Forgot your password?
typodupeerror
Security The Military United States

Hackers Breached US Army Servers 209

Posted by timothy
from the fine-line-between-clever-and-stupid dept.
An anonymous reader writes "A Turkish hacking ring has broken into 2 sensitive US Army servers, according to a new investigation uncovered by InformationWeek. The hackers, who go by the name 'm0sted' and are based in Turkey, penetrated servers at the Army's McAlester Ammunition Plant in Oklahoma in January. Users attempting to access the site were redirected to a page featuring a climate-change protest. In Sept, 2007, the hackers breached Army Corps of Engineers servers. That hack sent users to a page containing anti-American and anti-Israeli rhetoric. The hackers used simple SQL Server injection techniques to gain access. That's troubling because it shows a major Army security lapse, and also the ability to bypass supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches."
This discussion has been archived. No new comments can be posted.

Hackers Breached US Army Servers

Comments Filter:
  • by dkleinsc (563838) on Thursday May 28, 2009 @04:11PM (#28129327) Homepage

    as usual, military contracting companies provided over-hyped shoddy work to the military, who either didn't know better or didn't care.

    Of course, I thought it was going to be as simple as knowing that the password was "Joshua".

    • by Shakrai (717556) on Thursday May 28, 2009 @04:13PM (#28129371) Journal

      Of course, I thought it was going to be as simple as knowing that the password was "Joshua".

      Actually it's "joshua". Mr. Falken was lazy and didn't like having to reach for the shift key ;)

  • by Anonymous Coward on Thursday May 28, 2009 @04:12PM (#28129347)

    All your base are belong to us

  • That's troubling because it shows a major Army security lapse, and also the ability to bypass supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches.

    Who know where these outward facing servers reside? Having outward websites vandalized says nothing about the security of an organizations networks.

    • by db32 (862117)
      No, but it provides excellent fodder for anti-military rhetoric. I find people on far ends of either political spectrum completely abandon any semblance of using logic or reason in favor of just being an inflamatory fountain of stupid.
  • Amateurs (Score:5, Funny)

    by Kensai7 (1005287) on Thursday May 28, 2009 @04:15PM (#28129399)

    If they want to prove a point they have to stop targeting US Defense facilities. Hack a serious portal like Slashdot if you can! Ha!

    • I know you were going for funny, but it's true. If there any real uberhackers out there, someone would've dropped some serious ordinance on the White House by now. Or the Knesset. I'd even accept Rush Limbaugh or Rosie O'donnell. But some pokey low-importance defence servers? Yeah, amateurs.
      • Re:Amateurs (Score:4, Informative)

        by mlts (1038732) * on Thursday May 28, 2009 @05:29PM (#28130549)

        Actually, if someone did a show-stopper like that it would be a bad thing for everyone. It would provide the impetus for the Internet to be split up into separate non-connected networks and walled gardens. These wouldn't be "mere" firewalls, these would be networks that would be either running a new (or old) network protocol (IPX is an example) or a non routable protocol such as NetBEUI (Don't confuse NetBEUI with NetBIOS... NetBEUI is the transportation and is obsolete, as TCP/IP has completely taken over that communication layer function over) or Appletalk.

        Right now, a black hat can sit at his/her computer, and connect on the same network to virtually anything. Should people get too upset and knee-jerkish about a War Games scenario, he or she would have to spend a lot of time and effort trying to get gateways working to networks that have completely different protocols (IPX, VINES) in the effort to try to attack machines.

        Compared to the past, a dedicated cracker just needs to focus on a relative small part of an OS or a service like Apache, IIS, or SQL Server for great gains. In the past, one had to jump from DECNet to BITNET to NSFNet, perhaps doing through multiple UUCP hops if the boxes were moving mail via store and forward and mdoems. Almost no host or network was the same as another, so a generic "script kiddy" who could run a prepackaged toolkit against a random company didn't exist back then.

        • by jeff4747 (256583)

          These wouldn't be "mere" firewalls, these would be networks that would be either running a new (or old) network protocol (IPX is an example) or a non routable protocol such as NetBEUI

          Um....no

          If the networks are not supposed to interoperate, you just don't connect them in the first place. You don't do something as dumb as relying on an old protocol to prevent access.

