Slashdot Mirror


Royal Navy Website Hacked, Passwords Revealed

An anonymous reader writes "The British Royal Navy's website has been suspended after a Romanian hacker exploited SQL injection vulnerabilities to gain access to the site. The hacker, named 'TinKode,' accessed usernames and passwords used by the site's administrators and published them on the web. TinKode's attack is 'particularly embarrassing for the British Ministry of Defence, as just last month protecting against cyber attacks was declared in the National Security Strategy to be a "highest priority for UK national security."'"


  1. Re:Oops by Dancindan84 · Score: 2, Informative

    More like:
    "Lieutenant and password = '*'; please report to the bridge."

    --
    "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
  2. Details by muckracer · Score: 4, Informative

    http://pastebin.com/raw.php?i=M2MUEdv4

    Fire up your rainbow tables :-)

    1. Re:Details by Anonymous Coward · Score: 3, Informative

      Wow, I haven't seen that ASCII art chick since the early 90s when I would hang out on questionable BBSs :)

    2. Re:Details by mattdm · Score: 3, Informative

      It was probably not ppp, but a rather unfortunate password whose md5 is the same as for "ppp". I can't believe they'd actually put in a password like that.

      Since the former is statistically improbable to beyond-astronomical degrees, the latter is, unfortunately, more likely.

  3. that's not technically embarrassing by circletimessquare · Score: 4, Informative

    it's an unimportant website

    now THIS is technically embarrassing

    http://www.bbc.co.uk/news/uk-scotland-highlands-islands-11605365

    this is a nuclear powered brand new stealth submarine, giving away its secret propulsion system as the tide lowers, because someone drove it into the beach. stealth beach? (slaps forehead)

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  4. Re:clear text passwords? by Grantbridge · Score: 2, Informative

    If you look at the data they released, they only gave the password hashes, not the passwords themselves. There were no clear text passwords in the database. That said, one of them has been "cracked" to "ppp". It's an admin password, hopefully it required being logged in from the intranet or something.

  5. If they are anything like the US by orphiuchus · Score: 3, Informative

    Then they have at least 4 levels of networks just for the military, 1 for the public (the recruiter websites), 1 for regular correspondence such as training and rosters (accessible by everyone in the military), 1 for things that may be considered secret but have fairly low impact if compromised (acceptable to everyone with a security clearance requiring a basic background check), such as deployment dates and reports from deployed units, and 1 for medium-high risk stuff like radio fill codes (available to people with extensive background checks and monitored closely). The networks that get compromised and make the news, at least in the US, are the first 3. WikiLeaks stuff usually comes from the 3rd level there and tends to be stuff that a lot of people have access to. This compromise seems to be the very lowest level, as several people have pointed out, and I doubt if anyone in the Royal Navy is all that concerned about actual security. That doesn't mean it's not embarrassing, because the public reaction is sure to be ill-informed and overblown, but the actual damage here is nil. The real secrets everyone wants to assume are stored on these websites, such as the black ops or alien autopsies, aren't actually anywhere. If the government actually does something super secret and potentially earth-shaking they don't write it down and file it. That wouldn't make any sense. Once you get past Grey-SOF level of secret stuff the paper trail pretty much needs to disappear.