Ancestory.com / WSJ.com / Vice.com / CNET.com ALL HACKED!

BKR
  • TTG Senior
Status: Offline
Joined: Apr 23, 2010 (14 Year Member)
Posts: 1,154
Reputation Power: 46
On July 12th, 2014, a Twitter user by the alias w0rm (@rev_priv8) started his rampage..

A popular site by the name of CNET.com was breached Sunday evening by the alias w0rm.

w0rm then tweeted on the 14th.

w0rm got away with 1 million usernames, emails and passwords from that attack, but he didn't stop here...

CNET reports that W0rm tweeted on Monday that it will sell the database for 1 bitcoin - around $622 - but that a W0rm representative told them through a Twitter conversation that the group offered to sell the database to gain attention and "nothing more", and had no plans to decrypt the passwords or to complete the sale of the database.

w0rm didn't stop here.. On Tuesday the 21st he returned with another big name!

He claimed to have breached WSJ.com and Vice.com, which are both big names in the internet world..
Like usual he tries to sell both these DBs for one BTC, to the right person this could be an investment..

The attack was brought to the newspaper's attention by Andrew Komarov, chief executive of IntelCrawler, who says that the credentials w0rm is selling would allow a buyer to modify articles, add new content, insert malicious content in any page, add new users, delete users and more.

Komarov said that IntelCrawler has confirmed the vulnerability:
We confirmed there is the opportunity to get access to any database on the wsj.com server, a list of over 20 databases hosted on this server.

It's being reported that the attacker exploited an SQL injection vulnerability.

Although the screenshots show records returned from a database, that in and of itself doesn't explain how they were obtained - only that they were.

The tweet about the WSJ appears to show the command line interface for a database client accessing a database, but again, even if we take it to mean that the attacker(s) gained access to the WSJ database, it tells us nothing about how he broke in.

SQL injection is, though, an obvious candidate for how w0rm got in.

Databases are valuable and hence aren't typically accessible to the outside world directly, but public-facing websites are often plugged into those otherwise difficult-to-reach databases.

SQL injection attacks get at the database via the website.

It's a common form of attack, possibly the easiest way to get at a vulnerable database from the outside, but it's also very easy to defend against, Naked Security's Mark Stockley says.

He recommends that any website code that accesses databases should use parameterised queries to ensure that the database treats user inputs as data rather than code.

At any rate, this is the second time that the WSJ has been picked on in a week.

Malicious hackers broke into the media outlet's Facebook page on Sunday, soon after the shocking Malaysia Airlines plane crash, to post bogus news alerts about the US's Air Force One possibly crashing over Russian airspace.

W0rm previously used the handle "Rev0lver", Komarov said, and is the founder of Worm.in, a market for trading vulnerabilities.

Whatever the attacker calls himself, he's been busy.

He's back, this time only 30 minutes ago!! This time he went after a popular family tree search site, ancestory.com




The following 1 user thanked BKR for this useful post:

JRMH (07-29-2014)
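
The parameterised-query defence recommended in the post above, shown next to the string-built query it replaces. This is an added example, not part of the original post and not code from any of the sites named; the table, column and function names are hypothetical and the rows and inputs are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory database (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"),
         ("carol", "carol@example.test"), ("o'neil", "oneil@example.test")],
    )
    return db

def lookup_concatenated(db, username):
    # Vulnerable pattern: the input is spliced into the SQL text, so the
    # database parses whatever the visitor typed as part of the statement.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterised(db, username):
    # The statement text is fixed; the input travels separately as a bound
    # value and is only ever compared against the column as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def concatenated_breaks_on_apostrophe(db):
    # A legitimate name containing a quote is enough to break the string-built
    # query; an error like this in application logs is a sign of the flaw.
    try:
        lookup_concatenated(db, "o'neil")
    except sqlite3.OperationalError:
        return True
    return False

def demo():
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing SQL syntax
    return {
        "crafted_concat": lookup_concatenated(db, crafted),    # every row comes back
        "crafted_param": lookup_parameterised(db, crafted),    # no such username
        "normal_param": lookup_parameterised(db, "alice"),
        "apostrophe_param": lookup_parameterised(db, "o'neil"),
        "apostrophe_concat_errors": concatenated_breaks_on_apostrophe(db),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```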
#2. Posted:
JRMH
  • TTG Addict
Status: Offline
Joined: Oct 19, 2013 (10 Year Member)
Posts: 2,119
Reputation Power: 62
I'm not gonna lie, when I see people that actually hack, I want to have a good conversation with them and ask them how they do it. Not these video game "hackers"

but for real, I hope he doesn't abuse these accounts he obtained.
#3. Posted:
BKR
  • TTG Senior
Status: Offline
Joined: Apr 23, 2010 (14 Year Member)
Posts: 1,154
Reputation Power: 46
JRMH wrote I'm not gonna lie, when I see people that actually hack, I want to have a good conversation with them and ask them how they do it. Not these video game "hackers"

but for real, I hope he doesn't abuse these accounts he obtained.


In all honesty he has every right to, it's not his fault they have errors in code, don't get me wrong no code is perfect but seriously companies need to up security, use custom algorithm do something.
#4. Posted:
NBC
  • TTG Addict
Status: Offline
Joined: Dec 24, 2011 (12 Year Member)
Posts: 2,859
Reputation Power: 99
BKR wrote
JRMH wrote I'm not gonna lie, when I see people that actually hack, I want to have a good conversation with them and ask them how they do it. Not these video game "hackers"

but for real, I hope he doesn't abuse these accounts he obtained.


In all honesty he has every right to, it's not his fault they have errors in code, don't get me wrong no code is perfect but seriously companies need to up security, use custom algorithm do something.
Wait what. He has every right to? You may need to check your morals.
#5. Posted:
BKR
  • TTG Senior
Status: Offline
Joined: Apr 23, 2010 (14 Year Member)
Posts: 1,154
Reputation Power: 46
NBC wrote
BKR wrote
JRMH wrote I'm not gonna lie, when I see people that actually hack, I want to have a good conversation with them and ask them how they do it. Not these video game "hackers"

but for real, I hope he doesn't abuse these accounts he obtained.


In all honesty he has every right to, it's not his fault they have errors in code, don't get me wrong no code is perfect but seriously companies need to up security, use custom algorithm do something.
Wait what. He has every right to? You may need to check your morals.


Yes he does, my morals are in check, my stuff doesn't get leaked, all I can say is it's sad how pathetic the companies take care of the customers, all I gotta say.
#6. Posted:
ProjectJasper
  • Ladder Climber
Status: Offline
Joined: Aug 24, 2013 (10 Year Member)
Posts: 355
Reputation Power: 14
Classic SQL injection, really. Such popular sites I would have thought to be protected. Secret's out now though, time for a new type of attack
#7. Posted:
BigWes
  • Christmas!
Status: Offline
Joined: Nov 20, 2011 (12 Year Member)
Posts: 2,167
Reputation Power: 103
Why don't these companies hire these "hackers". I see far more of this happening.
#8. Posted:
Mensch
  • V5 Launch
Status: Offline
Joined: Jan 03, 2011 (13 Year Member)
Posts: 1,165
Reputation Power: 56
BKR wrote
NBC wrote
BKR wrote
JRMH wrote I'm not gonna lie, when I see people that actually hack, I want to have a good conversation with them and ask them how they do it. Not these video game "hackers"

but for real, I hope he doesn't abuse these accounts he obtained.


In all honesty he has every right to, it's not his fault they have errors in code, don't get me wrong no code is perfect but seriously companies need to up security, use custom algorithm do something.
Wait what. He has every right to? You may need to check your morals.


Yes he does, my morals are in check, my stuff doesn't get leaked, all I can say is it's sad how pathetic the companies take care of the customers, all I gotta say.


How your morality and the security of your files are linked is something I'll never understand. When you walk into a store, just because you can grab something off the shelf without being noticed and "bypass" the in-store security, i.e. cameras, loss prevention, etc., doesn't make it yours. Finding a weakness in a security system that guards something does not make the item yours if exposed. Might need to re-align your moral compass pal.
#9. Posted:
BKR
  • TTG Senior
Status: Offline
Joined: Apr 23, 2010 (14 Year Member)
Posts: 1,154
Reputation Power: 46
Mensch wrote
BKR wrote
NBC wrote
BKR wrote
JRMH wrote I'm not gonna lie, when I see people that actually hack, I want to have a good conversation with them and ask them how they do it. Not these video game "hackers"

but for real, I hope he doesn't abuse these accounts he obtained.


In all honesty he has every right to, it's not his fault they have errors in code, don't get me wrong no code is perfect but seriously companies need to up security, use custom algorithm do something.
Wait what. He has every right to? You may need to check your morals.


Yes he does, my morals are in check, my stuff doesn't get leaked, all I can say is it's sad how pathetic the companies take care of the customers, all I gotta say.


How your morality and the security of your files are linked is something I'll never understand. When you walk into a store, just because you can grab something off the shelf without being noticed and "bypass" the in-store security, i.e. cameras, loss prevention, etc., doesn't make it yours. Finding a weakness in a security system that guards something does not make the item yours if exposed. Might need to re-align your moral compass pal.


The companies make millions a year and can't hire someone to do a proper coding job? It's pathetic, your analogy, it's plain stupid tbh, that's not even accurate to what I am saying minus it being about stealing
#10. Posted:
Disguise
  • 2 Million
Status: Offline
Joined: Apr 28, 2011 (12 Year Member)
Posts: 844
Reputation Power: 40
BKR wrote
Mensch wrote
BKR wrote
NBC wrote
BKR wrote
JRMH wrote I'm not gonna lie, when I see people that actually hack, I want to have a good conversation with them and ask them how they do it. Not these video game "hackers"

but for real, I hope he doesn't abuse these accounts he obtained.


In all honesty he has every right to, it's not his fault they have errors in code, don't get me wrong no code is perfect but seriously companies need to up security, use custom algorithm do something.
Wait what. He has every right to? You may need to check your morals.


Yes he does, my morals are in check, my stuff doesn't get leaked, all I can say is it's sad how pathetic the companies take care of the customers, all I gotta say.


How your morality and the security of your files are linked is something I'll never understand. When you walk into a store, just because you can grab something off the shelf without being noticed and "bypass" the in-store security, i.e. cameras, loss prevention, etc., doesn't make it yours. Finding a weakness in a security system that guards something does not make the item yours if exposed. Might need to re-align your moral compass pal.


The companies make millions a year and can't hire someone to do a proper coding job? It's pathetic, your analogy, it's plain stupid tbh, that's not even accurate to what I am saying minus it being about stealing

It is all about what you are saying. You are basically saying as long as you can do it, you have a right to. His analogy was spot on and don't even try to argue against it. Your morals are wrong and just because somebody has the power to hack into a website, doesn't mean "he has every right to"