  • Amazing. (Score:5, Interesting)

    by DoofusOfDeath (636671) on Thursday May 28, 2009 @04:17PM (#28129431)

    Pardon the rant, but can anyone tell me why we're still having people write code that is subject to SQL injection attacks?

    I mean, sometimes potential buffer overflows in C/C++ programs can be tricky to notice. Writing threading code that's not subject to deadlock or starvation can often be a challenge.

    But isn't code that's subject to SQL injection attacks just blindingly, amazingly obvious at first glance?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Yes and No. If I want to have a program that I pass SQL queries to and it returns either safe or unsafe that is not a computable problem. There is no way to tell if a query is good or bad without context. That being said there are things like prepared statements that give the statements context, that is explicitly stating which parts of the query are control statements and which are data.

      In a simple system you are correct but in a system of even moderate complexity telling if code is vulnerable to SQL in

      • Yes and No. If I want to have a program that I pass SQL queries to and it returns either safe or unsafe that is not a computable problem.

        Are you sure? Your statement would only be obviously true if a single SQL statement can be a Turing-complete language.

      • by againjj (1132651)

        Yes and No. If I want to have a program that I pass SQL queries to and it returns either safe or unsafe that is not a computable problem. There is no way to tell if a query is good or bad without context. That being said there are things like prepared statements that give the statements context, that is explicitly stating which parts of the query are control statements and which are data.

        In a simple system you are correct but in a system of even moderate complexity telling if code is vulnerable to SQL injection becomes non-trivial. When you have to dig through 5 levels of inheritance several times to hunt down all the places where the query is actually formed it's not all that simple.

        Perl taint mode. Sure, it it conservative, but if taint is complex enough that it does work, then I wouldn't trust a person to get it right with 100% accuracy.

    • Re:Amazing. (Score:5, Insightful)

      by Lord Ender (156273) on Thursday May 28, 2009 @04:31PM (#28129697) Homepage

      How do you know the code was recently written? More likely, the app was written years ago, before the phrase "sql injection" was even coined.

      • by JWSmythe (446288)

        Well, before they started calling it SQL injection, it was just invalid input. Since I was programming for an audience of millions, if even 0.1% of them were script kiddies, and 0.01% of them were good, my servers would have a life expectancy of days at most.

        What's the big difference between:

        SELECT user FROM auth WHERE username = 'foo';DROP TABLE auth;

        and

        (please forgive me for how wrong this is)

        $result = `grep %in{sea

        • The way to protect against sql injection is not to "validate external input." It is to pass the external input to the database after telling the database what that external input should be representing (sql parameterization). Let the database decide if it is valid or not.

          If you try and reinvent the wheel in every app, you will certainly make a mistake at some point. The guys who wrote the DB know more about this than you do; let them handle it.

        • Why would anyone let the website run with DROP TABLE or any other high level permissions? Shouldn't the website be using credentials with read only permissions. Maybe after the user logs in they can update their one record. Not anyone other record.

          (Here is where I will be flamed to oblivion)
          Or is this another case where the web dev says that they need full god rights on the DB server?

          You should always run with just the permissions you need to get the job at hand done. Nothing more ever.

          • by JWSmythe (446288)

                Ok, how about...

                ; update users set password = password('') ;

                It was just a freakin' example, not a dictation of how to break things. {sigh}

    • Re: (Score:2, Funny)

      by Anonymous Coward

      I'd like you to stop by my work and bludgeon a few developers of mine over the head, if you would. Seems they're all too busy posting on a site called "BackSlash" or something to check their code.

    • by jeff4747 (256583)

      As mentioned by other posters, since we don't know how old the system is, we can't really measure it against "modern" perceptions.

      In addition, they could be a victim of this kind of thing:

      Contractor: We'd like to make a prototype for a web site that will do XYZ.

      Govt: K, here's some cash.

      Contractor: Here's a prototype, now can we have some cash to convert it from a prototype into a real system?

      Govt: Nah. I'd have to fill out a lot of paperwork for that. We'll just use the prototype.

    • by Yvanhoe (564877)
      It is not people still writting such code, it is people still using such code. A website that has accumulated information and that has been working correctly for 10 years is not something most people are willing to rewrite.
    • by mjwx (966435)

      Pardon the rant, but can anyone tell me why we're still having people write code that is subject to SQL injection attacks?

      Like everything else this system was built by the lowest bidder.

