Slashdot Mirror


Royal Navy Website Hacked, Passwords Revealed

An anonymous reader writes "The British Royal Navy's website has been suspended after a Romanian hacker exploited SQL injection vulnerabilities to gain access to the site. The hacker, named 'TinKode,' accessed usernames and passwords used by the site's administrators and published them on the web. TinKode's attack is 'particularly embarrassing for the British Ministry of Defence, as just last month protecting against cyber attacks was declared in the National Security Strategy to be a "highest priority for UK national security."'"

  1. Oops by 16Chapel · · Score: 5, Funny

    "Lieutenant Droptables please report to the bridge".

  2. i bet changing the code was too much trouble by alen · · Score: 3, Insightful

    we had this happen a few times and every time you go back to the developers who coded the website they always complained how it would take them too much time to change the code. even though changing the database permissions would be a snap

  3. Details by muckracer · · Score: 4, Informative

    http://pastebin.com/raw.php?i=M2MUEdv4

    Fire up your rainbow tables :-)

    1. Re:Details by Anonymous Coward · · Score: 3, Informative

      Wow, I haven't seen that ASCII art chick since the early 90s when I would hang out on questionable BBSs :)

    2. Re:Details by mattdm · · Score: 3, Informative

      It was probably not ppp, but a rather unfortunate password whose md5 is the same as for "ppp". I can't believe they'd actually put in a password like that.

      Since the former is statistically improbable to beyond-astronomical degrees, the latter is, unfortunately, more likely.

  4. From TFA by contra_mundi · · Score: 3, Interesting

    "We can all be thankful that Tinkode's activities appear to have been more mischievous than dangerous. If someone with more malice in mind had hacked the site they could have used it to post malicious links on the Navy's JackSpeak blog, or embedded a Trojan horse into the site's main page."

    Giving anyone free rein to embed said trojans into the site is only marginally better. Assuming of course that it could be done with the exposed admin logins. Now they're forced to go through pretty much everything to make sure no such traps were placed or if information was stolen.
    The mischievous option would have been to remain only parts of the passwords, or otherwise proving it and not leaking anything sensitive.
    Not to worry however, I'm sure he'll get 60 years in jail without parole for embarrassing the wrong people.

  5. Why hire dumbfucks? by mangu · · Score: 4, Insightful

    I don't understand why people need to deface sites just to show ... what ?

    They do it just to show how ignorant are the people who are supposed to manage those sites.

    The Royal Navy used to be the defense of the UK against invaders. They were supposed to fight to the end, to resist against everyone. Yet, nowadays, some script kiddie is able to defeat the Royal Navy from his mom's basement? WTF???

    The message is that the sites can be defeated very easily, that's all.

  6. Re:Why !? by phyrexianshaw.ca · · Score: 4, Insightful

    Have you ever found a glaring security hole in a major website for a major company?
    do you know how hard it is for somebody to even begin reporting something like that?

    if you are a young adult (aged 12-24) and you find a security hole, do you know how few people will take you seriously? it amounts to telling your teacher there's a problem in every copy of a textbook: they'll just laugh at you and tell you "you just don't know any better".

    Yes, I completely agree that there ARE BETTER WAYS to disclose: but by not making them easy enough for a youngster to understand: you prevent people from reporting in the first place.

  7. that's not technically embarrassing by circletimessquare · · Score: 4, Informative

    it's an unimportant website

    now THIS is technically embarrassing

    http://www.bbc.co.uk/news/uk-scotland-highlands-islands-11605365

    this is a nuclear powered brand new stealth submarine, giving away its secret propulsion system as the tide lowers, because someone drove it into the beach. stealth beach? (slaps forehead)

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it

  8. Re:Why !? by Monkeedude1212 · · Score: 4, Insightful

    By making a public display of low security standards - you impact more people.

    Could he have told the ONE administrator of the site about the vulnerability, and HOPED that the Sysadmin would take the time out of the day to fix it - and not completely disregard his advice? Yeah, he COULD have done that, but that doesn't guarantee results or get the message to as many people.

    Don't get me wrong, we just had to deal with the hooligans ourselves in my company, and it is a bit of a piss off to have to deal with it. However, I can say for a fact we're much better with our security standards now than we ever were before. And on top of that - anyone who finds out might think "Jeez, that kind of stuff is on the rise, maybe I should get to that update I've been sitting on".

    It sucks if it happens to you - but it's one of those things that seems necessary to keep things in line. I'd rather we be too secure as a society as opposed to being all willy nilly.

  9. Re:Oh Noes by tlhIngan · · Score: 3, Insightful

    A useless PR website to a government agency was hacked! This is like when the RIAA home page gets hacked. No operations were actually affected, because no one goes there anyway. Now shut down the email servers, that's something else.

    You're assuming that no one ever puts anything else up in a hidden directory on a website, do you? Just because it's a fluff website doesn't mean there isn't anything else behind those pages. At the very least, an exploited script could be running a simple fileserver on it for dropping off warez and pr0n and other stuff. Hell, the webmaster and his friends might've put up files there on behalf of some higher up who needs a large file sent somewhere.

    Wasn't there that funny anti-piracy site that was DoS'd and ended up revealing a pile of hidden files containing emails and such?

    You might think that such entities would use super-secret encryption and file transfer methods, but you'd be surprised to find out most still use common FTP and HTTP.

  10. Re:something for nothing by IshmaelDS · · Score: 4, Insightful

    "it would take them too much time to change the code...that should have been coded properly to begin with." Fixed that for you.

    --
    letting an idiot know they are an idiot is not a game... it's a responsibility. - by Kristopeit, M. D. (1892582)

  11. If they are anything like the US by orphiuchus · · Score: 3, Informative

    Then they have at least 4 levels of networks just for the military, 1 for the public (the recruiter websites), 1 for regular correspondence such as training and rosters (accessible by everyone in the military), 1 for things that may be considered secret but have fairly low impact if compromised (accessible to everyone with a security clearance requiring a basic background check), such as deployment dates and reports from deployed units, and 1 for medium-high risk stuff like radio fill codes (available to people with extensive background checks and monitored closely). The networks that get compromised and make the news, at least in the US, are the first 3. WikiLeaks stuff usually comes from the 3rd level there and tends to be stuff that a lot of people have access to. This compromise seems to be the very lowest level, as several people have pointed out, and I doubt if anyone in the Royal Navy is all that concerned about actual security. That doesn't mean it's not embarrassing, because the public reaction is sure to be ill-informed and overblown, but the actual damage here is nil. The real secrets everyone wants to assume are stored on these websites, such as the black ops or alien autopsies, aren't actually anywhere. If the government actually does something super secret and potentially earth-shaking they don't write it down and file it. That wouldn't make any sense. Once you get past Grey-SOF level of secret stuff the paper trail pretty much needs to disappear.