Royal Navy Website Hacked, Passwords Revealed
An anonymous reader writes "The British Royal Navy's website has been suspended after a Romanian hacker exploited SQL injection vulnerabilities to gain access to the site.
The hacker, named 'TinKode,' accessed usernames and passwords used by the site's administrators and published them on the web. TinKode's attack is 'particularly embarrassing for the British Ministry of Defence, as just last month protecting against cyber attacks was declared in the National Security Strategy to be a "highest priority for UK national security."'"
"Lieutenant Droptables please report to the bridge".
We had this happen a few times, and every time you go back to the developers who coded the website they always complained how it would take them too much time to change the code, even though changing the database permissions would be a snap.
http://pastebin.com/raw.php?i=M2MUEdv4
Fire up your rainbow tables :-)
I don't understand why people need to deface sites just to show ... what ? their skillz ? the poor security of the website ?! This is beyond childish, and the "authors" are probably no more than script kiddiez.
As tinKode points out on his site, he wants to drive attention to security problems. In fact, if he wanted to do only that, he could privately inform the site owners about the problems he sees. He could make his own security company, and make some nice bucks out of doing this specific job he seems to enjoy.
But what he does now is no better than hooliganism, and I hope he will be tracked and serve some sentence for defacing of private property or anything similar.
Carefully crafted sig.
A useless PR website to a government agency was hacked! This is like when the RIAA home page gets hacked. No operations were actually affected, because no one goes there anyway. No shut down the email servers, that's something else.
It's okay! This was only a simulation, right?
That's not even enough time for them to schedule a meeting to determine when they're going to hold a meeting to deal with the meeting to find the people who will look for the people who will be in charge of finding the people who will be responsible for the people who have the task of finding the problems.
Really, it's just inconsiderate of this Romanian fellow. Why can't he be a sport and wait a bit?
Really?? I realize there are cases where it is useful and possibly even necessary, but the use of clear text passwords is just a bad idea. It amazes me that it continues to go on and on and on...
Embarrassing, sure. But it's just their website, and doesn't justify spending £500m on fighting "cyber-terrorism". By the way does anyone know what the £500m will actually be spent on? It *should* be spent on researching secure systems like BitC, SELinux, stack protection and so on. I bet it isn't.
eherr@quark:~$ HEAD http://royalnavy.mod.uk/
200 OK
Date: Mon, 08 Nov 2010 15:51:01 GMT
Accept-Ranges: bytes
ETag: "0ee7b62b67dcb1:7904"
Server: Microsoft-IIS/6.0
Content-Length: 70
Content-Location: http://royalnavy.mod.uk/index.html
Content-Type: text/html
Last-Modified: Sat, 06 Nov 2010 13:27:40 GMT
Client-Date: Mon, 08 Nov 2010 15:51:03 GMT
Client-Peer: 94.236.30.11:80
Client-Response-Num: 1
X-Powered-By: ASP.NET
"We can all be thankful that Tinkode's activities appear to have been more mischievous than dangerous. If someone with more malice in mind had hacked the site they could have used it to post malicious links on the Navy's JackSpeak blog, or embedded a Trojan horse into the site's main page."
Giving anyone free rein to embed said trojans into the site is only marginally better. Assuming of course that it could be done with the exposed admin logins. Now they're forced to go through pretty much everything to make sure no such traps were placed or if information was stolen.
The mischievous option would have been to remain only parts of the passwords, or otherwise proving it and not leaking anything sensitive.
Not to worry however, I'm sure he'll get 60 years in jail without parole for embarrassing the wrong people.
I don't understand why people need to deface sites just to show ... what ?
They do it just to show how ignorant are the people who are supposed to manage those sites.
The Royal Navy used to be the defense of the UK against invaders. They were supposed to fight to the end, to resist against everyone. Yet, nowadays, some script kiddie is able to defeat the Royal Navy from his mom's basement? WTF???
The message is that the sites can be defeated very easily, that's all.
Better a harmless hacker does it than an enemy of Britain.
Although I can't think of any at the moment.
I'm not sure what is worse. The fact that they fell victim to an SQL injection attack, or the HTML source that is displayed on TFA is badly broken. A "centre" tag? And the closing HTML tag is broken. Someone put up that maintenance page in a mega hurry.
it's an unimportant website
now THIS is technically embarrassing
http://www.bbc.co.uk/news/uk-scotland-highlands-islands-11605365
this is a nuclear powered brand new stealth submarine, giving away its secret propulsion system as the tide lowers, because someone drove it into the beach. stealth beach? (slaps forehead)
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
a username like "Charles the rather large man"?
Sig?
HA HA!
It's cunningly disguised as a small island with a chimney on top
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
{html}
{centre}{img src="navysitedown.gif" alt=""/}{/centre}
{?html}
and even a ? instead of a / , they were obviously in quite a hurry to take it down... I'm also surprised it takes "centre"... silly brits and their proprietary english!
(you'd think by now slashdot wouldn't blow a gasket trying to use a less than or greater than symbol in the text of their post...)
I work for the Department of Redundancy Department.
327
Was only a matter of time, serves them right.
Lucky they don't use it for anything critical! Oh, wait:
http://www.theregister.co.uk/2008/12/16/windows_for_submarines_rollout/
Yes to save costs MS is now 'next' to the UK's most critical systems.
One usb drive/download away from ???? at sea.
Domestic spying is now "Benign Information Gathering"
If the navy's website was actually connected to any operational naval computer systems, yielded more than just the names and passwords of contractor web developers, housed actual classified operational information of the royal navy or was due to a flaw in a piece of software written by the navy for mission-critical systems then I MIGHT CARE.
But, it doesn't, so I DON'T.
When will sites learn not to store actual passwords and to just store a hash of the password.
If they followed the recommendations and used stored procs and passed parameters to them, data would be automatically cleaned to block SQL injection attacks. As usual, it's the programmer, not the tools.
I think this particular instance was more a matter of poor security practices in web development than underlying OS or web server, but it does seem a bit odd that a military branch would use Microsoft/IIS vice using a Unix or Linux platform. It appears that the U.S. Navy is also running IIS for their primary public site.
200 OK
Cache-Control: max-age=334
Connection: close
Date: Mon, 08 Nov 2010 16:56:47 GMT
ETag: "8094fdaf44cc81:287"
Server: Microsoft-IIS/6.0
Content-Location: http://www.navy.mil/usnhome.html
Content-Type: text/html
Last-Modified: Thu, 11 Oct 2007 20:24:13 GMT
Client-Date: Mon, 08 Nov 2010 16:56:48 GMT
Client-Peer: 96.17.8.152:80
Client-Response-Num: 1
Header: US Navy
X-Powered-By: ASP.NET
"it would take them too much time to change the code...unless you choose to value their extra work and pay them for it, instead of expecting to piggy-back it onto the previous job."
Fixed that for you.
You're assuming there was an MD5 collision for some other relatively short length password. Ok I guess I can buy that. Here's my question though, does it matter? If there is in fact a collision, won't typing ppp when prompted for the password still get hashed and compared and validated as the same?
the Queen's not getting on Facebook then, hugh?
A little inaccuracy sometimes saves tons of explanation.
Actually, no, the server hacked was RHEL:
Server : Apache/2.2.3 (Red Hat) DAV/2 PHP/4.4.9 Machine : i686
System User : amax_navy@192.168.10.17
OS : redhat-linux-gnu
IP : 94.236.30.85
It is dangerous to be right when the government is wrong.
Ah. My bad. I just read the exploit summary.
Then they have at least 4 levels of networks just for the military, 1 for the public (the recruiter websites), 1 for regular correspondence such as training and rosters (accessible by everyone in the military), 1 for things that may be considered secret but have fairly low impact if compromised (acceptable to everyone with a security clearance requiring a basic background check), such as deployment dates and reports from deployed units, and 1 for medium-high risk stuff like radio fill codes (available to people with extensive background checks and monitored closely). The networks that get compromised and make the news, at least in the US, are the first 3. Wiki-leaks stuff usually comes from the 3rd level there and tends to be stuff that a lot of people have access to. This compromise seems to be the very lowest level, as several people have pointed out, and I doubt if anyone in the royal navy is all that concerned about actual security. That doesn't mean it's not embarrassing, because the public reaction is sure to be ill-informed and overblown, but the actual damage here is nil. The real secrets everyone wants to assume are stored on these websites, such as the black ops or alien autopsies, aren't actually anywhere. If the government actually does something super secret and potentially earth-shaking they don't write it down and file it. That wouldn't make any sense. Once you get past Grey-SOF level of secret stuff the paper trail pretty much needs to disappear.
Your government knows best. Really!
SQL injections, which were apparently used, have nothing to do with the operating system the system is running on; rather, they exploit errors in (usually) custom-built applications mixing up data and code before sending it to the database (which cannot really distinguish an SQL injection from an actual command). Thus, posting this is really a bit misleading; a huge number of things are Microsoft's fault, but this is probably not one of them.
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
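The data/code mix-up described in the comment above, together with the parameter passing and password hashing other commenters recommend, shown as an added example that is not part of the thread or the site's code. The table, account names, passwords and test input are constructed, and sqlite3 stands in for whatever database the site used.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed input: closes the quoted string, then adds a condition that is always true
CONSTRUCTED_INPUT = "nobody' OR '1'='1"

def hash_password(password, salt):
    # Salted, deliberately slow hash: a dumped row does not contain the
    # password, and the per-user salt defeats precomputed lookup tables.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_db():
    """In-memory table of constructed admin accounts (not data from the incident)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, password in [("alice", "correct horse"), ("bob", "battery staple")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO admins VALUES (?, ?, ?)",
                   (user, salt, hash_password(password, salt)))
    return db

def lookup_concatenated(db, username):
    # Vulnerable pattern: the input becomes part of the SQL text, so the
    # database cannot tell the developer's code from the visitor's data.
    query = "SELECT username FROM admins WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, username):
    # Hardened pattern: the SQL text is fixed and the input is bound as a
    # value, so it is only ever compared against the column.
    query = "SELECT username FROM admins WHERE username = ?"
    return [row[0] for row in db.execute(query, (username,))]

def verify_login(db, username, password):
    # Recompute the hash from the stored salt and compare in constant time
    row = db.execute("SELECT salt, pw_hash FROM admins WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, CONSTRUCTED_INPUT))
    print("parameterized:", lookup_parameterized(db, CONSTRUCTED_INPUT))
```
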
Yeah. I had not read the exploit. It was apparently a Linux box that was compromised.
their steering system got hacked for just this result.
Moderate this funny not informative.
I've been trying to get Google to fix this phishing page for months.
Someone discovered a neat hack - they can store a phishing page in Google Storage, and link to it from Google Sites. Google's abuse system doesn't comprehend that you can leverage an attack through Google Storage, so there's no way to get that phishing page taken down.
(The basic problem is that if you offer free hosting or URL redirection, and don't validate your users, you will be used to host attacks. "TinyURL" is good at catching this. "bit.ly", not so much. "t35.com" (free hosting) works hard to kick the phishers off manually, but their abuse guy gets a week or two behind at times. "piczo.com" (blog hosting for teenage girls) doesn't seem to try very hard, and phishing pages stay live there for months. We track this automatically, so we get to watch the major sites throw out the trash. Major sites that don't automate phishing and hostile code detection, constantly reading the PhishTank and APWG lists to see if one of their pages made the list, get pwned regularly.)
Actually, no, the server hacked was RHEL:
Server : Apache/2.2.3 (Red Hat) DAV/2 PHP/4.4.9 Machine : i686
System User : amax_navy@192.168.10.17
OS : redhat-linux-gnu
IP : 94.236.30.85
Try to go to a random page, anything will do, just type some nonsense. May I suggest http://www.royalnavy.mod.uk/blah
See the Microsoft IIS error.
There is no cannibalism in the royal navy. By "none", we mean none to speak of. (Camera pans to sailor eating a human leg.)
They're sacrificing chickens at the altar of biofuels.
How deliciously accurate. They've admitted biofuels are a desperate, unsupportable Hail Mary to the Gods.
The British national navy later released a statement saying "Damnit, we knew password1 was a bad password. But it was so easy to remember."
Wrong thread.
That is a common tactic to mitigate attacks: let them try to attack software that you aren't running. It's an Apache config option.
It is dangerous to be right when the government is wrong.
These guys are script kiddies. For those with SQL you may see someone with a scanner trying every version known to man within the first 3 seconds. After an unsuccessful results....crap. ".../woot**woot.Romanian*****Sec"
This was from 2 months ago so maybe they've improved greatly within that time
I checked everything and then initiated a Deep Freeze rollback on the boxes.
Sorry Royal Navy. Shoulda checked your logs, friend.