Compromised Government and Military Sites For Sale
Khopesh writes "Imperva blogged today about the sale of compromised .gov, .mil, and .edu sites, illustrating that cyber-criminals are getting bolder. Krebs on Security has an unredacted view of the site list. Perhaps the biggest threat is yet to come; if an industrious criminal can break into top government and military sites, so too can government-backed teams, proving that GhostNet and Stuxnet are just the beginning."
Obvious (Score:4, Informative)
Wikileaks.mil!
Obvious (Score:2)
2. ?????
3. Profit!!!
Re: (Score:2)
2.0 Make a site about a new Congressional initiative to privatize Nuclear war.
2.1 provide demos for small money with hacked Nuclear bombs
2.2 embezzle the billions the enemy give you to destroy Tashkent
alternatively.
2.0 put up government policies for sale
2.1 actually implement the policies via hacked congress/senate computers
2.2 get awards and celebrity for improving government transparency
2.3 use newfound celebrity
Re: (Score:2)
Too late.
Not just .gov (Score:2)
More than half of those listed are from other countries; they are not all US .gov and .mil sites.
Re: (Score:1, Troll)
More than half of those listed are from other countries; they are not all US .gov and .mil sites.
Yeah well my state is listed (http://www.utah.gov/) with full site admin control, so I guarantee a bunch of my info is up for sale. It's probably because the state government here usually pays its workers poorly, and I'm sure that goes for their IT people, so most likely you aren't getting the best candidates.
It's the Republican's philosophy at work: pay the absolute bare fucking minimum no matter the cost.
Re: (Score:3, Informative)
Exactly. Most of these websites are on random hosting providers anyway.
Now if they got IRS.GOV I might be concerned.
Spamvertising, internal trust (Score:3)
TLDs like .gov and .edu get a massive multiplier in Google's PageRank. Spamvertising effectiveness is therefore amplified in kind.
On a more alarming note, the system may have been blessed in some manner that might make it useful as a launching point for attacking a more important site which might implicitly trust the hacked server due to its ownership or similar relationships. The most sensitive systems are completely firewalled and therefore inaccessible from the outside, and these systems might extend
Over 1 in 3 of the 27K city/county employees are making over $100K.
I think that ALL of them should make over $100k a year! If we could stop this fucking MASSIVE wealth redistribution from the middle class and the poor to the super rich (not paying sufficiently for work done by the sweat of the brow is just as bad if not worse than having to pay a little back in tax) we could afford something like this AND balance the budget. But sadly no. Republicans believe that they acquired their wealth with the help of NO ONE ELSE. Isn't that weird?
Hmm. How did that stuff arrive for
Re: (Score:1)
You're right. Everybody should make... (pinky to cheek) One Million Dollars per day.
That wouldn't create incredible inflation; everybody would still show up every day and get their jobs done and the entire economy wouldn't fail.
Simple economic solution (Score:2)
Is it sad that my first thought was "good, now they can just buy the control back!"
Not only do they get to find out what sites have vulnerabilities, but they can use the exchange to try to track down the perps at the same time.
Cabsec can fix this (Score:5, Interesting)
Capability-based security (Cabsec) can provide an OS with no exposed vulnerabilities. It's based on a proven L4 microkernel. The only problem is that it's vaporware.
It doesn't have to be. The parts are starting to fall into place, but the open source community has to be made aware of the fact that it is possible to solve computer security, instead of patching it with layers of band-aids.
Re:Cabsec can fix this (Score:4, Informative)
Nope, it won't help.
Capability-based security omits one liiiiiiiittle detail: initial capability distribution. That's why most (all?) proofs of capability-based security omit the initial image set-up. That's the case with Coyotos and other OSes. Or in other words, the question is: should IAmEvilExecutable get the CAP_ALL_ACCESS permission if a user starts it and grants it this permission?
Another problem is that if I somehow inject myself into, say, a web server, then I'll get access to all capabilities granted to that web server. Which is usually more than enough. The only 'fix' on the horizon for this problem is fully managed code (see: Singularity OS).
Re: (Score:2)
A web server process should only require:
Read access to web content
Read/Write access to an already opened internet connection
Write access to a logging system process.
If it only has those things, it can't do anything else, no matter how you crash the stack, etc.
Capabilities aren't the same as privileges or SU flags... they are per resource, not levels.
Re: (Score:2)
The web server will also require access to the database, which is more than enough for an attacker. The attacker can then request http://your.server.com/IHaveHackedThisBox.html [server.com] and get a full database dump.
In practice, your web server will probably also need permissions for outgoing connections. So if it's hacked, then your computer can be part of a DDoSing botnet.
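An added sketch (not from the thread or any project it names) of the capability split listed above and of the database point raised in this reply: the request handler is handed only a confined content reader, an append-only log writer and a database capability attenuated to one parameterised query, and has no ambient way to reach anything else. The content directory, table and file names are constructed for the example; an OS-level design like the ones discussed enforces this in the kernel, whereas here the discipline rests on the handler holding no other references.

```python
import sqlite3
import tempfile
from pathlib import Path

class ContentReader:
    """Read-only capability over one directory; paths that escape it are refused."""
    def __init__(self, root):
        self._root = Path(root).resolve()
    def read(self, rel):
        target = (self._root / rel.lstrip("/")).resolve()
        if target != self._root and self._root not in target.parents:
            raise PermissionError("path escapes content root")
        return target.read_text()

class LogWriter:
    """Append-only capability to one log file: the holder can write, never read."""
    def __init__(self, path):
        self._path = Path(path)
    def write(self, line):
        with self._path.open("a") as fh:
            fh.write(line + "\n")

class PageLookup:
    """Attenuated DB capability: one fixed parameterised query, no raw SQL at all,
    so a hijacked handler cannot turn it into a full database dump."""
    def __init__(self, conn):
        self._conn = conn
    def title(self, page_id):
        row = self._conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchone()
        return None if row is None else row[0]

def handle(path, content, log):
    """Request handler: it holds only the capabilities it is handed, nothing ambient."""
    try:
        body = content.read(path)
    except PermissionError:
        log.write("403 " + path)
        return 403, ""
    log.write("200 " + path)
    return 200, body

def build_fixture():
    """Constructed sample environment: a content dir, a log file and an in-memory DB."""
    root = Path(tempfile.mkdtemp())
    (root / "www").mkdir()
    (root / "www" / "index.html").write_text("<h1>Home</h1>")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO pages VALUES (1, 'Home')")
    return ContentReader(root / "www"), LogWriter(root / "access.log"), PageLookup(conn)
```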
Re: (Score:2)
In practice, your web server will probably also need permissions for outgoing connections. So if it's hacked, then your computer can be part of a DDoSing botnet.
That's actually pretty easy to manage: you firewall outgoing connections using a firewall that isn't on the same machine — actually, using a device whose management port isn't on the same network is most advisable — so that the webserver can only make outgoing connections to whitelisted sites. Typically, none of those need to be exposed to the outside world. If there's a need to support things like outgoing SMTP from the httpd, you use tricks like a firewall rule that rewrites all those connecti
Re: (Score:2)
Fully managed code is an interesting idea, but requires you to trust the code to do its job, and ONLY its job... it doesn't protect against design flaws, or the confused deputy problem.
The only code that should be trusted in any computer is the microkernel in the OS.
Re: (Score:2)
Why? Capability-based security is trivial with managed code. You just need to get rid of global shared resources and that's it.
And since it's easy to verify managed code for correctness (i.e. that no buffer overflows or type confusions are possible), you can be sure that capabilities won't fall into wrong hands.
Adding capabilities to an OS (Score:1)
Capability-based security (Cabsec) can provide an OS with no exposed vulnerabilities. It's based on a proven L4 microkernel. The only problem is that it's vaporware.
It doesn't have to be. The parts are starting to fall into place, but the open source community has to be made aware of the fact that it is possible to solve computer security, instead of patching it with layers of band-aids.
There's a research project that managed to add it to FreeBSD fairly easily:
http://www.cl.cam.ac.uk/research/security/capsicum/
It's not a full-blown system, but a userland library (with some kernel code) that allows applications to drop privileges/capabilities they do not need (e.g., gzip does not need to talk to the network or do I/O if it detects it's in the middle of a CLI pipe stream; tcpdump generally doesn't need to fork(2); etc.).
Obvious Scam is Obvious (Score:3, Insightful)
So either they actually have compromised all of those sites, OR they're phishing... hmm I wonder which it could be....
Re: (Score:2)
From TF Krebs A: I've seen some of the back-end evidence of his hacks, so it doesn't seem like he's making this up.
OR they're phishing... hmm I wonder which it could be....
Do you, perchance, work for the government?
Re: (Score:2, Informative)
Here is the google cache of [hack_addicted.pt]'s forum post that shows you how to break into all the sites listed by Srblche by using HA's Online SQLi scanner.
http://webcache.googleusercontent.com/search?q=cache:XU6t4iPLZLAJ:www.hackforums.net/showthread.php%3Ftid%3D977900+http://www.srblce.com&cd=6&hl=en&ct=clnk&gl=us
I think the value of those 'hacked sites' just dropped by a few hundred dollars.
Seen on US Forest Service site (Score:2)
I tried to look up information on the Ouachita National Forest last year, and was warned by Google Chrome that the site was a potential malware host, with parts of the site coming from a .cn domain. I didn't push forward to the site to find out exactly what part of a .gov site would require .cn content.
It looks like they've fixed it now, though I'm really not sure... this sensible URL [fs.fed.us] expands to a hundred character monstrosity [usda.gov] that's just begging for a reverse-engineering attack.
Disturbing... (Score:4, Interesting)
I don't know which is more worrying - that some of these sites are for sale, or how cheaply they're going for...
This is the hacker's site: (Score:3, Informative)
The hacker's site is http://www.sbrlche.com/ [srblche.com].
Quite easily googleable from the phrases in the screenshots!
But Cyber Warfare Risks are Overblown (Score:1)
It says so, right here:
http://www.informationweek.com/news/global-cio/security/showArticle.jhtml?articleID=229000789 [informationweek.com]
-AI
Re: (Score:2)
EMP would require an orbital nuclear weapon; that's a violation of so many international treaties that using it would cause WW3.
Web-Facing Sites are the outside of the Building.. (Score:1)