Slashdot Mirror


Hackers Breached US Army Servers

An anonymous reader writes "A Turkish hacking ring has broken into 2 sensitive US Army servers, according to a new investigation uncovered by InformationWeek. The hackers, who go by the name 'm0sted' and are based in Turkey, penetrated servers at the Army's McAlester Ammunition Plant in Oklahoma in January. Users attempting to access the site were redirected to a page featuring a climate-change protest. In Sept, 2007, the hackers breached Army Corps of Engineers servers. That hack sent users to a page containing anti-American and anti-Israeli rhetoric. The hackers used simple SQL Server injection techniques to gain access. That's troubling because it shows a major Army security lapse, and also the ability to bypass supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches."


  1. In other words ... by dkleinsc · · Score: 4, Funny

    as usual, military contracting companies provided over-hyped shoddy work to the military, who either didn't know better or didn't care.

    Of course, I thought it was going to be as simple as knowing that the password was "Joshua".

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
    1. Re:In other words ... by Shakrai · · Score: 4, Funny

      Of course, I thought it was going to be as simple as knowing that the password was "Joshua".

      Actually it's "joshua". Mr. Falken was lazy and didn't like having to reach for the shift key ;)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:In other words ... by Dishevel · · Score: 2, Funny
      Yeah! In 3500BC we had the ability to kill shit. In 2009 we have the ability to kill shit. What exactly did we gain?

      See I too can just over simplify stuff till my point seems reasonable.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    3. Re:In other words ... by tsm_sf · · Score: 2, Insightful

      Yeah! In 3500BC we had the ability to kill shit. In 2009 we have the ability to kill shit. What exactly did we gain?

      You're making an entirely different point from the one you think you're making.

      --
      Literalism isn't a form of humor, it's you being irritating.
  2. I know this is old but, by Anonymous Coward · · Score: 5, Funny

    All your base are belong to us

  3. Re:wood for the trees by dk90406 · · Score: 5, Insightful

    You are wrong on so many levels. If you can't even bother to protect against simple things as SQL injection, I have a nasty feeling about the overall security.
    Why aren't classified information on a separate network, not connected to the Net? Please: this is not 1980 anymore - protect critical information seriously.

  4. Amateurs by Kensai7 · · Score: 4, Funny

    If they want to prove a point they have to stop targeting US Defense facilities. Hack a serious portal like Slashdot if you can! Ha!

    --
    "Sum Ergo Cogito"
    1. Re:Amateurs by mlts · · Score: 3, Informative

      Actually, if someone did a show-stopper like that it would be a bad thing for everyone. It would provide the impetus for the Internet to be split up into separate non-connected networks and walled gardens. These wouldn't be "mere" firewalls, these would be networks that would be either running a new (or old) network protocol (IPX is an example) or a non routable protocol such as NetBEUI (Don't confuse NetBEUI with NetBIOS... NetBEUI is the transportation and is obsolete, as TCP/IP has completely taken over that communication layer function) or AppleTalk.

      Right now, a black hat can sit at his/her computer, and connect on the same network to virtually anything. Should people get too upset and knee-jerkish about a War Games scenario, he or she would have to spend a lot of time and effort trying to get gateways working to networks that have completely different protocols (IPX, VINES) in the effort to try to attack machines.

      Compared to the past, a dedicated cracker just needs to focus on a relatively small part of an OS or a service like Apache, IIS, or SQL Server for great gains. In the past, one had to jump from DECNet to BITNET to NSFNet, perhaps going through multiple UUCP hops if the boxes were moving mail via store and forward and modems. Almost no host or network was the same as another, so a generic "script kiddy" who could run a prepackaged toolkit against a random company didn't exist back then.

  5. Amazing. by DoofusOfDeath · · Score: 4, Interesting

    Pardon the rant, but can anyone tell me why we're still having people write code that is subject to SQL injection attacks?

    I mean, sometimes potential buffer overflows in C/C++ programs can be tricky to notice. Writing threading code that's not subject to deadlock or starvation can often be a challenge.

    But isn't code that's subject to SQL injection attacks just blindingly, amazingly obvious at first glance?

    1. Re:Amazing. by Anonymous Coward · · Score: 2, Informative

      Yes and No. If I want to have a program that I pass SQL queries to and it returns either safe or unsafe that is not a computable problem. There is no way to tell if a query is good or bad without context. That being said there are things like prepared statements that give the statements context, that is explicitly stating which parts of the query are control statements and which are data.

      In a simple system you are correct but in a system of even moderate complexity telling if code is vulnerable to SQL injection becomes non-trivial. When you have to dig through 5 levels of inheritance several times to hunt down all the places where the query is actually formed it's not all that simple.
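An added example (not part of the comment above or of any code in the thread) of the distinction that reply draws: a concatenated statement lets input become part of the query's control structure, while a prepared statement keeps it as data, and the finished SQL text alone cannot reveal which happened. It uses Python's built-in `sqlite3` rather than SQL Server; the table, column and function names and the sample rows are assumptions constructed for the illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO pages (owner, body) VALUES (?, ?)",
        [("alice", "public notice"), ("bob", "draft"), ("carol", "internal memo")],
    )
    return db


def build_concat_query(owner):
    # Vulnerable pattern: the caller's text is pasted into the statement,
    # so a quote character in it can end the literal and add SQL syntax.
    return "SELECT body FROM pages WHERE owner = '" + owner + "' ORDER BY id"


def lookup_concat(db, owner):
    return [row[0] for row in db.execute(build_concat_query(owner))]


def lookup_param(db, owner):
    # Prepared statement: the SQL text is fixed and the value is bound
    # separately, so it is only ever compared against the owner column.
    sql = "SELECT body FROM pages WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (owner,))]


# Constructed input containing a quote character and a tautology.
HOSTILE = "nobody' OR '1'='1"

# A statement a developer could have written on purpose (hypothetical).
# It is byte-for-byte what the concatenated builder produces for HOSTILE,
# which is why a checker that sees only the final string cannot classify it.
HANDWRITTEN = "SELECT body FROM pages WHERE owner = 'nobody' OR '1'='1' ORDER BY id"


def demo():
    db = make_db()
    return {
        "concat_normal": lookup_concat(db, "bob"),
        "param_normal": lookup_param(db, "bob"),
        "concat_hostile": lookup_concat(db, HOSTILE),   # every row comes back
        "param_hostile": lookup_param(db, HOSTILE),     # no owner has that name
        "same_text": build_concat_query(HOSTILE) == HANDWRITTEN,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```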

    2. Re:Amazing. by Lord Ender · · Score: 4, Insightful

      How do you know the code was recently written? More likely, the app was written years ago, before the phrase "sql injection" was even coined.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    3. Re:Amazing. by Anonymous Coward · · Score: 2, Funny

      I'd like you to stop by my work and bludgeon a few developers of mine over the head, if you would. Seems they're all too busy posting on a site called "BackSlash" or something to check their code.

  6. I thought Information Week was sensible. by goldaryn · · Score: 5, Insightful

    So much for Information Week being reasoned and sensible.

    "Equally troubling is the fact that the hacks appear to have originated outside the United States. Turkey is known to harbor significant elements of the al-Qaida network. It was not clear if "m0sted" has links to the terrorist group."

    Hooray for sensationalism!

    1. Re:I thought Information Week was sensible. by BlackSnake112 · · Score: 2, Funny

      Shhhh!!

      And remember to bow to the cookie pushing overlords...

      Their tactic of having two or more 6-7 year old girls say in perfect unison "Would you like to buy some girl scout cookies" is diabolical. This overloads one with their cuteness causing loss of some higher brain function. Which compels one to buy these cookies.

    2. Re:I thought Information Week was sensible. by m1k3y121 · · Score: 2, Funny

      and remember they cost.....tree fity

  7. Front end compromise... by Manip · · Score: 4, Interesting

    I'm just playing devil's advocate but who puts their public website inside their defences?

    I know it is an extremely common practice in this country to actually put sites like these on standard third party hosting services (e.g. Rackspace).

    They set them up to be as secure as other e-commerce sites, so fairly secure, but without having to poke holes in a nice heavy firewall.

  8. Hyperbole? by mpapet · · Score: 5, Insightful

    I didn't bother to RTFA, but summary is inflammatory at best.

    A public-facing, high-profile (perception) server gets compromised? That's not news.

    Let's say it is news for a minute. What was the budget for this public-facing project? This is not a "major Army security lapse" by any stretch of the imagination.

    Of course, my line of thinking wouldn't be widely accepted because it ignores the emotional response that the summary probably provokes in most people.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  9. Re:wood for the trees by Anonymous Coward · · Score: 3, Insightful

    How do you know that classified intelligence was even obtained? Why are you even assuming that the security of these servers, an ammunition plant and the Army Corps of Engineers no less, will have the same security as that of the Pentagon? Did it ever occur to you that perhaps the Army would appropriate security based on how vital their assets are?

  10. Re:wood for the trees by kevin_conaway · · Score: 5, Insightful

    Why aren't classified information on a separate network, not connected to the Net

    It is, in fact there are multiple, separate networks.

    Other than the author repeating the word "sensitive" over and over again, there wasn't anything concrete in the article about whether the information was actually classified. I suspect it wasn't.

  11. SQL Injection? *Yawn* by Rayeth · · Score: 4, Funny

    I think using SQL injection hasn't qualified as "hacking" since it showed up on XKCD.

  12. Re:wood for the trees by HaZardman27 · · Score: 5, Informative

    Sensitive does not mean classified. Sensitive could be as simple as a change in the dinner menu at the chow hall, which could suggest the arrival of important personnel. Classified information would not even exist on networks accessible via the internet.

    --
    Apparently wizard is not a legitimate career path, so I chose programmer instead.
  13. Re:any good military has by cdrguru · · Score: 3, Interesting

    The US military is pretty much incapable of fighting a guerrilla war where the combatants are intermixed with civilians and civilian casualties are forbidden. It made Vietnam very difficult and it has made Iraq difficult as well.

    What we have is a guerrilla war against hackers where they are effectively shielded in most cases by the ISP and their own country's law enforcement. The end result is almost an unwinnable war.

    We are winning in Iraq by ending the use of civilians as shields. We won in Vietnam by separating the combatants from the civilians. It is going to take that sort of effort to win against hackers, crackers and identity thieves. Unfortunately, right now the effort required to do this is intense enough that it is many, many times the losses so far. So I don't think they are going to do anything until the losses mount up a lot more.

    What makes this worse is in order to effectively combat these people it is going to take either the cooperation of foreign law enforcement or just going around them. Neither one is going to make these other countries want to be our friends, but they seem to be happy with the hackers running around doing whatever.

  14. Re:Wait... by JWSmythe · · Score: 3, Interesting

    This isn't too hard to find out. Look for GS military IT jobs, and see what they're hiring for. Lots of Windows crap. They still do have *nix positions, just not as many.

    Of course, a 1 admin to 10 windows machine ratio is acceptable, as a 1 admin to 50 Linux machine ratio is acceptable. They have a LOT of workstations out there that need tending to.

    --
    Serious? Seriousness is well above my pay grade.
  15. Re:wood for the trees by AtomicDevice · · Score: 2, Informative

    Yeah, I used to work at a defense contractor and classified systems are on separate networks, and to my knowledge are universally separate from anything connected to the internet. Sensitive is the lowest (or maybe second lowest?) classification, so breaking into "sensitive" servers isn't a particularly big deal, although I guess they might eke something useful out of it. Is our biggest fear that attackers might learn the inner secrets of publicly available government websites? Basically anything that they don't explicitly publish falls into this category as far as I can tell.

    --
    Ze Atomic Device! It iz Ztolen!
  16. Again????? by Runaway1956 · · Score: 3, Insightful

    Again?

    Slashdot requires you to wait longer between hitting 'reply' and submitting a comment.

    It's been 17 seconds since you hit 'reply'.

    Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator.

    So, what do I need to do, type really really slow?

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  17. Cyber Security Cadence by Ukab the Great · · Score: 3, Funny

    I don't know what I've been told
    But Army servers are quickly pwned
    You don't need some high-tech decryption machine
    Just a string with a semi-colon in between
    I don't know what I will find
    When good Army hackers have resigned
    We'll have a good laugh when some bored kid in China
    Posts photos of Gen. Petraeus with a vagina

  18. Re:wood for the trees by Anonymous Coward · · Score: 2, Funny

    I too can provide vague, uninteresting and falsified anecdotal evidence, look at me go!

  19. a different war has different goals by circletimessquare · · Score: 2, Interesting

    the battle on the web is one of image and a communication capability and integrity. if the enemy can thoroughly trounce the image and capability of the military on the web, then that is a battlefield which is a valid battlefield and which has been won by the enemy. you thoroughly reject the validity of this battlefield. you are thoroughly wrong and woefully behind the times

    your allegory of spraypainting graffiti on fences is inaccurate. it would be more accurate to say every flag in every corridor were turned into the nazi flag and every manual in every shelf were turned into mao's little red book, and every directive and nonsecure communication were replaced with the speeches of tokyo rose

    the scale and the morale effect is a lot larger than you suppose, and the effect on nonessential, and sometimes even essential communication channels is game-changing

    get with the times. it matters a hell of a lot more than you think and it will only continue to matter more. it is often said that the wars in the middle east are about winning hearts and minds. image control in that regard matters crucially. it does no good to project an image of incompetence, to give the enemy something to celebrate in terms of david beating goliath

    and this isn't even a new concept. it is valid in a million examples pre-internet. for one, consider the doolittle raid on tokyo after pearl harbor: completely tactically pointless. but in terms of morale boost for the usa, and morale killer for the enemy, it was huge. this is the exact same dynamic going on with the ability of teenagers to deface the military's presence on the internet, nevermind their ability to infiltrate actual essential communication, which you don't even consider to be a possibility

    well you can bet russia and china are considering that possibility, and may even have contingencies and capabilities in place to do exactly that while you snooze and act dismissive about what is going on here in terms of infiltration. you snooze you lose. right now, you are comatose

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  20. Re:wood for the trees by mlts · · Score: 2

    Classified+ information isn't available off a webserver on the Internet. If it is, someone would be being headed to the military prison at Leavenworth for a very long time.

  21. Big Deal by BlowHole666 · · Score: 2, Insightful

    Ok so someone defaced a website used by the US Army. How do we know that the website is not hosted by a 3rd party provider? Also how are we sure that sensitive information and the website are on the same network? Also the army may not have coded the website so it could have just been piss poor coding by a 3rd party web developer and not the contractor who codes the programs that control the sensitive information.

    In other words just because the front end website for the Army got defaced that means nothing. It is like defacing the IRS website. It means nothing till you have people's tax returns being rerouted to your personal bank account.

    --
    I smoked pot once. But I DID NOT inhale. Will you hire me?
  22. Re:wood for the trees by HomelessInLaJolla · · Score: 2, Insightful

    That is not true. When you work for a military contractor you would be amazed at the amount of classified information which is available on the shared drives.

    No--it is not directly available to the internet, but how many exploits does it take to hijack a browser and gain a command prompt or a vector to the injection of bytecode? How about hijack a browser and progressively insert holes in the compromised system until a backdoor can be opened? Sure, going to www.military-contractor.com and trying to force a way from their web server to their firewall to the internal network is difficult (though still not impossible), it is much easier to lace the 'net with booby traps. Think joke sites, humor sites, sites with flashplayer or java games or comics or even seemingly legitimate business presentations. How many exploits have we seen in codecs for music, even?

    Classified information may not exist on systems you think are accessed from the internet--but classified information sure as heck exists on the drives shared to systems which are used as clients to the internet. There really is no difference once the fiber (or copper) is connected.

    --
    the NPG electrode was replaced with carbon blac
  23. Re:wood for the trees by Darkness404 · · Score: 4, Insightful

    Um, I'd say that any website from a personal website with nothing terribly important on it to the system used to launch nuclear weapons should guard against something as simple as SQL injection. Now, you might not want to have passwords 468000 characters long for a lower security website, but surely blocking SQL injection is something all websites should guard against.

    --
    Taxation is legalized theft, no more, no less.
  24. Re:wood for the trees by TinBromide · · Score: 4, Informative

    The US military has a (well, many) classified network and an unclassified network. All computing equipment has a little sticker on it that says that equipment is used for which (classified or unclassified) purpose. I'm sure that the hacked web servers all have a little blue sticker with white text that says that the server is to only work with unclassified info (websites, most likely). I wouldn't really call this a security breach any more than I'd call shoplifting a robbery. While yes, the web servers were indeed "hacked", it's not like that webserver was hosting top secret plans in pdf form for distribution purposes.

    --
    Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
  25. Ho hum by bartwol · · Score: 5, Insightful

    Web server page redirection? Should that scare me? I mean, it's not quite as if somebody smuggled munitions or fired a weapon.
    "Oh...but the breach reveals the military's vulnerability."
    Does it? To what?
    Answer: To webserver page redirection.
    Might there be greater risk here? Perhaps. But no evidence was presented to indicate that. Get back to me when you've identified a MATERIAL RISK, not merely a TECHNICAL VULNERABILITY.
    As for those of you who have hopes and expectations that ALL THINGS MILITARY will be secure...WTF?

    1. Re:Ho hum by timeOday · · Score: 2, Insightful

      I agree, this is like "infiltrating" the coffee-break room of the Army recruiting station at your hometown strip mall. It's not great, but it's not that big a deal. I'm not sure I want the DoD investing the (taxpayer) resources to make sure nobody ever, ever defaces their website again.

  26. Re:Wait... by Obfuscant · · Score: 5, Funny
    The Royal Navy now uses Windows for Warships :-(

    Don't you mean "Windows For Warcraft"?

  27. SQL Injection? by Anonymous Coward · · Score: 5, Insightful

    I'm hardly one to defend MS products, but come on.

    SQL injection is hardly "a security vulnerability in Microsoft's SQL Server database." SQL injection is a result of badly written code. Nothing more. There is never an excuse for that to occur, even in environments where security isn't the top priority.

    The whole article feels a bit off to me. I get the sense it was written by somebody with little technical cluefulness. I particularly like the line about "sophisticated Defense Department tools and procedures designed to prevent such breaches" followed by a sentence identifying AV software. Written by a dummy, for similarly intelligent people, perhaps?

  28. Re:wood for the trees by dwillden · · Score: 3, Informative

    Correct, Sensitive is specifically interpreted to mean non-classified information that is exempt from FOIA release, data such as SSN's and unit rosters and the like.

    --
    I'm too lazy to compose a creative sig.
  29. Re:SQL Injection? *Yawn* by CorporateSuit · · Score: 2, Funny

    I don't lock my doors at night, but I do consider my security system secure. If anyone touches the door handle after 8:00pm, it triggers a shotgun that blows their head off. You wouldn't believe the piles of dead robbers we have in my garage!

    --
    I am the richest astronaut ever to win the superbowl.
  30. Re:wood for the trees by Penguinshit · · Score: 2, Interesting

    Sorry Charlie, but clients with classified data are physically separated from the public internet. USB ports and other sneakernet outlets are (should be) disabled. The folks that take care of the important stuff aren't stupid and are highly paranoid.

  31. Classified Info Is On Separate Servers by EngineeringMarvel · · Score: 2, Interesting

    I used to work for one of the larger defense contractors and the information that was considered vital to system to design or classified as at least secret were usually on separate servers that were not connected to the internet. I know on several occasions when sensitive information was sent across the internet it was done on a special computer. I've also seen instances where the information was not allowed to be on a computer at all.

    --
    I couldn't think of anything witty to say, so...you're stuck with this.
  32. Re:wood for the trees by sinai · · Score: 2, Insightful

    The folks that take care of the important stuff aren't stupid and are highly paranoid.

    Not sure where you're getting your facts from, but from my years in the military I'd venture to say that you're a bit overconfident. There are plenty of ways for sensitive data to find its way into the hands of outsiders.