Slashdot Mirror


Compromised Government and Military Sites For Sale

Khopesh writes "Imperva blogged today about the sale of compromised .gov, .mil, and .edu sites, illustrating that cyber-criminals are getting bolder. Krebs on Security has an unredacted view of the site list. Perhaps the biggest threat is yet to come; if an industrious criminal can break into top government and military sites, so too can government-backed teams, proving that GhostNet and Stuxnet are just the beginning."

30 of 51 comments

  1. Obvious by TaoPhoenix · · Score: 3, Informative

    Wikileaks.mil!

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    1. Re:Obvious by rtfa-troll · · Score: 1
      I think as a special exception in this particular case I can fill in 2 for you.

      2.0 Make a site about a new Congressional initiative to privatize Nuclear war.
      2.1 provide demos for small money with hacked Nuclear bombs
      2.2 embezzle the billions the enemy give you to destroy Tashkent

      alternatively.

      2.0 put up government policies for sale
      2.1 actually implement the policies via hacked congress/senate computers
      2.2 get awards and celebrity for improving government transparency
      2.3 use new found celebrity to get on TV in China or elsewhere outside the US and earn hard currency.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    2. Re:Obvious by dgatwood · · Score: 1

      2.0 put up government policies for sale

      Too late.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Obvious by i_want_you_to_throw_ · · Score: 1

    1. Buy commerce.gov
    2. ?????
    3. Profit!!!

  3. Not just .gov by OverlordQ · · Score: 1

    More than half of those listed are from other countries; they are not all US .gov and .mil sites.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Not just .gov by peragrin · · Score: 2, Informative

      Exactly. Most of these websites are on random hosting providers anyway.

      Now if they got IRS.GOV I might be concerned.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Not just .gov by QuantumLeaper · · Score: 1

      Hire the dumbest....

    3. Re:Not just .gov by aztracker1 · · Score: 1

      I would say, how does that compare with the private sector residents... Having city employees make roughly what the residents do isn't a bad thing. It's good to be able to have your city employees, you know, live in the city they work for. I find it hard to believe people can afford to live in SF on under $100K.

      --
      Michael J. Ryan - tracker1.info
    4. Re:Not just .gov by Bing+Tsher+E · · Score: 1

      You're right. Everybody should make... (pinky to cheek) One Million Dollars per day.

      That wouldn't create incredible inflation; everybody would still show up every day and get their jobs done and the entire economy wouldn't fail.

  4. Simple economic solution by jeffmeden · · Score: 1

    Is it sad that my first thought was "good, now they can just buy the control back!"

    Not only do they get to find out what sites have vulnerabilities, but they can use the exchange to try to track down the perps at the same time.

  5. Cabsec can fix this by ka9dgx · · Score: 4, Interesting

    Capability based security (Cabsec) can provide an OS with no exposed vulnerabilities. It's based on a proven L4 microkernel. The only problem is that it's vaporware.

    It doesn't have to be. The parts are starting to fall into place, but the open source community has to be made aware of the fact that it is possible to solve computer security, instead of patching it with layers of band-aids.

    1. Re:Cabsec can fix this by Cyberax · · Score: 3, Informative

      Nope, it won't help.

      Capability-based security omits one liiiiiiiittle detail: initial capability distribution. That's why most (all?) of the proofs of capability based security omit the initial image set up. That's the case with CoyotOS and other OSes. Or in other words, the question is: should IAmEvilExecutable get CAP_ALL_ACCESS permission if a user starts it and grants it this permission?

      Another problem is that if I somehow inject myself into, say, a web server, then I'll get access to all capabilities granted to this webserver. Which is usually more than enough. The only 'fix' on the horizon for this problem is fully managed code (see: Singularity OS).

    2. Re:Cabsec can fix this by ka9dgx · · Score: 1

      A web server process should only require:
      Read access to web content
      Read/Write access to an already opened internet connection
      Write access to a logging system process.

      If it only has those things, it can't do anything else, no matter how you crash the stack, etc.

      Capabilities aren't the same as privileges or SU flags... they are per resource, not levels.

    3. Re:Cabsec can fix this by ka9dgx · · Score: 1

      Fully managed code is an interesting idea, but requires you to trust the code to do its job, and ONLY its job... it doesn't protect against design flaws, or the confused deputy problem.

      The only code that should be trusted in any computer is the microkernel in the OS.

    4. Re:Cabsec can fix this by currently_awake · · Score: 1

      If you are a large corp then you can afford to security audit your basic apps. If you run everything in a sandbox, with only the permissions it needs then the scope of problems is very small.

    5. Re:Cabsec can fix this by Cyberax · · Score: 1

      A web server will also require access to a database, which is more than enough for an attacker. So the attacker can then request http://your.server.com/IHaveHackedThisBox.html and get a full database dump.

      In practice, your webserver will probably also need permissions for outgoing connections. So if it's hacked then your computer can be a part of a DDoS'ing botnet.

    6. Re:Cabsec can fix this by Cyberax · · Score: 1

      Why? Capability-based security is trivial with the managed code. You just need to get rid of global shared resources and that's it.

      And since it's easy to verify managed code for correctness (i.e. that no buffer overflows or type confusions are possible), you can be sure that capabilities won't fall into wrong hands.
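To make the disagreement in this thread concrete, here is an added Python model written for this page (it is not code from any OS or project named above, and every class, name and sample row in it is constructed). Capabilities are plain object references and there is deliberately no global registry, which is Cyberax's "get rid of global shared resources" point; the handler receives exactly the three capabilities ka9dgx lists, and `exfiltrate` stands in for code injected into that handler. Granting the raw database reference reproduces Cyberax's objection (full dump), while granting an attenuated facet shows what a per-resource capability buys: the injected code can still use the facet, but only for the one narrow query it carries.

```python
"""Toy object-capability model of the web-server discussion above.

Constructed illustration, not code from any OS or project named on the page.
A capability is just an object reference; nothing is reachable through
module globals, so a handler can only use what it was explicitly handed.
"""
from dataclasses import dataclass, field


@dataclass
class ReadOnlyContent:
    """Capability 1: read web content. There is deliberately no write method."""
    files: dict

    def read(self, path):
        return self.files[path]


@dataclass
class Connection:
    """Capability 2: an already-opened client connection, read/write."""
    request: str
    sent: list = field(default_factory=list)

    def recv(self):
        return self.request

    def send(self, data):
        self.sent.append(data)


@dataclass
class LogWriter:
    """Capability 3: append-only logging; no read method, so the log itself
    cannot be exfiltrated by code that only holds this reference."""
    lines: list = field(default_factory=list)

    def write(self, msg):
        self.lines.append(msg)


class Database:
    """The sensitive resource Cyberax points at: anything holding this can dump it."""

    def __init__(self, rows):
        self._rows = rows

    def dump(self):
        return [dict(r) for r in self._rows]

    def name_for(self, uid):
        return next((r["name"] for r in self._rows if r["id"] == uid), None)


class NameLookup:
    """Attenuated facet of Database: one narrow query and no dump method at all."""

    def __init__(self, db):
        self._db = db  # the full reference stays private to the facet

    def name_for(self, uid):
        return self._db.name_for(uid)


def handle(caps):
    """Honest handler: serve the requested path, log it, touch nothing else."""
    path = caps["conn"].recv().split(" ")[1]
    caps["log"].write(f"GET {path}")
    caps["conn"].send(caps["content"].read(path))
    return caps["conn"].sent


def exfiltrate(caps):
    """Constructed stand-in for injected code running inside the handler.
    It can only reach resources through the references it was handed."""
    loot = {"files": list(caps["content"].files.values()), "rows": [], "names": []}
    db = caps.get("db")  # absent unless the server was granted one
    if db is not None and hasattr(db, "dump"):
        loot["rows"] = db.dump()  # raw Database: full dump, Cyberax's scenario
    elif db is not None:
        loot["names"] = [db.name_for(i) for i in range(1, 4)]  # facet: names only
    caps["conn"].send(loot)
    return loot


def serve(request, handler, db_grant=None):
    """Wire up resources and hand the handler only what it is granted.
    db_grant: None (ka9dgx's minimal set), "full" (raw Database) or "facet"."""
    db = Database([
        {"id": 1, "name": "alice", "pw_hash": "constructed-hash-1"},
        {"id": 2, "name": "bob", "pw_hash": "constructed-hash-2"},
    ])
    caps = {
        "content": ReadOnlyContent({"/index.html": "<h1>public page</h1>"}),
        "conn": Connection(request),
        "log": LogWriter(),
    }
    if db_grant == "full":
        caps["db"] = db
    elif db_grant == "facet":
        caps["db"] = NameLookup(db)
    # `db` goes out of scope here; only what was placed in `caps` survives
    return handler(caps)


if __name__ == "__main__":
    print(serve("GET /index.html", handle))
    print(serve("GET /index.html", exfiltrate))
    print(serve("GET /index.html", exfiltrate, "full"))
    print(serve("GET /index.html", exfiltrate, "facet"))
```

Note what the facet does and does not achieve: the injected code can still enumerate names one id at a time, because that is the query the facet carries, but it never sees `pw_hash`, and there is no method through which it could ask for one. That is the difference between "the web server needs database access" and "the web server holds a capability for the one query it actually performs".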

    7. Re:Cabsec can fix this by dkf · · Score: 1

      In practice, your webserver will probably also need permissions for outgoing connections. So if it's hacked then your computer can be a part of a DDoS'ing botnet.

      That's actually pretty easy to manage: you firewall outgoing connections using a firewall that isn't on the same machine — actually, using a device whose management port isn't on the same network is most advisable — so that the webserver can only make outgoing connections to whitelisted sites. Typically, none of those need to be exposed to the outside world. If there's a need to support things like outgoing SMTP from the httpd, you use tricks like a firewall rule that rewrites all those connections so they go to a special local mail router, so making it really easy to track who's sending what and spot problems that way.

      Of course, this does mean that some crappy web2.0 webapps won't work. But that's really the fault of the developers of those webapps being security-ignorant numpties.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  6. Obvious Scam is Obvious by phantomcircuit · · Score: 2, Insightful

    So either they actually have compromised all of those sites, OR they're phishing... hmm I wonder which it could be....

    1. Re:Obvious Scam is Obvious by pitchpipe · · Score: 1
      Obvious didn't RTFA is obvious.

      From TF Krebs A: I've seen some of the back-end evidence of his hacks, so it doesn't seem like he's making this up.

      OR they're phishing... hmm I wonder which it could be....

      Do you, perchance, work for the government?

      --
      Look where all this talking got us, baby.
    2. Re:Obvious Scam is Obvious by Anonymous Coward · · Score: 2, Informative

      Here is the google cache of [hack_addicted.pt]'s forum post that shows you how to break into all the sites listed by Srblche by using HA's Online SQLi scanner.

      http://webcache.googleusercontent.com/search?q=cache:XU6t4iPLZLAJ:www.hackforums.net/showthread.php%3Ftid%3D977900+http://www.srblce.com&cd=6&hl=en&ct=clnk&gl=us

      I think the value of those 'hacked sites' just dropped by a few hundred dollars.

  7. Seen on US Forest Service site by RobertB-DC · · Score: 1

    I tried to look up information on the Ouachita National Forest last year, and was warned by Google Chrome that the site was a potential malware host, with parts of the site coming from a .cn domain. I didn't push forward to the site to find out exactly what part of a .gov site would require .cn content.

    It looks like they've fixed it now, though I'm really not sure... this sensible URL expands to a hundred character monstrosity that's just begging for a reverse-engineering attack.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  8. Disturbing... by Sooner+Boomer · · Score: 3, Interesting

    I don't know which is more worrying - that some of these sites are for sale, or how cheaply they're going for...

    --
    Chaos maximizes locally around me.
  9. Adding capabilities to an OS by Anonymous Coward · · Score: 1

    Capability based security (Cabsec) can provide an OS with no exposed vulnerabilities. It's based on a proven L4 microkernel. The only problem is that it's vaporware.

    It doesn't have to be. The parts are starting to fall into place, but the open source community has to be made aware of the fact that it is possible to solve computer security, instead of patching it with layers of band-aids.

    There's a research project that managed to add it to FreeBSD fairly easily:

            http://www.cl.cam.ac.uk/research/security/capsicum/

    It's not a full blown system, but a userland library (with some kernel code) that allows applications to drop privileges/capabilities they do not need (e.g., gzip does not need to talk to the network or do I/O if it detects it's in the middle of a CLI pipe stream; tcpdump generally doesn't need to fork(2); etc.).

  10. This is the hacker's site: by Anonymous Coward · · Score: 3, Informative

    The hacker's site is http://www.sbrlche.com/.

    Quite easily googleable from the phrases in the screenshots!

  11. Spamvertising, internal trust by Khopesh · · Score: 2

    TLDs like .gov and .edu get a massive multiplier in Google's PageRank. Spamvertising effectiveness is therefore amplified in kind.

    On a more alarming note, the system may have been blessed in some manner that might make it useful as a launching point for attacking a more important site which might implicitly trust the hacked server due to its ownership or similar relationships. The most sensitive systems are completely firewalled and therefore inaccessible from the outside, and these systems might extend a level of trust to servers like those for sale on this list. Of course, that might be one of the reasons those servers were hacked and are being turned around for sale at so low a price (i.e. they don't grant such access, so the crackers are flipping them).

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  12. But Cyber Warfare Risks are Overblown by AlienIntelligence · · Score: 1
    --
    For me, it is far better to grasp the Universe as it really is than to persist in delusion
  13. Web-Facing Sites are the outside of the Building.. by Tempest451 · · Score: 1

    ...but just because you can paint graffiti on it doesn't mean you can break in!

  14. Re:cyber ops needs to get smart! by KDR_11k · · Score: 1

    EMP would require an orbital nuclear weapon; that's a violation of so many international treaties that using it would cause WW3.

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.
  15. Re:Web-Facing Sites are the outside of the Buildin by Securityemo · · Score: 1

    Yeah, but he claims that a lot of the sites on the list have "high-value information", and I assume that the mil/gov database information he claims to sell on the side are some sort of amalgamation of stuff like that he found. Like the US DoD "pharmacoeconomic center"? That could be sensitive stuff, I guess. Fortunately it looks like they took it down.

    --
    Emotions! In your brain!