Hackers Breached US Army Servers

An anonymous reader writes "A Turkish hacking ring has broken into 2 sensitive US Army servers, according to a new investigation uncovered by InformationWeek. The hackers, who go by the name 'm0sted' and are based in Turkey, penetrated servers at the Army's McAlester Ammunition Plant in Oklahoma in January. Users attempting to access the site were redirected to a page featuring a climate-change protest. In Sept, 2007, the hackers breached Army Corps of Engineers servers. That hack sent users to a page containing anti-American and anti-Israeli rhetoric. The hackers used simple SQL Server injection techniques to gain access. That's troubling because it shows a major Army security lapse, and also the ability to bypass supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches."

Re:wood for the trees

[dk90406]

You are wrong on so many levels. If you can't even bother to protect against simple things as SQL injection, I have a nasty feeling about the overall security.
Why aren't classified information on a separate network, not connected to the Net? Please: this is not 1980 anymore - protect critical information seriously.

I thought Information Week was sensible.

[goldaryn]

So much for Information Week being reasoned and sensible.

"Equally troubling is the fact that the hacks appear to have originated outside the United States. Turkey is known to harbor significant elements of the al-Qaida network. It was not clear if "m0sted" has links to the terrorist group."

Hooray for sensationalism!

Hyperbole?

[mpapet]

I didn't bother to RTFA, but summary is inflamatory at best.

A public-facing, high-profile (perception) server gets compromised? That's not news.

Let's say it is news for a minute. What was the budget for this public-facing project? This is not a "major Army security lapse" by any stretch of the imagination.

Of course, my line of thinking wouldn't be widely accepted because it ignores the emotional response that the summary probably provokes in most people.

Re:wood for the trees

[Anonymous Coward]

How do you know that classified intelligence was even obtained? Why are you even assuming that the security of these servers, an ammunition plant and the Army Corps of Engineers no less, will have the same security as that of the Pentagon? Did it ever occur to you that perhaps the Army would appropriate security based on how vital their assets are?

Re:wood for the trees

[kevin_conaway]

Why aren't classified information on a separate network, not connected to the Net

It is, in fact there are multiple, separate networks.

Other than the author repeating the word "sensitive" over and over again, there wasn't anything concrete in the article about whether the information was actually classified. I suspect it wasn't.

Re:Amazing.

[Lord Ender]

How do you know the code was recently written? More likely, the app was written years ago, before the phrase "sql injection" was even coined.

shhhhh

[Anonymous Coward]

disinformation is a wonderful tool

Again?????

[Runaway1956]

Again?

Slashdot requires you to wait longer between hitting 'reply' and submitting a comment.

It's been 17 seconds since you hit 'reply'.

Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator.

So, what do I need to do, type really really slow?

Re:any good military has

[Anonymous Coward]

The US (I presume that's who you're referring to) won in Vietnam? By whose estimation?

Big Deal

[BlowHole666]

Ok so someone defaced a website used by the US Army. How do we know that the website is not hosted by a 3rd party provider? Also how are we sure that sensitive information and the website are on the same network? Also the army may not have codded the website so it could have just been piss poor coding by a 3rd party web developer and not the contractor who codes the programs that control the sensitive information.

In other words just because the front end website for the Army got defaced that means nothing. It is like defacing the IRS website. It means nothing till you have peoples tax returns being rerouted to your personal bank account.

Re:wood for the trees

[HomelessInLaJolla]

That is not true. When you work for a military contractor you would be amazed at the amount of classified information which is available on the shared drives.

No--it is not directly available to the internet, but how many exploits does it take to hijack a browser and gain a command prompt or a vector to the injection of bytecode? How about hijack a browser and progressively insert holes in the compromised system until a backdoor can be opened? Sure, going to www.military-contractor.com and trying to force a way from their web server to their firewall to the internal network is difficult (though still not impossible), it is much easier to lace the 'net with booby traps. Think joke sites, humor sites, sites with flashplayer or java games or comics or even seemingly legitimate business presentations. How many exploits have we seen in codecs for music, even?

Classified information may not exist on systems you think are accessed from the internet--but classified information sure as heck exists on the drives shared to systems which are used as clients to the internet. There really is no difference once the fiber (or copper) is connected.

Re:wood for the trees

[Darkness404]

Um, I'd say that any website from a personal website with nothing terribly important on it to the system used to launch nuclear weapons should guard against something as simple as SQL injection. Now, you might not want to have passwords 468000 characters long for a lower security website, but surely blocking SQL injection is something all websites should guard against.

Re:wood for the trees

[Anonymous Coward]

Um, sensitive information is on a seperate network.

http://en.wikipedia.org/wiki/SIPRNET

I work at a network node for the U.S. Army. The security procedures that come down from the top are focused on preventing abusive access by employees. The various applications that we use to "prevent" malicious outside access are pretty trivial to defeat. It's no surprise when the lowest bidder gets to produce and/or implement the procedures and software.