    • by Yetihehe (971185)
      It's the fault of subpar developers. I have some of them in my company, tried to teach them, but nothing works. I still encounter some bad queries here and there in their code. Add lack of ANY programming/indenting style and you have today's web programming.
  • by goldaryn (834427) on Thursday May 28, 2009 @04:17PM (#28129443) Homepage
    So much for Information Week being reasoned and sensible.

    "Equally troubling is the fact that the hacks appear to have originated outside the United States. Turkey is known to harbor significant elements of the al-Qaida network. It was not clear if "m0sted" has links to the terrorist group."

    Hooray for sensationalism!
  • by Manip (656104) on Thursday May 28, 2009 @04:19PM (#28129461)

    I'm just playing devil's advocate but who puts their public website inside their defences?

    I know it is an extremely common practice in this country to actually put sites like these on standard third party hosting services (e.g. Rackspace).

    They set them up to be as secure as other e-commerce sites, so fairly secure, but without having to poke holes in a nice heavy firewall.

    • by jeff4747 (256583)

      I'm just playing devil's advocate but who puts their public website inside their defences?

      Who says it's behind their real defenses?

      Look, it's a web server on the Internet. It's gonna need at least a firewall. Just like if they used Rackspace to host it and you were behind Rackspace's firewall. But there's also gonna be additional defenses for other systems.

      And, btw, anything that's on the server is gonna be unclassified or somebody's goin' to jail regardless of the breach.

    • by Zapotek (1032314)
      Devil's advocate? Every comment here is already against the admins of the servers...
  • Hyperbole? (Score:5, Insightful)

    by mpapet (761907) on Thursday May 28, 2009 @04:20PM (#28129483) Homepage

    I didn't bother to RTFA, but summary is inflamatory at best.

    A public-facing, high-profile (perception) server gets compromised? That's not news.

    Let's say it is news for a minute. What was the budget for this public-facing project? This is not a "major Army security lapse" by any stretch of the imagination.

    Of course, my line of thinking wouldn't be widely accepted because it ignores the emotional response that the summary probably provokes in most people.

    • Yeah. If you read about all of the shit the military keeps secret for decades, something tells me that information week wasn't able to pull something the military didn't want to give.

      So, what would you do if you wanted to learn the technical capabilities of the enemy? Try to hack into their location, or set up some seemingly vulnerable services and watch what they do? Double bonus: "leak" the break-in (wink wink) to Information Week and see what kind of celebration activity you can see on the lines. Hell, I

    • by nametaken (610866)

      Seems we don't have to know much about the situation to know one thing... a "major Army security lapse" is more like, say, strategic radio comm in the clear, close enough to be intercepted by the enemy, and results in casualties.

      A public facing website that gets script-kiddied by some asshat from Turkey that thinks exploiting a site by SQL injection is Uber-L33t is not a major lapse. I'm pretty sure this is not weighing heavily on some 5-star's mind.

  • 1. good tactics
    2. the ability to adapt new tactics as previously good tactics become irrelevant

    one way a tactic becomes irrelevant is changing battlefield conditions. you don't fight in a swamp the way you fight in a desert, for instance

    well, the internet is valid battlefield. and you fight on it with new tactics. it remains to be seen now if the us military understands that

    1. it needs to take this battlefield seriously
    2. it can develop good tactics to fight on this battlefield

    but as it stands now, a bunch

    • by cdrguru (88047) on Thursday May 28, 2009 @04:38PM (#28129787) Homepage

      The US military is pretty much incapable of fighting a guerrilla war where the combatents are intermixed with civilians and civilian casualties are forbidden. It made Vietnam very difficult and it has made Iraq difficult as well.

      What we have is a guerrilla war against hackers where they are effectiely shielded in most cases by the ISP and their own country's law enforcement. The end result is almost an unwinnable war.

      We are winning in Iraq by ending the use of civilians as shields. We won in Vietnam by separating the combatants from the civilians. It is going to take that sort of effort to win against hackers, crackers and identity thieves. Unfortunately, right now the effort required to do this is intense enough that it is many, many times the losses so far. So I don't think they are going to do anything until the losses mount up a lot more.

      What makes this worse is in order to effectively combat these people it is going to take either the cooperation of foreign law enforcement or just going around them. Neither one is going to make these other countries want to be our friends, but they seem to be happy with the hackers running around doing whatever.

