Royal Navy Website Hacked, Passwords Revealed 114
An anonymous reader writes "The British Royal Navy's website has been suspended after a Romanian hacker exploited SQL injection vulnerabilities to gain access to the site.
The hacker, named 'TinKode,' accessed usernames and passwords used by the site's administrators and published them on the web. TinKode's attack is 'particularly embarrassing for the British Ministry of Defence, as just last month protecting against cyber attacks was declared in the National Security Strategy to be a "highest priority for UK national security."'"
i bet changing the code was too much trouble (Score:4, Insightful)
we had this happen a few times and every time you go back to the developers who coded the website they always complained how it would take them too much time to change the code. even though changing the database permissions would be a snap
Why !? (Score:1, Insightful)
Meh (Score:3, Insightful)
Embarrassing, sure. But it's just their website, and doesn't justify spending £500m on fighting "cyber-terrorism". By the way does anyone know what the £500m will actually be spent on? It *should* be spent on researching secure systems like BitC, SELinux, stack protection and so on. I bet it isn't.
Why hire dumbfucks? (Score:5, Insightful)
I don't understand why people need to deface sites just to show ... what ?
They do it just to show how ignorant are the people who are supposed to manage those sites.
The Royal Navy used to be the defense of the UK against invaders. They were supposed to fight to the end, to resist against everyone. Yet, nowadays, some script kiddie is able to defeat the Royal Navy from his mom's basement? WTF???
The message is that the sites can be defeated very easily, that's all.
Re:Why !? (Score:5, Insightful)
do you know how hard it is for somebody to even begin reporting something like that?
if you are a young adult (aged 12-24) and you find a security hole, do you know how few people will take you seriously? it's amount to telling your teacher there's a problem in every copy of a textbook: they'll just laugh at you and tell you "you just don't know any better".
Yes, I completely agree that there ARE BETTER WAYS to disclose: but by not making them easy enough for a youngster to understand: you prevent people from reporting in the first place.
Re:Why !? (Score:5, Insightful)
By making a public display of low security standards - you impact more people.
Could he have told the ONE administrator of the site about the vulnerability, and HOPED that the Sysadmin would take the time out of the day to fix it - and not completely disregard his advice? Yeah, he COULD have done that, but that doesn't guarantee results or get the message to as many people.
Don't get me wrong, we just had to deal with the hooligans ourselves in my company, and it is a bit of a piss off to have to deal with it. However, I can say for a fact we're much better with our security standards now than we ever were before. And on top of that - anyone who finds out might think "Jeez, that kind of stuff is on the rise, maybe I should get to that update I've been sitting on".
It sucks if it happens to you - but its one of those things that seems necessary to keep things in line. I'd rather we be too secure as a society as opposed to being all willy nilly.
Re:Oh Noes (Score:4, Insightful)
You're assuming that no one ever puts anything else up in a hidden directory on a website, do you? Just because it's a fluff website doesn't mean there isn't anything else behind those pages. At the very least, an exploited script could be running a simple fileserver on it for dropping off warez and pr0n and other stuff. Hell, the webmaster and his friends might've put up files there on behalf of some higher up who needs a large file sent somewhere.
Wasn't there that funny anti-piracy site that was DoS'd and ended up revealing a pile of hidden files containing emails and such?
You might think that such entities would use super-secret encryption and file transfer methods, but you'd be surprised to find out most still use common FTP and HTTP.
Re:Why !? (Score:2, Insightful)
if you are a young adult (aged 12-24) and you find a security hole, do you know how few people will take you seriously?
And when they do eventually take you seriously, they will take you way to seriously by threatening you with jailtime etc.
Better avoid all risks, and anonymously hack their site via tor or an open Wifi.
Re:Why !? (Score:3, Insightful)
This being the UK, if you find such a hole in a government website and report it you're likelly to end up in prison accused of terrorism.
Seriously, they've used the Anti-Terrorism legislation to detain a pensioner who shouted "nonsense" at the labour party conference: do you really think they would not do whatever it took to shut somebody that found such a hole up to avoid the embarassment? The whole purpose of these without-court-order-laws is exactly to be unrestrained tools of state power ...
Nah, your're better off anonymously outing this hole or keeping your mouth shut while foreign powers get to exploit whatever they can from it at will.
Re:Why hire dumbfucks? (Score:3, Insightful)
The point is that someone probably already has.
Re:something for nothing (Score:4, Insightful)