Hackers Breached US Army Servers
An anonymous reader writes "A Turkish hacking ring has broken into 2 sensitive US Army servers, according to a new investigation uncovered by InformationWeek. The hackers, who go by the name 'm0sted' and are based in Turkey, penetrated servers at the Army's McAlester Ammunition Plant in Oklahoma in January. Users attempting to access the site were redirected to a page featuring a climate-change protest. In Sept. 2007, the hackers breached Army Corps of Engineers servers. That hack sent users to a page containing anti-American and anti-Israeli rhetoric. The hackers used simple SQL Server injection techniques to gain access. That's troubling because it shows a major Army security lapse, and also the ability to bypass supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches."
as usual, military contracting companies provided over-hyped shoddy work to the military, who either didn't know better or didn't care.
Of course, I thought it was going to be as simple as knowing that the password was "Joshua".
I am officially gone from
All your base are belong to us
That's troubling because it shows a major Army security lapse, and also the ability to bypass supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches.
Who knows where these outward-facing servers reside? Having outward websites vandalized says nothing about the security of an organization's networks.
love is just extroverted narcissism
You are wrong on so many levels. If you can't even bother to protect against simple things as SQL injection, I have a nasty feeling about the overall security.
Why isn't classified information on a separate network, not connected to the Net? Please: this is not 1980 anymore - protect critical information seriously.
If they want to prove a point they have to stop targeting US Defense facilities. Hack a serious portal like Slashdot if you can! Ha!
"Sum Ergo Cogito"
Pardon the rant, but can anyone tell me why we're still having people write code that is subject to SQL injection attacks?
I mean, sometimes potential buffer overflows in C/C++ programs can be tricky to notice. Writing threading code that's not subject to deadlock or starvation can often be a challenge.
But isn't code that's subject to SQL injection attacks just blindingly, amazingly obvious at first glance?
So much for Information Week being reasoned and sensible.
"Equally troubling is the fact that the hacks appear to have originated outside the United States. Turkey is known to harbor significant elements of the al-Qaida network. It was not clear if "m0sted" has links to the terrorist group."
Hooray for sensationalism!
I'm just playing devil's advocate but who puts their public website inside their defences?
I know it is an extremely common practice in this country to actually put sites like these on standard third party hosting services (e.g. Rackspace).
They set them up to be as secure as other e-commerce sites, so fairly secure, but without having to poke holes in a nice heavy firewall.
I didn't bother to RTFA, but the summary is inflammatory at best.
A public-facing, high-profile (perception) server gets compromised? That's not news.
Let's say it is news for a minute. What was the budget for this public-facing project? This is not a "major Army security lapse" by any stretch of the imagination.
Of course, my line of thinking wouldn't be widely accepted because it ignores the emotional response that the summary probably provokes in most people.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
How do you know that classified intelligence was even obtained? Why are you even assuming that the security of these servers, an ammunition plant and the Army Corps of Engineers no less, will have the same security as that of the Pentagon? Did it ever occur to you that perhaps the Army would appropriate security based on how vital their assets are?
1. good tactics
2. the ability to adapt new tactics as previously good tactics become irrelevant
one way a tactic becomes irrelevant is changing battlefield conditions. you don't fight in a swamp the way you fight in a desert, for instance
well, the internet is valid battlefield. and you fight on it with new tactics. it remains to be seen now if the us military understands that
1. it needs to take this battlefield seriously
2. it can develop good tactics to fight on this battlefield
but as it stands now, a bunch of teenagers are thoroughly and repeatedly trouncing the us military
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Why isn't classified information on a separate network, not connected to the Net
It is, in fact there are multiple, separate networks.
Other than the author repeating the word "sensitive" over and over again, there wasn't anything concrete in the article about whether the information was actually classified. I suspect it wasn't.
This is what you get when you recruit kids out of high school and renege on the promise of the money they will get for joining up. It is communism-on-a-stick. Where is the motivation to do well?
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
I think using SQL injection hasn't qualified as "hacking" since it showed up on XKCD.
Sensitive does not mean classified. Sensitive could be as simple as a change in the dinner menu at the chow hall, which could suggest the arrival of important personnel. Classified information would not even exist on networks accessible via the internet.
Apparently wizard is not a legitimate career path, so I chose programmer instead.
disinformation is a wonderful tool
Start by protecting against the simple stuff and work up.
Oh no, they redirected web users. My goodness, does this mean we'll see missiles flying overhead soon? /. care about mediocre over-hyped news?
Seriously, every department in the world has trojans in some form "inside the network". But retrieving the secretaries mail and retrieving classified information are different things. Albeit, redirecting users IS a mediocre risk, but since when does
This isn't too hard to find out. Look for GS military IT jobs, and see what they're hiring for. Lots of Windows crap. They still do have *nix positions, just not as many.
Of course, a 1 admin to 10 windows machine ratio is acceptable, as a 1 admin to 50 Linux machine ratio is acceptable. They have a LOT of workstations out there that need tending to.
Serious? Seriousness is well above my pay grade.
It appears the servers in question were used for serving up web sites. Probably publicly-facing web sites. So, what sensitive information was at risk? There are already regulations about what content can be approved to sit on a DoD server with a publicly-facing web site.
Yeah, I used to work at a defense contractor and classified systems are on separate networks, and to my knowledge are universally separate from anything connected to the internet. Sensitive is the lowest (or maybe second lowest?) classification, so breaking into "sensitive" servers isn't a particularly big deal, although I guess they might eke something useful out of it. Is our biggest fear that attackers might learn the inner secrets of publicly available government websites? Basically anything that they don't explicitly publish falls into this category as far as I can tell.
Ze Atomic Device! It iz Ztolen!
Cue a new cold war information protection policy! Dibs on the grey goo defense!
There are no perfect answers, only the right questions. More questions at http://foresightandhindsight.blogspot.com/
the goals in iraq and vietnam are different than that on the web. in iraq and vietnam you have to go out there and police the countryside. on the web, you just have to hunker down and prevent intrusions. it's the difference between riding out into the countryside and battening down the hatches on the castle. it's a lot easier to secure a castle than police the entire countryside
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Again?
Slashdot requires you to wait longer between hitting 'reply' and submitting a comment.
It's been 17 seconds since you hit 'reply'.
Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator.
So, what do I need to do, type really really slow?
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I don't know what I've been told
But Army servers are quickly pwned
You don't need some high-tech decryption machine
Just a string with a semi-colon in between
I don't know what I will find
When good Army hackers have resigned
We'll have a good laugh when some bored kid in China
Posts photos of Gen. Petraeus with a vagina
Meh. Locking your doors only means paying to replace a broken window along with your missing stuff. If the thief is determined, that is.
I too can provide vague, uninteresting and falsified anecdotal evidence, look at me go!
the battle on the web is one of image and a communication capability and integrity. if the enemy can thoroughly trounce the image and capability of the military on the web, then that is a battlefield which is a valid battlefield and which has been won by the enemy. you thoroughly reject the validity of this battlefield. you are thoroughly wrong and woefully behind the times
your allegory of spraypainting graffiti on fences is inaccurate. it would be more accurate to say every flag in every corridor were turned into the nazi flag and every manual in every shelf were turned into mao's little red book, and every directive and nonsecure communication were replaced with the speeches of tokyo rose
the scale and the morale effect is a lot larger than you suppose, and the effect on nonessential, and sometimes even essential communication channels is game-changing
get with the times. it matters a hell of a lot more than you think and it will only continue to matter more. it is often said that the wars in the middle east are about winning hearts and minds. image control in that regard matters crucially. it does no good to project an image of incompetence, to give the enemy something to celebrate in terms of david beating goliath
and this isn't even a new concept. it is valid in a million examples pre-internet. for one, consider the doolittle raid on tokyo after pearl harbor: completely tactically pointless. but in terms of morale boost for the usa, and morale killer for the enemy, it was huge. this is the exact same dynamic going on with the ability of teenagers to deface the military's presence on the internet, nevermind their ability to infiltrate actual essential communication, which you don't even consider to be a possibility
well you can bet russia and china are considering that possibility, and may even have contingencies and capabilities in place to do exactly that while you snooze and act dismissive about what is going on here in terms of infiltration. you snooze you lose. right now, you are comatose
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The Royal Navy now uses Windows for Warships :-(
If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
Classified+ information isn't available off a webserver on the Internet. If it is, someone would be being headed to the military prison at Leavenworth for a very long time.
I doubt there is anything beyond general secret at McAlester. Those bomb designs are older than anybody on /.
Ok so someone defaced a website used by the US Army. How do we know that the website is not hosted by a 3rd party provider? Also how are we sure that sensitive information and the website are on the same network? Also the army may not have coded the website so it could have just been piss poor coding by a 3rd party web developer and not the contractor who codes the programs that control the sensitive information.
In other words just because the front end website for the Army got defaced that means nothing. It is like defacing the IRS website. It means nothing till you have peoples tax returns being rerouted to your personal bank account.
I smoked pot once. But I DID NOT inhale. Will you hire me?
That is not true. When you work for a military contractor you would be amazed at the amount of classified information which is available on the shared drives.
No--it is not directly available to the internet, but how many exploits does it take to hijack a browser and gain a command prompt or a vector to the injection of bytecode? How about hijack a browser and progressively insert holes in the compromised system until a backdoor can be opened? Sure, going to www.military-contractor.com and trying to force a way from their web server to their firewall to the internal network is difficult (though still not impossible), it is much easier to lace the 'net with booby traps. Think joke sites, humor sites, sites with flashplayer or java games or comics or even seemingly legitimate business presentations. How many exploits have we seen in codecs for music, even?
Classified information may not exist on systems you think are accessed from the internet--but classified information sure as heck exists on the drives shared to systems which are used as clients to the internet. There really is no difference once the fiber (or copper) is connected.
Um, I'd say that any website from a personal website with nothing terribly important on it to the system used to launch nuclear weapons should guard against something as simple as SQL injection. Now, you might not want to have passwords 468000 characters long for a lower security website, but surely blocking SQL injection is something all websites should guard against.
Taxation is legalized theft, no more, no less.
Um, sensitive information is on a separate network.
http://en.wikipedia.org/wiki/SIPRNET
I work at a network node for the U.S. Army. The security procedures that come down from the top are focused on preventing abusive access by employees. The various applications that we use to "prevent" malicious outside access are pretty trivial to defeat. It's no surprise when the lowest bidder gets to produce and/or implement the procedures and software.
Unless of course that weakest link lies outside of the circle of trust, making it just like any other link not part of the chain, whereby breaking said link in no way negatively affects the structural integrity of the aforementioned chain.
After the Decepticons hacked in and stole all that info from Captain Witwicky, that they would secure their information better.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
Turkish hackers are well known to compete on mass defacement contests.
When preparing a contest, they scan all IPs to locate vulnerable sites.
When the contest starts, they deface the maximum number of sites in a given amount of time (probably one hour in this case).
They always go for the quickest way to hack a site, and so, they are not really hackers but script-kiddies.
TFA is complete bullshit, since the hackers don't care about the content of the sites.
BTW, why does the army still keep vulnerable Windows servers reachable on the Internet?
http://en.wikipedia.org/wiki/SIPRNET http://en.wikipedia.org/wiki/NIPRNET
The US military has a (well, many) classified network and an unclassified network. All computing equipment has a little sticker on it that says which (classified or unclassified) purpose that equipment is used for. I'm sure that the hacked web servers all have a little blue sticker with white text that says that the server is to only work with unclassified info (websites, most likely). I wouldn't really call this a security breach any more than I'd call shoplifting a robbery. While yes, the web servers were indeed "hacked", it's not like that webserver was hosting top secret plans in pdf form for distribution purposes.
Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
Web server page redirection? Should that scare me? I mean, it's not quite as if somebody smuggled munitions or fired a weapon.
"Oh...but the breach reveals the military's vulnerability."
Does it? To what?
Answer: To webserver page redirection.
Might there be greater risk here? Perhaps. But no evidence was presented to indicate that. Get back to me when you've identified a MATERIAL RISK, not merely a TECHNICAL VULNERABILITY.
As for those of you who have hopes and expectations that ALL THINGS MILITARY will be secure...WTF?
Users attempting to access the site were redirected to a page featuring a climate-change protest.
OHNOES! They breached the admin net!
There's a reason why the protected A/B network is accessible to the intarwebs and the L2 or higher networks are not. This may be interesting from a hacktivism standpoint... but it's not terribly newsworthy... or, at least, it's not got nearly as much shock value as the summary purports it to have.
Oh god, that woman is John Romero!
Don't you mean "Windows For Warcraft"?
Some companies do not consider you to have done due diligence if you do not lock up. That is why I always lock the doors of rental cars, even though I don't lock my car's doors. I would also check your homeowners insurance policy for door locking.
they hacked the gibson...
*plays the Apogee theme song music*
I'm hardly one to defend MS products, but come on.
SQL injection is hardly "a security vulnerability in Microsoft's SQL Server database." SQL injection is a result of badly written code. Nothing more. There is never an excuse for that to occur, even in environments where security isn't the top priority.
The whole article feels a bit off to me. I get the sense it was written by somebody with little technical cluefulness. I particularly like the line about "sophisticated Defense Department tools and procedures designed to prevent such breaches" followed by a sentence identifying AV software. Written by a dummy, for similarly intelligent people, perhaps?
Correct, Sensitive is specifically interpreted to mean non-classified information that is exempt from FOIA release, data such as SSNs and unit rosters and the like.
I'm too lazy to compose a creative sig.
I don't lock my doors at night, but I do consider my security system secure. If anyone touches the door handle after 8:00pm, it triggers a shotgun that blows their head off. You wouldn't believe the piles of dead robbers we have in my garage!
I am the richest astronaut ever to win the superbowl.
"most advanced" and Microsoft? Giggles :) Gary McKinnon showed the way in :)
Domestic spying is now "Benign Information Gathering"
Yeah. If you read about all of the shit the military keeps secret for decades, something tells me that information week wasn't able to pull something the military didn't want to give.
So, what would you do if you wanted to learn the technical capabilities of the enemy? Try to hack into their location, or set up some seemingly vulnerable services and watch what they do? Double bonus: "leak" the break-in (wink wink) to Information Week and see what kind of celebration activity you can see on the lines. Hell, I'd be setting up false gold mines all over the place, and some with false information you know have been leaked through double agents already.
It's better for the military to see an attack vector earlier rather than later.
You sir are an ignoramus on so many levels. It was just a web server. It wasn't a classified server which is IN FACT kept on a separate network.
you consider the battlefield invalid and low-priority
strange how people are so hard at work on this unimportant nonbattlefield, eh?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The important part was "Beyond the redirects, it's not clear whether the group was able to obtain sensitive information from the Army's servers. "
They didn't get any "sensitive" information. Sure as heck they didn't get any classified information. They breached a public web site, hosted on a public network. I seriously doubt the server was even physically close to any classified information, much less attached to a network with any, or contained any itself.
They screwed with the gov't, which still makes them fair game for jail time, but I'm sure they didn't get troop movements, nuclear launch codes, or the base commander's daughter's cell number. :)
Serious? Seriousness is well above my pay grade.
I work at a network hub for the army, and we have a sun server that runs part of the satellite comms. when the current company's contract expires, and GD takes over, everything's going to windows. in my last unit, the unix box we were using for battlefield awareness got replaced by a server 2003 box. *nix/everything except windows is slowly going away as time goes on.
Sensitive information is likely FOUO and definitely NOT classified. As others have already pointed out, if a user somehow posted classified information on that server, they would find their ass in a sling PDQ. Classified information is always always always on a separate network. Because the most secure network is one that cannot communicate with the outside world.
Sorry Charlie, but clients with classified data are physically separated from the public internet. USB ports and other sneakernet outlets are (should be) disabled. The folks that take care of the important stuff aren't stupid and are highly paranoid.
I have something in common with Stephen Hawking...
It's sad that the Microsoft sales people are better.
People bitch about the MS tax, and go pirate Windows and Office for their home computers, but that doesn't even make a dent in their income. They make HUGE money off government and corporate contracts.
Serious? Seriousness is well above my pay grade.
But I'm really hoping that "mosted" translates into something really awesome, because in English, it just sounds pretty gay...
Xaotik Designs
Turkey fell for this US Army honeypot. And Slashdotters play the game. Oops!
Slashdot, fix the reply notifications... You won't get away with it...
Changing wording to create fiction in the hope that somebody gullible will hand over some cash is not the way to fight this increasingly organised and increasingly common criminal activity, but unfortunately that is how the current head of the NSA and others scrambling for funding are doing it. One such idiot full of cyberhype recently showed he knew less about Trojans than anyone with even a passing knowledge of european culture let alone a computer professional (ie. the Trojan horse lets the other nasty stuff in). Forget the "guerrilla war against hackers" bullshit since the people we really want to catch are fraudsters, money launderers and the occasional trespasser onto military networks which makes them a spy and not some "cyberterrorist". When we escalate the words into the realm of fantasy you end up with pointless running around in circles trying to catch fantastic supervillains that may not exist instead of looking at reality and catching those that do exist.
yup. that, and overall, as much as I hate MS, they're overall easy to use. easy for the people who don't really know computers to pick up on, as opposed to *nix.
I used to work for one of the larger defense contractors and the information that was considered vital to system design or classified as at least secret was usually on separate servers that were not connected to the internet. I know on several occasions when sensitive information was sent across the internet it was done on a special computer. I've also seen instances where the information was not allowed to be on a computer at all.
I couldn't think of anything witty to say, so...you're stuck with this.
http://www.nytimes.com/2009/05/29/us/politics/29cyber.html
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Anti-climate change and anti-Israeli sites? Why didn't they at least do something funny, like redirect to goatse? This story would be so much better if it were 'Hackers Rick-Roll US Army Servers' or something along those lines.
The folks that take care of the important stuff aren't stupid and are highly paranoid.
Not sure where you're getting your facts from, but from my years in the military I'd venture to say that you're a bit overconfident. There are plenty of ways for sensitive data to find its way into the hands of outsiders.
Traditionally, the stunt-double, when it comes to responsibility being assigned is Gary McKinnon.
Requiem for the American Dream
Shouldn't that be "crackers" or "cyber-criminals"?
Are we giving up on resisting the bastardization of the word hacker?
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
And, how do they taste barbecued?
They just don't care, they give the semblance of caring, but it's just a facade
This was nothing more than a simple-minded attack on a handful of public websites containing NO classified data.
The U.S. military follows a rigid security discipline of having separate network for secure ("black") and non-secure ("red") traffic. There is NO PHYSICAL CONNECTION between these networks, and there is NO connection between the black networks and the Internet.
This article was right up there with Swine Flu II: Pure sensationalism.
Regards;
Nuclear Silos! I really hope not. But this so called cyberwarfare that previous posters are talking about that requires outlandish budgets because it's supposedly more dangerous than real warfare is only dangerous when you link weapons to computers. And here we are sitting on top of tens of thousands of nuclear bombs controlled by computers, and building airplanes and tanks and robots with guns. It doesn't matter if they're linked to the internet or not. The fact remains they have radio receivers that can give commands to shoot and kill people. Please stop listing cyber-graffiti and start talking about the serious problems.
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
1) Get query data from user.
2) Wrap query data in proper SQL statement AS TEXT STRINGS.
3) Execute SQL statement.
4) Return results to user.
Any SQL injection exploits are treated as 'search text' so should be harmless, right?
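The four-step recipe above (and the "badly written code" point made earlier in the thread) is easiest to see with a concrete pair of queries. This is an added example, not code from the article or from any poster: a constructed in-memory SQLite table and a search function written both ways. Wrapping the user's text in quote marks (step 2) does not make it inert, because the text can contain a quote of its own; a bound parameter does make it inert, because the statement's structure is fixed before the input is seen.

```python
import sqlite3

# Constructed sample data (not from the article): a handful of pages, some of
# which a public search box should never surface.
SAMPLE_ROWS = [
    ("lemon-bars", "published"),
    ("muster-roster", "restricted"),
    ("menu-week-12", "published"),
]


def make_db() -> sqlite3.Connection:
    """Build the constructed table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (slug TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO page VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Step 2 as the comment describes it: the user's text is wrapped in
    quotes and pasted into the statement.  The quotes are only text to the
    parser; a quote character inside `term` ends the literal early and the
    rest of the input becomes part of the WHERE clause."""
    sql = ("SELECT slug FROM page WHERE visibility = 'published' "
           "AND slug LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened form: the statement text is constant and the user's text is
    handed to the driver as a bound parameter.  Whatever characters it
    contains, it can only ever be compared as a value."""
    sql = ("SELECT slug FROM page WHERE visibility = 'published' "
           "AND slug LIKE '%' || ? || '%'")
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    # An ordinary search behaves the same either way.
    print(search_vulnerable(db, "menu"), search_safe(db, "menu"))
    # The textbook quote-breaking input (constructed): the concatenated query
    # degenerates to "... OR 1=1" and leaks the restricted row; the
    # parameterised query just searches for that literal text and finds none.
    probe = "' OR 1=1 --"
    print(search_vulnerable(db, probe), search_safe(db, probe))
```

The useful check when reviewing code is not whether the input is quoted but whether any user-supplied text reaches the SQL string at all; if it does, the query needs rewriting with parameters regardless of how "harmless" the field looks.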
Agreed.
However, from my years in the military working in G-6 and G-2 (Communications and Intelligence) I can tell you that the penalties are quite severe for handling classified materials in a manner inconsistent with control protocols. That was my main argument against outsourcing the data comm portion of our infrastructure. This (at the time) was to include portions of the SIPR net. Depending on the classification of the data it may not be able to be on any network that reaches outside the vault in a SCIF.
Most of the data that is leaked is sensitive in nature but not so much that it is immediately actionable or significantly changes the conclusions one could draw from information that would be much easier to garner.
The largest leaks that occur are usually with outsiders that are not inculcated into the culture of the military and its purpose, ie civilian contractors.
This website breach was something that a wee little hacker with a wee little ego can brag about because it has the US Army stamp on it, not because the data could cause harm to the Army or any of its operations.
If they had TSA agents standing at all the firewalls, making each packet take off its shoes before proceeding - this could have been stopped.
Which part of the: "The Pentagon plans [emphasis mine] to create a new military command for cyberspace, administration officials said Thursday, stepping up preparations by the armed forces to conduct both offensive and defensive computer warfare," — did you miss? I mean, come on, it is the first paragraph of your own link!
In Soviet Washington the swamp drains you.
Interesting. Lemme just say that while deployed as an info assurance / security manager for a small unit working directly under a major Army command, I dealt with spillage (processing of classified information on unclassified systems) on a monthly, if not weekly basis. I lost count of how many customers were sending 8-digit grid coordinates over the NIPR, even though it is supposed to be common knowledge that information like that is to be protected from disclosure over unsecured comms. Furthermore, although the G2 was well prepared to provide support for mitigation procedures and sanitization, punishment for the crime was often delegated to the individual commander--at which point "penalties" becomes a relative word.
Mods: I don't think this is flamebait; or at least, I never intended it to be. I'm just surprised... generally organizations that care about security above other issues tend to go with a Unix-based system. I never said there wasn't a place for Windows servers, just that I'm kinda surprised that the army apparently prefers them over *nix.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs