Slashdot Mirror


Compromised Government and Military Sites For Sale

Khopesh writes "Imperva blogged today about the sale of compromised .gov, .mil, and .edu sites, illustrating that cyber-criminals are getting bolder. Krebs on Security has an unredacted view of the site list. Perhaps the biggest threat is yet to come; if an industrious criminal can break into top government and military sites, so too can government-backed teams, proving that GhostNet and Stuxnet are just the beginning."

51 comments

  1. Obvious by TaoPhoenix · · Score: 3, Informative

    Wikileaks.mil!

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    1. Re:Obvious by rtfa-troll · · Score: 1
      I think as a special exception in this particular case I can fill in 2 for you.

      2.0 Make a site about a new Congressional initiative to privatize Nuclear war.
      2.1 provide demos for small money with hacked Nuclear bombs
      2.2 embezzle the billions the enemy give you to destroy Tashkent

      alternatively.

      2.0 put up government policies for sale
      2.1 actually implement the policies via hacked congress/senate computers
      2.2 get awards and celebrity for improving government transparency
      2.3 use new found celebrity to get on TV in China or elsewhere outside the US and earn hard currency.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    2. Re:Obvious by dgatwood · · Score: 1

      2.0 put up government policies for sale

      Too late.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Obvious by i_want_you_to_throw_ · · Score: 1

    1. Buy commerce.gov
    2. ?????
    3. Profit!!!

  3. Not just .gov by OverlordQ · · Score: 1

    More than half of those listed are from other countries; they are not all US .gov and .mil sites.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Not just .gov by pitchpipe · · Score: 0, Troll

      More than half of those listed are from other countries; they are not all US .gov and .mil sites.

      Yeah well my state is listed (http://www.utah.gov/) with full site admin control, so I guarantee a bunch of my info is up for sale. It's probably because the state government here usually pays its workers poorly, and I'm sure that goes for their IT people, so most likely you aren't getting the best candidates.

      It's the Republicans' philosophy at work: pay the absolute bare fucking minimum no matter the cost.

      --
      Look where all this talking got us, baby.
    2. Re:Not just .gov by QuantumLeaper · · Score: 0

      You also forgot to say, they try to the dumbest people for those jobs too.

    3. Re:Not just .gov by tukang · · Score: 0

      Why would any of your info be on the utah.gov web server?

    4. Re:Not just .gov by peragrin · · Score: 2, Informative

      Exactly. Most of these websites are on random hosted providers anyways.

      Now if they got IRS.GOV I might be concerned.

      --
      i thought once I was found, but it was only a dream.
    5. Re:Not just .gov by QuantumLeaper · · Score: 1

      Hire the dumbest....

    6. Re:Not just .gov by Anonymous Coward · · Score: 0

      Whereas the Democrats' philosophy is to pay out the ass to as many workers as possible...i.e. San Francisco City/County gov't, a $6.5billion budget for 49 square miles and 800K residents. Over 1 in 3 of the 27K city/county employees are making over $100K.

    7. Re:Not just .gov by Anonymous Coward · · Score: 0

      I work somewhere for a Utah state agency as an IT guy - I can guarantee that the state pay for IT personnel is a joke since we use the same pay scale as the state. We mostly look at it as a place to get some good experience in order to get better paying jobs. I'm just barely able to afford a 2 bedroom apartment that my wife and I rent from my parents.

    8. Re:Not just .gov by aztracker1 · · Score: 1

      I would say, how does that compare with the private sector residents... Having city employees make roughly what the residents do isn't a bad thing. It's good to be able to have your city employees, you know, live in the city they work for. I find it hard to believe people can afford to live in SF on under $100K.

      --
      Michael J. Ryan - tracker1.info
    9. Re:Not just .gov by pitchpipe · · Score: 0

      Over 1 in 3 of the 27K city/county employees are making over $100K.

      I think that ALL of them should make over $100k a year! If we could stop this fucking MASSIVE wealth redistribution from the middle class and the poor to the super rich (not paying sufficiently for work done by the sweat of the brow is just as bad if not worse than having to pay a little back in tax) we could afford something like this AND balance the budget. But sadly no. Republicans believe that they acquired their wealth with the help of NO ONE ELSE. Isn't that weird?

      Hmm. How did that stuff arrive for this factory that I built? Oh yeah, no thanks to the fucking government, it arrived magically. Hmm... where did that turd go that I flushed down the toilet? Oh that's right it magically floated away and was eaten by that toxic shit that I dump into the river last year. I'm such a fucking genius! God damn we need a smaller gubmint.

      --
      Look where all this talking got us, baby.
    10. Re:Not just .gov by Bing+Tsher+E · · Score: 1

      You're right. Everybody should make... (pinky to cheek) One Million Dollars per day.

      That wouldn't create incredible inflation; everybody would still show up every day and get their jobs done and the entire economy wouldn't fail.

    11. Re:Not just .gov by Anonymous Coward · · Score: 0

      right you mean like the 54 million dollar seat that is owned by none other than Michelle Obama for none other than Whole Foods Corp.
      Or the loans approved by activists placed at fannie and freddie on behalf of obama,
      barney frank and the rest of the angels.. Yeah, I see what you are talking about.. Why democrats are angels, they do no wrong and
      they side with tech and green technologies, fairy dust, blah blah blah.. Whatever....

      How about Acorn for their stellar record under the obama's watch, or BP for funding the obama campaign for 20 years even when barak was an activist
      in that slum, sanctuary city chicago. Looks like that oil spill is forgotten by a lot of idiots..
      Grow up and lose the biased views and political party BS..

      You guys need to spin your political views a little more clearly on this site. I can pick out the CNN junkies in a millisecond..
      There are 2 sides to a coin!! look at both sides and judge both sides fairly!
      Oh almost forgot 'ZING' the biggest problem with city, state, government employees is 'drum roll' The huge bloated salaries and Pensions they get 'just sayin'

    12. Re:Not just .gov by Anonymous Coward · · Score: 0

      You guys need to spin your political views a little more clearly on this site. I can pick out the CNN junkies in a millisecond..

      Try MSNBC, moron. CNN is fairly centrist by comparison.

      Oh almost forgot 'ZING' the biggest problem with city, state, government employees is 'drum roll' The huge bloated salaries and Pensions they get 'just sayin'

      My salary is certainly not bloated (61k for an enterprise admin where the norm in the private sector here even now is 90k), and the only reason that I'm working for the state is that they actually have a pension fund, unlike the gutted soulless corporations.

    13. Re:Not just .gov by Anonymous Coward · · Score: 0

      If you would have looked at the actual post and done 30 seconds of research you would have seen that they are false. It is a sub-domain of utah.gov called utahsown.utah.gov.

      So, unless you have registered personal information with the Utah state department of agriculture you should be fine. But, thanks for making this about you and politics instead of seeing the lie this wannabe hacker is pushing to scam $$ out of people.

      Take care.

  4. Compromised Government and Military Sites For Sale by Anonymous Coward · · Score: 0

    The sites aren't the only thing for sale.

  5. In Soviet U.S.A, by Anonymous Coward · · Score: 0

    Government and military sites sell YOU !

    Yours In Washington, D.C.,
    Kilgore Trout, C.I.O.

  6. Re:Compromised Government and Military Sites For S by Anonymous Coward · · Score: 0

    like your mother?

  7. no need to worry by Lord+Ender · · Score: 0, Troll

    Selling off control of government and military websites is all part of the new Republican program to shrink the government and balance the budget.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  8. Simple economic solution by jeffmeden · · Score: 1

    Is it sad that my first thought was "good, now they can just buy the control back!"

    Not only do they get to find out what sites have vulnerabilities, but they can use the exchange to try to track down the perps at the same time.

  9. Cabsec can fix this by ka9dgx · · Score: 4, Interesting

    Capability based security (Cabsec) can provide OS with no exposed vulnerabilities. It's based on an L4 proven microkernel. The only problem is that it's vaporware.

    It doesn't have to be. The parts are starting to fall into place, but the open source community has to be made aware of the fact that it is possible to solve computer security, instead of patching it with layers of band-aids.

    1. Re:Cabsec can fix this by Anonymous Coward · · Score: 0

      What about MULTICS? It was an OS with security built-in on all levels. It was abandoned b/c of its complexity, but nowadays, should be no problem. Why don't they just revive MULTICS?

    2. Re:Cabsec can fix this by Cyberax · · Score: 3, Informative

      Nope, it won't help.

      Capability-based security omits one liiiiiiiittle detail: initial capability distribution. That's why most (all?) of the proofs of capability based security omit the initial image set up. That's the case with CoyotOS and other OSes. Or in other words, the question is: should IAmEvilExecutable get CAP_ALL_ACCESS permission if user starts it and grants it this permission?

      Another problem is that if I somehow inject myself into, say, web server then I'll get access to all capabilities granted to this webserver. Which is usually more than enough. The only 'fix' on the horizon for this problem is fully managed code (see: Singularity OS).

    3. Re:Cabsec can fix this by ka9dgx · · Score: 1

      A web server process should only require:
      Read access to web content
      Read/Write access to an already opened internet connection
      Write access to a logging system process.

      If it only has those things, it can't do anything else, no matter how you crash the stack, etc.

      Capabilities aren't the same as privileges or SU flags... they are per resource, not levels.

    4. Re:Cabsec can fix this by ka9dgx · · Score: 1

      Fully managed code is an interesting idea, but requires you to trust the code to do its job, and ONLY its job... it doesn't protect against design flaws, or the confused deputy problem.

      The only code that should be trusted in any computer is the microkernel in the OS.

    5. Re:Cabsec can fix this by currently_awake · · Score: 1

      If you are a large corp then you can afford to security audit your basic apps. If you run everything in a sandbox, with only the permissions it needs then the scope of problems is very small.

    6. Re:Cabsec can fix this by Cyberax · · Score: 1

      Web server will also require access to database which is more than enough for attacker. So attacker then can request http://your.server.com/IHaveHackedThisBox.html and get a full database dump.

      In practice, your webserver will probably also need permissions for outgoing connections. So if it's hacked then your computer can be a part of DDoS'ing botnet.

    7. Re:Cabsec can fix this by Cyberax · · Score: 1

      Why? Capability-based security is trivial with the managed code. You just need to get rid of global shared resources and that's it.

      And since it's easy to verify managed code for correctness (i.e. that no buffer overflows or type confusions are possible), you can be sure that capabilities won't fall into wrong hands.

    8. Re:Cabsec can fix this by dkf · · Score: 1

      In practice, your webserver will probably also need permissions for outgoing connections. So if it's hacked then your computer can be a part of DDoS'ing botnet.

      That's actually pretty easy to manage: you firewall outgoing connections using a firewall that isn't on the same machine — actually, using a device whose management port isn't on the same network is most advisable — so that the webserver can only make outgoing connections to whitelisted sites. Typically, none of those need to be exposed to the outside world. If there's a need to support things like outgoing SMTP from the httpd, you use tricks like a firewall rule that rewrites all those connections so they go to a special local mail router, so making it really easy to track who's sending what and spot problems that way.

      Of course, this does mean that some crappy web2.0 webapps won't work. But that's really the fault of the developers of those webapps being security-ignorant numpties.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
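
The off-box egress allowlist with SMTP rewriting that dkf's comment above describes, as an added example that is not part of any post in this thread. It is an nftables ruleset for a separate firewall host; the choice of nftables, the interface names and every address (documentation ranges) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Loaded on a dedicated firewall box, never on the
# web server itself, so a compromised httpd cannot edit its own rules.
# Assumed layout: "dmz0" faces the web server, "wan0" faces the internet,
# and this box forwards traffic for the web segment only.

table inet web_egress {

    # The only (destination, port) pairs the web server may open
    # connections to. Everything else it initiates is dropped and logged.
    set egress_allow {
        type ipv4_addr . inet_service
        elements = {
            198.51.100.40 . 5432,
            198.51.100.25 . 25
        }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Any outgoing SMTP attempt from the web server is rewritten to
        # the local mail router, whatever destination the httpd asked for.
        # The relay then holds the record of who sent what.
        iifname "dmz0" ip saddr 192.0.2.10 tcp dport 25 dnat ip to 198.51.100.25:25
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already permitted.
        ct state established,related accept

        # Inbound: visitors may reach the web server on HTTP/HTTPS only.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept

        # Outbound: new connections from the web server must match the
        # allowlist. SMTP matches here after the rewrite in prerouting.
        iifname "dmz0" ip saddr 192.0.2.10 ip daddr . tcp dport @egress_allow ct state new accept

        # Anything else the web server initiates is a signal worth
        # alerting on: count it, log it, drop it.
        iifname "dmz0" counter log prefix "web-egress-denied " drop
    }
}
```

`nft -c -f <file>` parses the ruleset without applying it. Log lines carrying the `web-egress-denied` prefix are the place to watch for a web server that has started making connections it never needed.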
    9. Re:Cabsec can fix this by Anonymous Coward · · Score: 0
      It's not vaporware.
      http://ertos.nicta.com.au/research/l4/

      Our embedded version of L4 was successfully commercialised, initially via direct engagement with QUALCOMM and other companies. This lead to spinning out our development team into the new company Open Kernel Labs (OK Labs). OK Labs has further developed L4-embedded into what is now called OKL4, and provides products and services based on this system.

  10. Obvious Scam is Obvious by phantomcircuit · · Score: 2, Insightful

    So either they actually have compromised all of those sites, OR they're phishing... hmm I wonder which it could be....

    1. Re:Obvious Scam is Obvious by pitchpipe · · Score: 1
      Obvious didn't RTFA is obvious.

      From TF Krebs A: I've seen some of the back-end evidence of his hacks, so it doesn't seem like he's making this up.

      OR they're phishing... hmm I wonder which it could be....

      Do you, perchance, work for the government?

      --
      Look where all this talking got us, baby.
    2. Re:Obvious Scam is Obvious by Anonymous Coward · · Score: 2, Informative

      Here is the google cache of [hack_addicted.pt]'s forum post that shows you how to break into all the sites listed by Srblche by using HA's Online SQLi scanner.

      http://webcache.googleusercontent.com/search?q=cache:XU6t4iPLZLAJ:www.hackforums.net/showthread.php%3Ftid%3D977900+http://www.srblce.com&cd=6&hl=en&ct=clnk&gl=us

      I think the value of those 'hacked sites' just dropped by a few hundred dollars.

  11. Seen on US Forest Service site by RobertB-DC · · Score: 1

    I tried to look up information on the Ouachita National Forest last year, and was warned by Google Chrome that the site was a potential malware host, with parts of the site coming from a .cn domain. I didn't push forward to the site to find out exactly what part of a .gov site would require .cn content.

    It looks like they've fixed it now, though I'm really not sure... this sensible URL expands to a hundred character monstrosity that's just begging for a reverse-engineering attack.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  12. Disturbing... by Sooner+Boomer · · Score: 3, Interesting

    I don't know which is more worrying - that some of these sites are for sale, or how cheaply they're going for...

    --
    Chaos maximizes locally around me.
  13. heh.. not by Anonymous Coward · · Score: 0

    http://www.srblche.com/

    this

    1. Re:heh.. not by Anonymous Coward · · Score: 0

      Just for fun, I compiled some info:

      srblche.com /video /exploit /demo /admin /alerts /blackmarket.html /prices.html /deals.html /logins.html /payment.html /proof.html

      srblche.com:2082/

      last login from 80.184.107.167 - The [h|cr]acker in question is from Kuwait, using Zajil International Telecom

      http://www.srblce.com:2082/frontend/x3/index.html

      he browses with firefox

      HOME - http://www.sa3ti.com

      his native language is arabic
      his english isn't great, but it'll do (I'm sure he can get by)

      www.qsl.com.wa

      www.alraialaam.com

      www.adilqurban.com - his lawyer?

      I would guess that he has an account on www.sh3lls.net

      He might use that for IRC

      he likes scarface quotes

      he listens to Rihanna

      He records his demos with Camtasia

      I have a picture of his desktop

      There is a file on the desktop called "us govs.txt"

      some others:

      PFPortChecker
      natural-ess...
      UtahsOwnE... (excel database)
      SqlInjector (link)
      SQLi Scanner by hack_ad... ----- srblche is a pussy
      russia-flag.jpg
      cc.txt
      root.txt
      testing.txt
      zag.txt
      rawr.txt
      conn.php
      sh3lls.net (shortcut)
      Shortcut to JSky.exe
      JSky.Enter...
      driveby2 (folder)
      test.jpg
      New Cpanels.txt
      info.txt
      CreditCards Dorks.txt
      Exploits.txt
      rth.txt
      new.jpg

      LOTS of HAVIJ - sql injection stuff (multiple pro and free versions) ... there are more

  14. Adding capabilities to an OS by Anonymous Coward · · Score: 1

    Capability based security (Cabsec) can provide OS with no exposed vulnerabilities. It's based on an L4 proven microkernel. The only problem is that it's vaporware.

    It doesn't have to be. The parts are starting to fall into place, but the open source community has to be made aware of the fact that it is possible to solve computer security, instead of patching it with layers of band-aids.

    There's a research project that managed to add it to FreeBSD fairly easily:

            http://www.cl.cam.ac.uk/research/security/capsicum/

    It's not a full blown system, but a userland library (with some kernel code) that allows applications to drop privileges/capabilities they do not need (e.g., gzip does not need to talk to the network or do I/O if it detects it's in the middle of CLI pipe stream; tcpdump generally doesn't need to fork(2); etc.).

  15. This is the hacker's site: by Anonymous Coward · · Score: 3, Informative

    The hacker's site is http://www.sbrlche.com/.

    Quite easily googleable from the phrases in the screenshots!

  16. Waaaaait. by Anonymous Coward · · Score: 0

    Hold on a sec, here. DoD pharmacoeconomic server? That sounds like it could be nasty.

  17. Spamvertising, internal trust by Khopesh · · Score: 2

    TLDs like .gov and .edu get a massive multiplier in Google's PageRank. Spamvertising effectiveness is therefore amplified in kind.

    On a more alarming note, the system may have been blessed in some manner that might make it useful as a launching point for attacking a more important site which might implicitly trust the hacked server due to its ownership or similar relationships. The most sensitive systems are completely firewalled and therefore inaccessible from the outside, and these systems might extend a level of trust to servers like those for sale on this list. Of course, that might be one of the reasons those servers were hacked and are being turned around for sale at so low a price (i.e. they don't grant such access, so the crackers are flipping them).

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  18. But Cyber Warfare Risks are Overblown by AlienIntelligence · · Score: 1
    --
    For me, it is far better to grasp the Universe as it really is than to persist in delusion
  19. Yeehaw! USCB! by Anonymous Coward · · Score: 0

    I can access Univ of South Carolina at Beaufort!
    I'm gonna spend $88 and change my degree to say A+
    and make my IQ test say pass and I'm gonna have
    a 100 on my SATs!

    {oblig from a Sandlapper}

    -@|

  20. cyber ops needs to get smart! by Anonymous Coward · · Score: 0

    Here's a thought, drop misinformation 'honeypots' on bogus secret data sites hardly hidden behind public sites and start forensic backtrack
    to blacklist or emp the fucking root servers in some of these countries via satellite.

    Then other nations will get the hint that we're aware of their thieving asses!! Or how bout bogus fund a top secret
    airplane, missile, sub, etc that is a dud!!! Then china and russia will spend themselves into oblivion
    on junk that won't work..

    WTF!!! where are the misinformation people on this crap, you guys can do a lot of damage
    to the thieves stealing IP and research data from America.. I'm sick of seeing these sneaky bastards
    ripping us off and making their own knock offs using our stolen research and IP..
    We need to get smart like Kelly Johnson was running skunkworks, we didn't need any foreign science brain trusts, not even
    any fucking nazis to produce the engines for the SR-71, it was all us doing it back then!
    No country to this day is able to keep up with the SR-71 so fuck them and their 'brain drain' bullshit..

    1. Re:cyber ops needs to get smart! by KDR_11k · · Score: 1

      EMP would require an orbital nuclear weapon, that's a violation of so many international treaties that using it would cause WW3.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
  21. Web-Facing Sites are the outside of the Building.. by Tempest451 · · Score: 1

    ...but just because you can paint graffiti on it doesn't mean you can break in!

  22. Re:Web-Facing Sites are the outside of the Buildin by Securityemo · · Score: 1

    Yeah, but he claims that a lot of the sites on the list have "high-value information", and I assume that the mil/gov database information he claims to sell on the side are some sort of amalgamation of stuff like that he found. Like the US DoD "pharmacoeconomic center"? That could be sensitive stuff, I guess. Fortunately it looks like they took it down.

    --
    Emotions! In your brain!