by an enlarged network for an R&D road-map : analyze threat and risk situation, changing providers of security with a balance between civil liberties and security (how will it be determined ?)
– ESCoRTS – European network for the security and the control and […]

Unu is back! 8.000.000 is the magic number – gamespot.com

From Hackers Blog: “Unu”, the ex-HackersBlog member that stole the spotlight with his findings in internet security, has come up with a new, very interesting finding. He gained access to personal data of a very large website. According to unu, over 8.000.000 (that’s 8 followed by 6 zeros!! 8 million) member accounts of gamespot.com have been at the mercy of anyone who could take advantage of them by means of SQLi. In the mail sent to us, “unu” says that using that SQLi anyone could extract client details such as: home address, DOB, email, and more. He backs up his claims with screenshots of personal details of user 2.800.000. Passwords were not in plain sight in this case so gamespot.com users can feel safe (sic). I don’t see any statement on gamespot.com. Gunter Ollman also notes the absence of a statement confirming or denying the problem on his blog.

BT rebuts vulnerability claims

(This is a follow-up to a story reported here). Today, John Leyden of The Register reports that BT.com claims that the flaws HackersBlog reported only involved test systems and that no customer data were at risk. Whether BT’s statement was issued before or after HackersBlog published more about the alleged vulnerability and databases they were able to access is unknown at this time.

Telegraph.co.uk hacked, SQL injection (updated)

The HackersBlog crew, who had previously exposed vulnerabilities in a number of security vendor sites and a social networking site, now reports that they were able to exploit an SQL injection vulnerability to access The Telegraph‘s databases, including one that holds 700,000 email addresses and passwords of those receiving the paper’s newsletter. Given how many people continue to use the same password for multiple purposes, Telegraph readers who signed up might want to use this as a wake-up call to change their passwords on other accounts. The blog points to a Trend Micro blog entry by Rik Ferguson for advice on passwords. So far, I do not see any acknowledgement or mention of the hack on The Telegraph‘s site.

Update 3-09-09: John Leyden of The Register reports that, in a statement, Paul Cheesbrough, chief information officer for Telegraph Media Group, said the attack affected a partner site and not the main Telegraph website. “The hack interrogated database tables behind one of our partner sites – search.property.telegraph.co.uk – and exposed a weakness in the way that particular site had been coded,” Cheesbrough said. “The problem being highlighted does not affect the main telegraph.co.uk site, as some of our competitors are reporting, but the Telegraph Media Group does take anything that potentially compromises the security of our site and the data that we hold extremely seriously. We immediately took the impacted site down on Friday, and the two-year-old third party code is being re-written to eliminate the issues that hackersblog.org brought to our attention.”

StayFriends members’ personal info exposed by SQL injection

The same individual, “unu,” who has been exposing other websites vulnerable to SQL injection, has issued some screenshots showing how the German site StayFriends left its over 7 million users’ personal information vulnerable to exposure or access. According to the account of the hack, the exposure involved names, email addresses, passwords, some credit card data, and social security numbers. The site was secured before “unu” published the screenshots. There does not appear to be any statement on the StayFriends.de home page about the incident or the allegations.