Post #10 by Liverandbacon, 06-19-2011, 05:15 PM
I hate how the news is talking about how LulzSec 'hacked' the CIA and other sites. Saying that a DDoS attacker 'hacked' anything is like saying that some guy who super-glued a bank's doors shut pulled off a major heist. One requires actual skill to pull off, and can actually be very serious. The other is something a 10-year-old can do, and isn't much more than an inconvenience. When it's only a few hours of downtime, as was the case with the CIA website, calling it 'hacking' is even more absurd.

Not to mention the fact that the CIA isn't even slightly inconvenienced by a temporary lack of a public website. Just look at the site, and you'll see that most of the content consists of information resources like the World Factbook, which are useful for the general public, but completely irrelevant to the Agency's day-to-day functionality. Nothing important goes on on the CIA's website, so all a DDoSer is really doing is shooting themselves in the foot (especially when one considers that one of the public resources taken down is the online FOIA archive).

Technically unimpressive and functionally useless. What a pitiful combination the media is so enthralled by.

Originally Posted by ChAiNz.2da
Bunch of dumbass script-kiddies found themselves a new brute force toy. Tired of this crap.

Would be nice if companies would take further measures though before getting hit.
Exactly. The scary thing here isn't the competence of the hackers. I wouldn't be surprised if most of them are just kids who've just discovered Metasploit or another program of that ilk, and that's for the actual cracking; the DDoSes aren't even worth mentioning.

What should scare people is how so many companies, especially technology ones, which you'd expect to have more security know-how, leave important information under such weak protection. Given how common password reuse is, even a simple list of usernames and passwords is quite valuable to certain people. And if a bunch of skiddies can get in this many places, you can bet your ass that the professional crackers working in the interests of foreign governments or organized crime can reach even more.

Hopefully all this activity will be a wake-up call to both companies and users.

Originally Posted by Tommycat
There are other methods of protecting end user data. Just make sure you change your passwords regularly on anything you care if they get access to. You know... like financial stuff...
This. Also, people need to stop reusing the same password on everything, especially stuff they care about. Even on the stuff that doesn't matter, the closest I'd ever get to reusing a password would be having a 4-8 character prefix or suffix common to multiple sites and services, with the main portion of the password different.

Websites and services themselves also need to stop ****ing about with "no symbol" rules, lack of case sensitivity, and worst of all, maximum password lengths. It's not that hard to make a password system that can handle symbols, both cases of letters, and long passwords, and it seriously improves security. I know someone whose insurance company doesn't allow case sensitivity or symbols, and has a 10-character password maximum. I would switch companies in that situation. If they're that clueless security-wise with website security, god knows what their general network security is like. I wouldn't want to entrust all my insurance information to a company like that.

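As an added illustration of the password-policy point in the post above (example code, not from the post or from any real site): the "weak" functions mimic the insurance-company rules described there (case-insensitive, symbols stripped, 10-character maximum), while the "strong" functions show that accepting any length, case and symbol costs nothing once the password is salted and run through a slow KDF; the scrypt parameters are an assumed, modest setting.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Weak scheme, modelled on the policy described in the post: strip symbols,
# fold case, truncate to 10 characters. Many distinct passwords collapse to
# one stored value, so the effective keyspace is tiny.
def weak_normalize(password: str) -> str:
    letters_only = "".join(ch for ch in password if ch.isalnum())
    return letters_only.lower()[:10]

def weak_store(password: str) -> str:
    # Unsalted digest of the crippled password (illustrative only).
    return hashlib.sha256(weak_normalize(password).encode("utf-8")).hexdigest()

def weak_collisions(passwords) -> int:
    # How many distinct inputs share a stored value under the weak scheme.
    return len(passwords) - len({weak_store(p) for p in passwords})

# Strong scheme: the full password (any length, any case, any symbol) is
# hashed with a per-user random salt and a memory-hard KDF. Nothing about
# the password's content or length needs to be restricted.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # assumed, modest work factor

def strong_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest

def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Constructed sample passwords: identical under the weak rules, distinct under the strong ones.
    samples = ["Tr0ub4dor&3!Extra", "tr0ub4dor3e", "TR0UB4DOR-3"]
    print("weak scheme collisions:", weak_collisions(samples))
    salt, digest = strong_store(samples[0])
    print("strong scheme accepts the real password:", strong_verify(samples[0], salt, digest))
    print("strong scheme rejects the look-alike:", strong_verify(samples[1], salt, digest))
```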