Royal Navy Website Hacked, Passwords Revealed

An anonymous reader writes "The British Royal Navy's website has been suspended after a Romanian hacker exploited SQL injection vulnerabilities to gain access to the site. The hacker, named 'TinKode,' accessed usernames and passwords used by the site's administrators and published them on the web. TinKode's attack is 'particularly embarrassing for the British Ministry of Defence, as just last month protecting against cyber attacks was declared in the National Security Strategy to be a "highest priority for UK national security."'"

Re:Oops

[Dancindan84]

More like:
"Lieutenant and password = '*'; please report to the bridge."

Details

[muckracer]

http://pastebin.com/raw.php?i=M2MUEdv4 [pastebin.com]

Fire up your rainbow tables :-)

Re:Details

[Anonymous Coward]

Wow, I haven't seen that ASCII art chick since the early 90s when I would hang out on questionable BBSs :)

that's not technically embarrassing

[circletimessquare]

it's an unimportant website

now THIS is technically embarrassing

http://www.bbc.co.uk/news/uk-scotland-highlands-islands-11605365 [bbc.co.uk]

this is a nuclear powered brand new stealth submarine, giving away its secret propulsion system as the tide lowers, because someone drove it into the beach. stealth beach? (slaps forehead)

Re:clear text passwords?

[Grantbridge]

If you look at the data they released, they only gave the password hashes, not the passwords themselves. There were no clear text passwords in the database. That said, one of them has been "cracked" to "ppp". Its an admin password, hopefully it required being logged in from the intranet or something.

Re:Details

[mattdm]

It was probably not ppp, but a rather unfortunate password whose md5 is the same as for "ppp". I can't believe they'd actually put in a password like that.

Since the former is statistically improbable to beyond-astronomical degrees, the latter is, unfortunately, more likely.

If they are anything like the US

[orphiuchus]

Then they have at least 4 levels of networks just for the military, 1 for the public(the recruiter websites), 1 for regular correspondence such as training and rosters(accessible by everyone in the military), 1 for things that may be considered secret but have fairly low impact if compromised(acceptable to everyone with a security clearance requiring a basic background check), such as deployment dates and reports from deployed units, and 1 for medium-high risk stuff like radio fill codes(available to people with extensive background checks and monitored closely). The networks that get compromised and make the news, at least in the US, are the first 3. Wiki-leaks stuff usually comes from the 3rd level there and tends to be stuff that a lot of people have access to. This compromise seems to be the very lowest level, as several people have pointed out, and I doubt if anyone in the royal navy is all that concerned about actual security. That doesn't mean its not embarrassing, because the public reaction is sure to be ill-informed and overblown, but the actual damage here is nil. The real secrets everyone wants to assume are stored on these websites, such as the black ops or alien autopsies, aren't actually anywhere. If the government actually does something super secret and potentially earth-shaking they don't write it down and file it. That wouldn't make any sense. Once you get past Grey-SOF level of secret stuff the paper trail pretty much needs to disappear.