      • the goals in iraq and vietnam are different than that on the web. in irag and vietnam you have to go out there and police the countryside. on the web, you just have to hunker down and prevent intrusions. its the difference between riding out into the countryside and battening down the hatches on the castle. its a lot easier to secure a castle than police the entire countryside

        • by mi (197448)

          its the difference between riding out into the countryside and battening down the hatches on the castle. its a lot easier to secure a castle than police the entire countryside

          Your analogy is flawed... Although you are right, that "policing the countryside" is difficult, securing the castle is very hard too, when you aren't allowed to pursue the repelled attackers. And, as far as I know, most of the military's tactics and doctrines rely on retaliating (or a threat thereof) as a deterrent.

          And yet, retaliati

      • by ultranova (717540)

        What we have is a guerrilla war against hackers where they are effectiely shielded in most cases by the ISP and their own country's law enforcement. The end result is almost an unwinnable war.

        What you have is a few teenagers writing graffiti on the army bulletin board located outside the base. And yes, the War on Vandals is likely unwinnable. However, you might try declaring War on Exaggeration.

        We won in Vietnam by separating the combatants from the civilians.

        You didn't win in Vietnam, you lost and fled.

      • by DeionXxX (261398)

        Wait... we won Vietnam?

      • We are winning in Iraq by ending the use of civilians as shields. We won in Vietnam by separating the combatants from the civilians. It is going to take that sort of effort to win against hackers, crackers and identity thieves. Unfortunately, right now the effort required to do this is intense enough that it is many, many times the losses so far. So I don't think they are going to do an

        Excuse me? The US did not win the Vietnam War, unless the US was aiming to make Vietnam a communist country and have lots of casualties.

      • Changing wording to create fiction in the hope that somebody gullible will hand over some cash is not the way to fight this increasingly organised and increasingly common criminal activity, but unfortunately that is how the current head of the NSA and others scrambling for funding are doing it. One such idiot full of cyberhype recently showed he knew less about Trojans than anyone with even a passing knowlege of european culture let alone a computer professional (ie. the Trojan horse lets the other nasty s
      • Re: (Score:2, Insightful)

        by mjwx (966435)

        We are winning in Iraq

        That's doubtful at the best of times, but for the sake of argument entertain you.

        by ending the use of civilians as shields.

        No you haven't. There hasn't been any noticeable decrease in violence, just less reporting of it. Just because the US army has the media on a tight leash doesn't mean that you're winning, in fact this is about the only lesson the US armed forces learned in Vietnam and in my opinion the most useless one taught.

        We won in Vietnam

        Ahh yes, we've all seen the famou

    • Continuing the military analogy... What great battles have been won purely by defense? Denying yourself he ability to "reach out and touch someone", will always give the advantage to those who seek to blow you up -- or to bring your server down.

    • by jeff4747 (256583)

      but as it stands now, a bunch of teenagers are thoroughly and repeatedly trouncing the us military

      Not really. Do you have any idea just how many computers have .mil addresses? If somebody screwed up on the configuration for an infinitesimally small percentage of them, that's still a lot of systems open to attack. And the script kiddies will get lucky.

      But the US military also doesn't talk about their own "cyber" offensive and defensive capabilities for obvious reasons. Which leads to the erroneous presum

  • This is what you get when you recruit kids out of high school and renege on the promise of the money they will get for joining up. It is communism-on-a-stick. Where is the motivation to do well>
  • by Rayeth (1335201) on Thursday May 28, 2009 @04:26PM (#28129599)
    I think using SQL injection hasn't qualified as "hacking" since it showed up on XKCD.
  • It appears the servers in question were used for serving up web sites. Probably publicly-facing web sites. So, what sensitive information was at risk? There are already regulations about what content can be approved to sit on a DoD server with a publicly-facing web site.

  • Again????? (Score:4, Insightful)

    by Runaway1956 (1322357) on Thursday May 28, 2009 @04:44PM (#28129849) Homepage Journal

    Again?

    Slashdot requires you to wait longer between hitting 'reply' and submitting a comment.

    It's been 17 seconds since you hit 'reply'.

    Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator.

    So, what do I need to do, type really really slow?

    • So, what do I need to do, type really really slow?

      Maybe you can package your comment as the payload of an SQL injection?