Re:Basic Security Principles

[Anonymous Coward]

Unless of course that weakest link lies outside of the circle of trust, making it just like any other link not part of the chain, whereby breaking said link in no way negatively affects the structural integrity of the aforementioned chain.

Re:In other words ...

[tsm_sf]

Yeah! In 3500BC we had the ability to kill shit. In 2009 we have the ability to kill shit. What exactly did we gain?

You're making an entirely different point from the one you think you're making.

Re:any good military has

[Anonymous Coward]

[...] We won in Vietnam [...]

Sorry, but either you watched too many movies or you failed all your history classes.

No matter what Rambo, Forest Gump and Doctor Manhattan did, the US lost the war in Vietnam.

Ho hum

[bartwol]

Web server page redirection? Should that scare me? I mean, it's not quite as if somebody smuggled munitions or fired a weapon.
"Oh...but the breach reveals the military's vulnerability."
Does it? To what?
Answer: To webserver page redirection.
Might there be greater risk here? Perhaps. But no evidence was presented to indicate that. Get back to me when you've identified a MATERIAL RISK, not merely a TECHNICAL VULNERABILITY.
As for those of you who have hopes and expectations that ALL THINGS MILITARY will be secure...WTF?

SQL Injection?

[Anonymous Coward]

I'm hardly one to defend MS products, but come on.

SQL injection is hardly "a security vulnerability in Microsoft's SQL Server database." SQL injection is a result of badly written code. Nothing more. There is never an excuse for that to occur, even in environments where security isn't the top priority.

The whole article feels a bit off to me. I get the sense it was written by somebody with little technical cluefulness. I particularly like the line about "sophisticated Defense Department tools and procedures designed to prevent such breaches" followed by a sentence identifying AV software. Written by a dummy, for similarly intelligent people, perhaps?

Re:Ho hum

[timeOday]

I agree, this is like "infiltrating" the coffee-break room of the Army recruiting station at your hometown strip mall. It's not great, but it's not that big a deal. I'm not sure I want the DoD investing the (taxpayer) resources to make sure nobody ever, ever defaces their website again.

Re:any good military has

[mjwx]

We are winning in Iraq

That's doubtful at the best of times, but for the sake of argument entertain you.

by ending the use of civilians as shields.

No you haven't. There hasn't been any noticeable decrease in violence, just less reporting of it. Just because the US army has the media on a tight leash doesn't mean that you're winning, in fact this is about the only lesson the US armed forces learned in Vietnam and in my opinion the most useless one taught.

We won in Vietnam

Ahh yes, we've all seen the famous "victory in Vietnam" photo. You know the one where all the people are rushing to the roof of the US embassy to get on the last chopper out of Saigon.

by separating the combatants from the civilians.

Once again, you did no such thing. The US didnt know about half the double agents inside the South Vietnamese government and army until after the NVA rocked up in Saigon and pat them on the back.

Reality is on line 1 for you. It also wants to know how this got modded up.

Re:wood for the trees

[sinai]

The folks that take care of the important stuff aren't stupid and are highly paranoid.

Not sure where you're getting your facts from, but from my years in the military I'd venture to say that you're a bit overconfident. There are plenty of ways for sensitive data [salon.com] to find its way into the hands of outsiders.

Re:any good military has

[Anonymous Coward]

I do agree that fighting hacker is guerilla warfare that our government is not capable of fighting and for them the fight cannot be won. They don't underdstand that tatics and most of their cool toys don't work against an enemy such has this. On two points you are tottaly wrong.

We are winning in Iraq by ending the use of civilians as shields.

Yes we ended the use of civilians as shields. We ended this by changing the term "Civilians" to "Enemy Combatants". No matter what "term" you use to call them the people we are killing is the local population. You can call them Enemy Combatants but it doesn't change the fact they are women and children.

We won in Vietnam by separating the combatants from the civilians.

Dude we lost that stupid war! I know I was there! The reason we lost was we could not separate the combatants from the civilians because the Combatants WERE! the civilians! No one except the poloticat eliete wanted us their. They are a happy thriving peaceful country now that we are gone.

The one thing the US Military has yet to figure out is you can win a war against an "Army" but you cannot win a war against a "People" except by completely wiping them out. Yes and you must kill them all. If you leave a few they have babies and then you have a bunch of pissed off Grand kids in a few hundred years. Ask any American Indian. After over 500 years they still give the US Government a headache.

Please as a Vietnam Vet I ask you to not ever make the statement again that we won that fucking war. We didn't. I lost a lot of good friends for nothing except to make a few people rich.