
Compromised Government and Military Sites For Sale 51

Khopesh writes "Imperva blogged today about the sale of compromised .gov, .mil, and .edu sites, illustrating that cyber-criminals are getting bolder. Krebs on Security has an unredacted view of the site list. Perhaps the biggest threat is yet to come; if an industrious criminal can break into top government and military sites, so too can government-backed teams, proving that GhostNet and Stuxnet are just the beginning."
  • Obvious (Score:4, Informative)

    by TaoPhoenix ( 980487 ) <TaoPhoenix@yahoo.com> on Friday January 21, 2011 @04:51PM (#34959612) Journal

    Wikileaks.mil!

  • 1. Buy commerce.gov
    2. ?????
    3. Profit!!!
    • I think as a special exception in this particular case I can fill in 2 for you.

      2.0 Make a site about a new Congressional initiative to privatize Nuclear war.
      2.1 provide demos for small money with hacked Nuclear bombs
      2.2 embezzle the billions the enemy give you to destroy Tashkent

      alternatively.

      2.0 put up government policies for sale
      2.1 actually implement the policies via hacked congress/senate computers
      2.2 get awards and celebrity for improving government transparency
      2.3 use new found celebrity

  • More than half of those listed are from other countries; not all are US .gov and .mil sites.

    • Re: (Score:1, Troll)

      by pitchpipe ( 708843 )

      More than half of those listed are from other countries; not all are US .gov and .mil sites.

      Yeah well my state is listed (http://www.utah.gov/) with full site admin control, so I guarantee a bunch of my info is up for sale. It's probably because the state government here usually pays its workers poorly, and I'm sure that goes for their IT people, so most likely you aren't getting the best candidates.

      It's the Republican's philosophy at work: pay the absolute bare fucking minimum no matter the cost.

      • You also forgot to say, they try to hire the dumbest people for those jobs too.
      • by tukang ( 1209392 )
        Why would any of your info be on the utah.gov web server?
        • Re: (Score:3, Informative)

          by peragrin ( 659227 )

          Exactly. most of these websites are on random hosted providers anyways.

          Now if they got IRS.GOV I might be concerned.

          • TLDs like .gov and .edu get a massive multiplier in Google's PageRank. Spamvertising effectiveness is therefore amplified in kind.

            On a more alarming note, the system may have been blessed in some manner that might make it useful as a launching point for attacking a more important site which might implicitly trust the hacked server due to its ownership or similar relationships. The most sensitive systems are completely firewalled and therefore inaccessible from the outside, and these systems might extend

  • Is it sad that my first thought was "good, now they can just buy the control back!"

    Not only do they get to find out what sites have vulnerabilities, but they can use the exchange to try to track down the perps at the same time.

  • Cabsec can fix this (Score:5, Interesting)

    by ka9dgx ( 72702 ) on Friday January 21, 2011 @05:07PM (#34959878) Homepage Journal

    Capability based security (Cabsec) can provide an OS with no exposed vulnerabilities. It's based on an L4 proven microkernel. The only problem is that it's vaporware.

    It doesn't have to be. The parts are starting to fall into place, but the open source community has to be made aware of the fact that it is possible to solve computer security, instead of patching it with layers of band-aids.

    • by Cyberax ( 705495 ) on Friday January 21, 2011 @05:37PM (#34960236)

      Nope, it won't help.

      Capability-based security omits one liiiiiiiittle detail: initial capability distribution. That's why most (all?) proofs of capability based security omit the initial image set up. That's the case with Coyotos and other OSes. Or in other words, the question is: should IAmEvilExecutable get CAP_ALL_ACCESS permission if a user starts it and grants it this permission?

      Another problem is that if I somehow inject myself into, say, a web server then I'll get access to all capabilities granted to this web server. Which is usually more than enough. The only 'fix' on the horizon for this problem is fully managed code (see: Singularity OS).

      • by ka9dgx ( 72702 )

        A web server process should only require:
        Read access to web content
        Read/Write access to an already opened internet connection
        Write access to a logging system process.

        If it only has those things, it can't do anything else, no matter how you crash the stack, etc.

        Capabilities aren't the same as privileges or SU flags... they are per resource, not levels.

        • by Cyberax ( 705495 )

          The web server will also require access to a database, which is more than enough for an attacker. So the attacker can then request http://your.server.com/IHaveHackedThisBox.html [server.com] and get a full database dump.

          In practice, your web server will probably also need permissions for outgoing connections. So if it's hacked then your computer can be part of a DDoSing botnet.

          • by dkf ( 304284 )

            In practice, your web server will probably also need permissions for outgoing connections. So if it's hacked then your computer can be part of a DDoSing botnet.

            That's actually pretty easy to manage: you firewall outgoing connections using a firewall that isn't on the same machine — actually, using a device whose management port isn't on the same network is most advisable — so that the webserver can only make outgoing connections to whitelisted sites. Typically, none of those need to be exposed to the outside world. If there's a need to support things like outgoing SMTP from the httpd, you use tricks like a firewall rule that rewrites all those connecti

      • by ka9dgx ( 72702 )

        Fully managed code is an interesting idea, but requires you to trust the code to do its job, and ONLY its job... it doesn't protect against design flaws, or the confused deputy problem.

        The only code that should be trusted in any computer is the microkernel in the OS.

        • If you are a large corp then you can afford to security audit your basic apps. If you run everything in a sandbox, with only the permissions it needs then the scope of problems is very small.
        • by Cyberax ( 705495 )

          Why? Capability-based security is trivial with the managed code. You just need to get rid of global shared resources and that's it.

          And since it's easy to verify managed code for correctness (i.e. that no buffer overflows or type confusions are possible), you can be sure that capabilities won't fall into wrong hands.

    • by Anonymous Coward

      Capability based security (Cabsec) can provide an OS with no exposed vulnerabilities. It's based on an L4 proven microkernel. The only problem is that it's vaporware.

      It doesn't have to be. The parts are starting to fall into place, but the open source community has to be made aware of the fact that it is possible to solve computer security, instead of patching it with layers of band-aids.

      There's a research project that managed to add it to FreeBSD fairly easily:

      http://www.cl.cam.ac.uk/research/security/capsicum/

      It's not a full blown system, but a userland library (with some kernel code) that allows applications to drop privileges/capabilities they do not need (e.g., gzip does not need to talk to the network or do I/O if it detects it's in the middle of a CLI pipe stream; tcpdump generally doesn't need to fork(2); etc.).

  • by phantomcircuit ( 938963 ) on Friday January 21, 2011 @05:14PM (#34959952) Homepage

    So either they actually have compromised all of those sites, OR they're phishing... hmm I wonder which it could be....

    • Obvious didn't RTFA is obvious.

      From TF Krebs A: I've seen some of the back-end evidence of his hacks, so it doesn't seem like he's making this up.

      OR they're phishing... hmm I wonder which it could be....

      Do you, perchance, work for the government?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Here is the Google cache of [hack_addicted.pt]'s forum post that shows you how to break into all the sites listed by Srblche by using HA's Online SQLi scanner.

      http://webcache.googleusercontent.com/search?q=cache:XU6t4iPLZLAJ:www.hackforums.net/showthread.php%3Ftid%3D977900+http://www.srblce.com&cd=6&hl=en&ct=clnk&gl=us

      I think the value of those 'hacked sites' just dropped by a few hundred dollars.
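Two points in this thread meet in one piece of code: the SQL injection that the linked scanner relies on, and Cyberax's objection that a compromised web handler holding a full database capability can dump the whole database with a single request. The example below is an added illustration, not code from the page, from Imperva, Krebs, or any of the posters. The schema, rows and payload are constructed for the demo; the hardened handler uses the real `sqlite3` authorizer hook (`Connection.set_authorizer`) as a stand-in for the capability attenuation ka9dgx describes, so that the handler's connection can only read the `pages` table no matter what SQL reaches it.

```python
import sqlite3

# Constructed sample database (not from the page): a public "pages" table the
# request handler legitimately needs, and a sensitive "users" table it never does.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(slug TEXT PRIMARY KEY, body TEXT);
        CREATE TABLE users(name TEXT, pw_hash TEXT);
        INSERT INTO pages VALUES ('home', 'Welcome'), ('about', 'About us');
        INSERT INTO users VALUES ('admin', '$2b$12$constructed-hash-for-demo');
    """)
    return conn

# Constructed injection payload: closes the quoted slug, UNIONs in a column from
# another table, and comments out the trailing quote.
SQLI_PAYLOAD = "x' UNION SELECT name || ':' || pw_hash FROM users --"

def vulnerable_page(conn, slug):
    """Injectable handler: SQL built by string formatting, run on a connection
    that carries ambient authority over every table in the database."""
    query = "SELECT body FROM pages WHERE slug = '%s'" % slug
    return [row[0] for row in conn.execute(query).fetchall()]

def _pages_read_only(action, arg1, arg2, dbname, source):
    """sqlite3 authorizer: permit SELECT statements and column reads on the
    'pages' table; deny everything else (other tables, writes, schema changes)."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == "pages":
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def attenuate(conn):
    """Turn a full-authority connection into a 'read pages only' capability.
    The authorizer is checked at statement preparation, so an injected query
    that touches 'users' fails before it executes."""
    conn.set_authorizer(_pages_read_only)
    return conn

def hardened_page(conn, slug):
    """Hardened handler: parameterised query (fixes the injection) on an
    attenuated connection (limits the blast radius if injection happens anyway)."""
    rows = conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchall()
    return [row[0] for row in rows]

def try_dump(conn):
    """Feed the injection through the *still vulnerable* string-built query, but
    on an attenuated connection, to show the capability limit holds on its own."""
    try:
        return vulnerable_page(conn, SQLI_PAYLOAD)
    except sqlite3.DatabaseError as exc:   # SQLITE_AUTH surfaces as DatabaseError
        return "denied: %s" % exc

if __name__ == "__main__":
    print("ambient authority + injection:", vulnerable_page(build_db(), SQLI_PAYLOAD))
    ro = attenuate(build_db())
    print("attenuated, normal request:   ", hardened_page(ro, "home"))
    print("attenuated, injected request: ", hardened_page(ro, SQLI_PAYLOAD))
    print("attenuated, unfixed query:    ", try_dump(ro))
```

The first line of output is Cyberax's scenario: one crafted request returns the credential row. The parameterised handler treats the payload as a literal slug and returns nothing, and the last line shows that even the unfixed string-built query cannot reach `users` once the connection has been attenuated; the two defences are independent, and a handler should have both.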

  • I tried to look up information on the Ouachita National Forest last year, and was warned by Google Chrome that the site was a potential malware host, with parts of the site coming from a .cn domain. I didn't push forward to the site to find out exactly what part of a .gov site would require .cn content.

    It looks like they've fixed it now, though I'm really not sure... this sensible URL [fs.fed.us] expands to a hundred character monstrosity [usda.gov] that's just begging for a reverse-engineering attack.

  • Disturbing... (Score:4, Interesting)

    by Sooner Boomer ( 96864 ) <sooner...boomr@@@gmail...com> on Friday January 21, 2011 @05:37PM (#34960242) Journal

    I don't know which is more worrying - that some of these sites are for sale, or how cheaply they're going for...

  • by Anonymous Coward on Friday January 21, 2011 @06:24PM (#34960846)

    The hacker's site is http://www.sbrlche.com/ [srblche.com].

    Quite easily googleable from the phrases in the screenshots!

  • ...but just because you can paint graffiti on it doesn't mean you can break in!
    • Yeah, but he claims that a lot of the sites on the list have "high-value information", and I assume that the mil/gov database information he claims to sell on the side are some sort of amalgamation of stuff like that he found. Like the US DoD "pharmacoeconomic center"? That could be sensitive stuff, I guess. Fortunately it looks like they took it down.