  • by Ukab the Great (87152) on Thursday May 28, 2009 @04:52PM (#28129951)

    I don't know what I've been told
    But Army server's are quickly pwned
    You don't need some high-tech decryption machine
    Just a string with a semi-colon in between
    I don't know what I will find
    When good Army hacker's have resigned
    We'll have a good laugh when some bored kid in China
    Posts photos of Gen. Petraeus with a vagina

  • Big Deal (Score:3, Insightful)

    by BlowHole666 (1152399) on Thursday May 28, 2009 @05:08PM (#28130221)
    Ok so someone defaced a website used by the US Army. How do we know that the website is not hosted by a 3rd party provider? Also how are we sure that sensitive information and the website are on the same network? Also the army may not have codded the website so it could have just been piss poor coding by a 3rd party web developer and not the contractor who codes the programs that control the sensitive information.

    In other words just because the front end website for the Army got defaced that means nothing. It is like defacing the IRS website. It means nothing till you have peoples tax returns being rerouted to your personal bank account.
  • Turkish hackers are well known to compete on mass defacement contests.

    When preparing a contest, they scan all IPs to locate vulnerable sites.
    When the contest starts, they deface the maximum number of sites in a given amount of time (probably one hour in this case).
    They always go for the quickest way to hack a site, and so, they are not really hackers but script-kiddies.

    TFA is completely bullshit, since the hackers don't care about the content of the sites.

    BTW, why does the army still keeps vulnerable Window

  • Ho hum (Score:5, Insightful)

    by bartwol (117819) on Thursday May 28, 2009 @05:33PM (#28130609)
    Web server page redirection? Should that scare me? I mean, it's not quite as if somebody smuggled munitions or fired a weapon.
    "Oh...but the breach reveals the military's vulnerability."
    Does it? To what?
    Answer: To webserver page redirection.
    Might there be greater risk here? Perhaps. But no evidence was presented to indicate that. Get back to me when you've identified a MATERIAL RISK, not merely a TECHNICAL VULNERABILITY.
    As for those of you who have hopes and expectations that ALL THINGS MILITARY will be secure...WTF?
    • Re: (Score:3, Insightful)

      by timeOday (582209)
      I agree, this is like "infiltrating" the coffee-break room of the Army recruiting station at your hometown strip mall. It's not great, but it's not that big a deal. I'm not sure I want the DoD investing the (taxpayer) resources to make sure nobody ever, ever defaces their website again.
    • by TubeSteak (669689)

      "Oh...but the breach reveals the military's vulnerability."
      Does it? To what?
      Answer: To webserver page redirection.
      Might there be greater risk here? Perhaps. But no evidence was presented to indicate that. Get back to me when you've identified a MATERIAL RISK, not merely a TECHNICAL VULNERABILITY.

      The military has to look at an opponent and asses capabilities.
      Not actual abilities, but possible capabilities.

      So while you say "technical vulnerability," a security oriented person says "everyone who visited that web page could have been thoroughly pwned with trojans". If that doesn't qualify as a material risk, what does?

      As for those of you who have hopes and expectations that ALL THINGS MILITARY will be secure...WTF?

      Even the lowliest of web security scanners checks for SQL injections.

  • Users attempting to access the site were redirected to a page featuring a climate-change protest.

    OHNOES! They breached the admin net!

    There's a reason why the protected A/B network is accessible to the intarwebs and the L2 or higher networks are not. This may be interesting from a hacktivism standpoint... but it's not terribly newsworthy... or, at least, it's not got nearly as much shock value as the summary purports it to have.

  • they hacked the gibson...
  • SQL Injection? (Score:5, Insightful)

    by Anonymous Coward on Thursday May 28, 2009 @06:12PM (#28131113)

    I'm hardly one to defend MS products, but come on.

    SQL injection is hardly "a security vulnerability in Microsoft's SQL Server database." SQL injection is a result of badly written code. Nothing more. There is never an excuse for that to occur, even in environments where security isn't the top priority.

    The whole article feels a bit off to me. I get the sense it was written by somebody with little technical cluefulness. I particularly like the line about "sophisticated Defense Department tools and procedures designed to prevent such breaches" followed by a sentence identifying AV software. Written by a dummy, for similarly intelligent people, perhaps?

  • But I'm really hoping that "mosted" translates into something really awesome, because in English, it just sounds pretty gay...

A holding company is a thing where you hand an accomplice the goods while the policeman searches you.

Working...