Hackers Breached US Army Servers
An anonymous reader writes "A Turkish hacking ring has broken into 2 sensitive US Army servers, according to a new investigation uncovered by InformationWeek. The hackers, who go by the name 'm0sted' and are based in Turkey, penetrated servers at the Army's McAlester Ammunition Plant in Oklahoma in January. Users attempting to access the site were redirected to a page featuring a climate-change protest. In Sept, 2007, the hackers breached Army Corps of Engineers servers. That hack sent users to a page containing anti-American and anti-Israeli rhetoric. The hackers used simple SQL Server injection techniques to gain access. That's troubling because it shows a major Army security lapse, and also the ability to bypass supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches."
when you are busy trying to defend against the most advanced crackers around, and whatever complex tools they are using, it's probably easy to overlook the simpler stuff
as usual, military contracting companies provided over-hyped shoddy work to the military, who either didn't know better or didn't care.
Of course, I thought it was going to be as simple as knowing that the password was "Joshua".
I am officially gone from
All your base are belong to us
That's troubling because it shows a major Army security lapse, and also the ability to bypass supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches.
Who knows where these outward facing servers reside? Having outward websites vandalized says nothing about the security of an organization's networks.
love is just extroverted narcissism
The US Army uses Windows servers?
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
If they want to prove a point they have to stop targeting US Defense facilities. Hack a serious portal like Slashdot if you can! Ha!
"Sum Ergo Cogito"
Pardon the rant, but can anyone tell me why we're still having people write code that is subject to SQL injection attacks?
I mean, sometimes potential buffer overflows in C/C++ programs can be tricky to notice. Writing threading code that's not subject to deadlock or starvation can often be a challenge.
But isn't code that's subject to SQL injection attacks just blindingly, amazingly obvious at first glance?
So much for Information Week being reasoned and sensible.
"Equally troubling is the fact that the hacks appear to have originated outside the United States. Turkey is known to harbor significant elements of the al-Qaida network. It was not clear if "m0sted" has links to the terrorist group."
Hooray for sensationalism!
I'm just playing devil's advocate but who puts their public website inside their defences?
I know it is an extremely common practice in this country to actually put sites like these on standard third party hosting services (e.g. Rackspace).
They set them up to be as secure as other e-commerce sites, so fairly secure, but without having to poke holes in a nice heavy firewall.
I didn't bother to RTFA, but summary is inflammatory at best.
A public-facing, high-profile (perception) server gets compromised? That's not news.
Let's say it is news for a minute. What was the budget for this public-facing project? This is not a "major Army security lapse" by any stretch of the imagination.
Of course, my line of thinking wouldn't be widely accepted because it ignores the emotional response that the summary probably provokes in most people.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
A chain is not stronger than its weakest link.
A simple and powerful principle when dealing with security, whatever side of the law or order you are.
1. good tactics
2. the ability to adapt new tactics as previously good tactics become irrelevant
one way a tactic becomes irrelevant is changing battlefield conditions. you don't fight in a swamp the way you fight in a desert, for instance
well, the internet is a valid battlefield. and you fight on it with new tactics. it remains to be seen now if the us military understands that
1. it needs to take this battlefield seriously
2. it can develop good tactics to fight on this battlefield
but as it stands now, a bunch of teenagers are thoroughly and repeatedly trouncing the us military
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
This is what you get when you recruit kids out of high school and renege on the promise of the money they will get for joining up. It is communism-on-a-stick. Where is the motivation to do well?
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
I think using SQL injection hasn't qualified as "hacking" since it showed up on XKCD.
By a mysterious terrorist collective that goes by the name of "mAkeslashd0teditorsl00kg00dbyc0mparis0n" who over hypes to the extreme while conflating sql injection attacks with the evil weapon of mass destruction SQL Server made by rogue nation-state Microsoft.
Hmm... Not surprised.
Makes my balls itch.
disinformation is a wonderful tool
Start by protecting against the simple stuff and work up.
Oh no, they redirected web users. My goodness, does this mean we'll see missiles flying overhead soon?
Seriously, every department in the world has trojans in some form "inside the network". But retrieving the secretary's mail and retrieving classified information are different things. Albeit, redirecting users IS a mediocre risk, but since when does /. care about mediocre over-hyped news?
It appears the servers in question were used for serving up web sites. Probably publicly-facing web sites. So, what sensitive information was at risk? There are already regulations about what content can be approved to sit on a DoD server with a publicly-facing web site.
In the same way I wouldn't consider a thief walking into your unlocked house, stealing all your stuffs breaking into your house
If you are stupid enough to not lock your doors...
I'm not saying that it isn't still illegal or wrong, but you can do things to protect yourself.
Cue a new cold war information protection policy! Dibs on the grey goo defense!
There are no perfect answers, only the right questions. More questions at http://foresightandhindsight.blogspot.com/
the goals in iraq and vietnam are different than that on the web. in iraq and vietnam you have to go out there and police the countryside. on the web, you just have to hunker down and prevent intrusions. it's the difference between riding out into the countryside and battening down the hatches on the castle. it's a lot easier to secure a castle than police the entire countryside
Again?
Slashdot requires you to wait longer between hitting 'reply' and submitting a comment.
It's been 17 seconds since you hit 'reply'.
Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator.
So, what do I need to do, type really really slow?
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Sounds like little more than defacing public military websites to boost their "1337" egos. The real hacks, the serious ones, are the ones you never hear about because the perpetrators are smart enough to not go around publicly proclaiming that they broke in.
I don't know what I've been told
But Army servers are quickly pwned
You don't need some high-tech decryption machine
Just a string with a semi-colon in between
I don't know what I will find
When good Army hackers have resigned
We'll have a good laugh when some bored kid in China
Posts photos of Gen. Petraeus with a vagina
Meh. Locking your doors only means paying to replace a broken window along with your missing stuff. If the thief is determined, that is.
the battle on the web is one of image and a communication capability and integrity. if the enemy can thoroughly trounce the image and capability of the military on the web, then that is a battlefield which is a valid battlefield and which has been won by the enemy. you thoroughly reject the validity of this battlefield. you are thoroughly wrong and woefully behind the times
your allegory of spraypainting graffiti on fences is inaccurate. it would be more accurate to say every flag in every corridor were turned into the nazi flag and every manual in every shelf were turned into mao's little red book, and every directive and nonsecure communication were replaced with the speeches of tokyo rose
the scale and the morale effect is a lot larger than you suppose, and the effect on nonessential, and sometimes even essential communication channels is game-changing
get with the times. it matters a hell of a lot more than you think and it will only continue to matter more. it is often said that the wars in the middle east are about winning hearts and minds. image control in that regard matters crucially. it does no good to project an image of incompetence, to give the enemy something to celebrate in terms of david beating goliath
and this isn't even a new concept. it is valid in a million examples pre-internet. for one, consider the doolittle raid on tokyo after pearl harbor: completely tactically pointless. but in terms of morale boost for the usa, and morale killer for the enemy, it was huge. this is the exact same dynamic going on with the ability of teenagers to deface the military's presence on the internet, nevermind their ability to infiltrate actual essential communication, which you don't even consider to be a possibility
well you can bet russia and china are considering that possibility, and may even have contingencies and capabilities in place to do exactly that while you snooze and act dismissive about what is going on here in terms of infiltration. you snooze you lose. right now, you are comatose
come on people, sql injection attack == hackers? plz web server defraud is only for even more sad audience who thinks its a form of haking
Thanks for the info, Turkish crackers, I didn't know the Army had an ammo plant in OK. That will be useful info.
Ok so someone defaced a website used by the US Army. How do we know that the website is not hosted by a 3rd party provider? Also how are we sure that sensitive information and the website are on the same network? Also the army may not have coded the website so it could have just been piss poor coding by a 3rd party web developer and not the contractor who codes the programs that control the sensitive information.
In other words just because the front end website for the Army got defaced that means nothing. It is like defacing the IRS website. It means nothing till you have people's tax returns being rerouted to your personal bank account.
I smoked pot once. But I DID NOT inhale. Will you hire me?
After the Decepticons hacked in and stole all that info from Captain Witwicky, that they would secure their information better.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
SQL *Server* injection attacks? /. doesn't know the difference between SQL and SQL Server, really?
Turkish hackers are well known to compete on mass defacement contests.
When preparing a contest, they scan all IPs to locate vulnerable sites.
When the contest starts, they deface the maximum number of sites in a given amount of time (probably one hour in this case).
They always go for the quickest way to hack a site, and so, they are not really hackers but script-kiddies.
TFA is completely bullshit, since the hackers don't care about the content of the sites.
BTW, why does the army still keep vulnerable Windows servers reachable on the Internet?
Web server page redirection? Should that scare me? I mean, it's not quite as if somebody smuggled munitions or fired a weapon.
"Oh...but the breach reveals the military's vulnerability."
Does it? To what?
Answer: To webserver page redirection.
Might there be greater risk here? Perhaps. But no evidence was presented to indicate that. Get back to me when you've identified a MATERIAL RISK, not merely a TECHNICAL VULNERABILITY.
As for those of you who have hopes and expectations that ALL THINGS MILITARY will be secure...WTF?
Users attempting to access the site were redirected to a page featuring a climate-change protest.
OHNOES! They breached the admin net!
There's a reason why the protected A/B network is accessible to the intarwebs and the L2 or higher networks are not. This may be interesting from a hacktivism standpoint... but it's not terribly newsworthy... or, at least, it's not got nearly as much shock value as the summary purports it to have.
Oh god, that woman is John Romero!
Some companies do not consider you to have done due diligence if you do not lock up. That is why I always lock the doors of rental cars, even though I don't lock my car's doors. I would also check your homeowners insurance policy for door locking.
they hacked the gibson...
*plays the Apogee theme song music*
I'm hardly one to defend MS products, but come on.
SQL injection is hardly "a security vulnerability in Microsoft's SQL Server database." SQL injection is a result of badly written code. Nothing more. There is never an excuse for that to occur, even in environments where security isn't the top priority.
The whole article feels a bit off to me. I get the sense it was written by somebody with little technical cluefulness. I particularly like the line about "sophisticated Defense Department tools and procedures designed to prevent such breaches" followed by a sentence identifying AV software. Written by a dummy, for similarly intelligent people, perhaps?
Hackers have resorted to climate change and anti-war propaganda for their defacing of websites? Whatever happened to "FREE KEVIN MITNICK!" .. now there was a message worth listening to ;).
I don't lock my doors at night, but I do consider my security system secure. If anyone touches the door handle after 8:00pm, it triggers a shotgun that blows their head off. You wouldn't believe the piles of dead robbers we have in my garage!
I am the richest astronaut ever to win the superbowl.
Yeah. If you read about all of the shit the military keeps secret for decades, something tells me that information week wasn't able to pull something the military didn't want to give.
So, what would you do if you wanted to learn the technical capabilities of the enemy? Try to hack into their location, or set up some seemingly vulnerable services and watch what they do? Double bonus: "leak" the break-in (wink wink) to Information Week and see what kind of celebration activity you can see on the lines. Hell, I'd be setting up false gold mines all over the place, and some with false information you know have been leaked through double agents already.
It's better for the military to see an attack vector earlier rather than later.
you consider the battlefield invalid and low-priority
strange how people are so hard at work on this unimportant nonbattlefield, eh?
But I'm really hoping that "mosted" translates into something really awesome, because in English, it just sounds pretty gay...
Xaotik Designs
Turkey fell for this US Army honeypot. And Slashdotters play the game. Oops!
Slashdot, fix the reply notifications... You won't get away with it...
Changing wording to create fiction in the hope that somebody gullible will hand over some cash is not the way to fight this increasingly organised and increasingly common criminal activity, but unfortunately that is how the current head of the NSA and others scrambling for funding are doing it. One such idiot full of cyberhype recently showed he knew less about Trojans than anyone with even a passing knowledge of European culture let alone a computer professional (ie. the Trojan horse lets the other nasty stuff in). Forget the "guerrilla war against hackers" bullshit since the people we really want to catch are fraudsters, money launderers and the occasional trespasser onto military networks which makes them a spy and not some "cyberterrorist". When we escalate the words into the realm of fantasy you end up with pointless running around in circles trying to catch fantastic supervillains that may not exist instead of looking at reality and catching those that do exist.
I used to work for one of the larger defense contractors and the information that was considered vital to system design or classified as at least secret were usually on separate servers that were not connected to the internet. I know on several occasions when sensitive information was sent across the internet it was done on a special computer. I've also seen instances where the information was not allowed to be on a computer at all.
I couldn't think of anything witty to say, so...you're stuck with this.
http://www.nytimes.com/2009/05/29/us/politics/29cyber.html
Anti-climate change and anti-Israeli sites? Why didn't they at least do something funny, like redirect to goatse? This story would be so much better if it were 'Hackers Rick-Roll US Army Servers' or something along those lines.
where $X = {"nuclear missle", "strategic bomber", "wmd", "UAV", "cyberspace"};
Remember Citizens, your duty is to cower at all times and pay your tithes to your feudal masters.
Remember Citizens, thinking is for anti-State terrorists, so report all thinkers to your local Homeland Security officer.
Army's McAlester Ammunition Plant in Oklahoma ... Users attempting to access the site were redirected to a page featuring a climate-change protest.
Who the hell would visit an Ammunition Plant website?
Shouldn't that be "crackers" or "cyber-criminals"?
Are we giving up on resisting the bastardization of the word hacker?
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
Also annoying is that recently the "Moderate" button no longer appears when I use Firefox (which is all the time). It's there if I use IE but if you think I'm using that rubbish to surf the web you're crazy! It's only a bloody HTML button for "Bob"s sake!
So for the third week running here I am browsing away with 20 moderator points ready for use but, without using IE, no way to use them.
Bring back the old Slashcode that's what I say - or at least the good bits.
but sir we are upgrading your systems to windblast 7
anyway I say good, buy some more of microsoft so you will be hacked to hell you army morons
And, how do they taste barbecued?
I have personal experience with DoD networks and there is nothing particularly sophisticated about their tools and procedures. Security of classified material comes from keeping it offline altogether and there is a difference between "sensitive" and "classified" material.
This was nothing more than a simple-minded attack on a handful of public websites containing NO classified data.
The U.S. military follows a rigid security discipline of having separate network for secure ("black") and non-secure ("red") traffic. There is NO PHYSICAL CONNECTION between these networks, and there is NO connection between the black networks and the Internet.
This article was right up there with Swine Flu II: Pure sensationalism.
Regards;
Nuclear Silos! I really hope not. But this so called cyberwarfare that previous posters are talking about that requires outlandish budgets because it's supposedly more dangerous than real warfare is only dangerous when you link weapons to computers. And here we are sitting on top of tens of thousands of nuclear bombs controlled by computers, and building airplanes and tanks and robots with guns. It doesn't matter if they're linked to the internet or not. The fact remains they have radio receivers that can give commands to shoot and kill people. Please stop listing cyber-graffiti and start talking about the serious problems.
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
1) Get query data from user.
2) Wrap query data in proper SQL statement AS TEXT STRINGS.
3) Execute SQL statement.
4) Return results to user.
Any SQL injection exploits are treated as 'search text' so should be harmless, right?
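The four steps in the comment above, as an added example that is not part of the original thread: the same search built once by pasting the user's text between quote characters and once with a bound parameter. It uses Python's built-in sqlite3 rather than SQL Server so it runs offline; the table, column names, rows and search terms are constructed for the illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: two public pages and one unpublished draft.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (title TEXT, body TEXT, public INTEGER)")
    db.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [
            ("Visitor info", "Gate hours and directions", 1),
            ("Press releases", "Public affairs contact", 1),
            ("Draft notice", "Unpublished staff draft", 0),
        ],
    )
    return db


def search_concatenated(db, term):
    # Step 2 done by string building: the text is wrapped in quotes and pasted
    # into the statement. The database parses the finished string as a whole,
    # so a quote inside `term` closes the literal and the rest is read as SQL.
    sql = ("SELECT title FROM pages WHERE public = 1 AND title LIKE '%"
           + term + "%'")
    return [row[0] for row in db.execute(sql)]


def search_parameterized(db, term):
    # Step 2 done with a placeholder: the statement text is fixed and the
    # user's text travels separately as a value, so it is never parsed as SQL.
    # (% and _ in the term still act as LIKE wildcards, but only inside the
    # pattern; the public = 1 condition cannot be altered.)
    sql = "SELECT title FROM pages WHERE public = 1 AND title LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


def demo():
    db = make_db()
    crafted = "%' OR '%'='"  # constructed search text containing quotes
    results = {
        "concat_normal": search_concatenated(db, "Press"),
        "concat_crafted": search_concatenated(db, crafted),
        "param_normal": search_parameterized(db, "Press"),
        "param_crafted": search_parameterized(db, crafted),
    }
    # An ordinary apostrophe is enough to break the string-built statement,
    # which is often the first visible symptom in application error logs.
    try:
        search_concatenated(db, "Visitor's")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    results["param_apostrophe"] = search_parameterized(db, "Visitor's")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

With the string-built query the crafted term returns the unpublished row as well; with the placeholder it is simply search text that matches nothing.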
If they had TSA agents standing at all the firewalls, making each packet take off its shoes before proceeding - this could have been stopped.
Which part of the: "The Pentagon plans [emphasis mine] to create a new military command for cyberspace, administration officials said Thursday, stepping up preparations by the armed forces to conduct both offensive and defensive computer warfare," — did you miss? I mean, come on, it is the first paragraph of your own link!
In Soviet Washington the swamp drains you.