Hackers Breached US Army Servers

timothy posted more than 5 years ago | from the fine-line-between-clever-and-stupid dept.

Security 209

An anonymous reader writes "A Turkish hacking ring has broken into 2 sensitive US Army servers, according to a new investigation uncovered by InformationWeek. The hackers, who go by the name 'm0sted' and are based in Turkey, penetrated servers at the Army's McAlester Ammunition Plant in Oklahoma in January. Users attempting to access the site were redirected to a page featuring a climate-change protest. In Sept, 2007, the hackers breached Army Corps of Engineers servers. That hack sent users to a page containing anti-American and anti-Israeli rhetoric. The hackers used simple SQL Server injection techniques to gain access. That's troubling because it shows a major Army security lapse, and also the ability to bypass supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches."


209 comments


wood for the trees (0)

wjh31 (1372867) | more than 5 years ago | (#28129295)

when you are busy trying to defend against the most advanced crackers around, and whatever complex tools they are using, it's probably easy to overlook the simpler stuff

Re:wood for the trees (5, Insightful)

dk90406 (797452) | more than 5 years ago | (#28129395)

You are wrong on so many levels. If you can't even bother to protect against simple things as SQL injection, I have a nasty feeling about the overall security.
Why isn't classified information on a separate network, not connected to the Net? Please: this is not 1980 anymore - protect critical information seriously.

Re:wood for the trees (3, Insightful)

Anonymous Coward | more than 5 years ago | (#28129525)

How do you know that classified intelligence was even obtained? Why are you even assuming that the security of these servers, an ammunition plant and the Army Corps of Engineers no less, will have the same security as that of the Pentagon? Did it ever occur to you that perhaps the Army would appropriate security based on how vital their assets are?

Re:wood for the trees (4, Insightful)

Darkness404 (1287218) | more than 5 years ago | (#28130253)

Um, I'd say that any website from a personal website with nothing terribly important on it to the system used to launch nuclear weapons should guard against something as simple as SQL injection. Now, you might not want to have passwords 468000 characters long for a lower security website, but surely blocking SQL injection is something all websites should guard against.

Re:wood for the trees (5, Insightful)

kevin_conaway (585204) | more than 5 years ago | (#28129565)

> Why isn't classified information on a separate network, not connected to the Net

It is, in fact there are multiple, separate networks.

Other than the author repeating the word "sensitive" over and over again, there wasn't anything concrete in the article about whether the information was actually classified. I suspect it wasn't.

shhhhh (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28129759)

disinformation is a wonderful tool

Re:shhhhh (1)

Jurily (900488) | more than 5 years ago | (#28130643)

Unless the hackers got fake "classified" information only on display so they stop trying to get the real stuff, what the public knows probably doesn't matter much.

Re:shhhhh (1, Funny)

Anonymous Coward | more than 5 years ago | (#28130943)

Making up a lot of fake information worked very well for a while, but they seem to have lost track of what information was fake and what was not...

Re:wood for the trees (1)

Anonymous Coward | more than 5 years ago | (#28130181)

I doubt there is anything beyond general secret at McAlester. Those bomb designs are older than anybody on /.

Re:wood for the trees (4, Informative)

TinBromide (921574) | more than 5 years ago | (#28130605)

The US military has a (well, many) classified network and an unclassified network. All computing equipment has a little sticker on it that says that equipment is used for which (classified or unclassified) purpose. I'm sure that the hacked web servers all have a little blue sticker with white text that says that the server is to only work with unclassified info (websites, most likely). I wouldn't really call this a security breach any more than I'd call shoplifting a robbery. While yes, the web servers were indeed "hacked", it's not like that webserver was hosting top secret plans in pdf form for distribution purposes.

Re:wood for the trees (5, Informative)

HaZardman27 (1521119) | more than 5 years ago | (#28129747)

Sensitive does not mean classified. Sensitive could be as simple as a change in the dinner menu at the chow hall, which could suggest the arrival of important personnel. Classified information would not even exist on networks accessible via the internet.

Re:wood for the trees (3, Insightful)

HomelessInLaJolla (1026842) | more than 5 years ago | (#28130243)

That is not true. When you work for a military contractor you would be amazed at the amount of classified information which is available on the shared drives.

No--it is not directly available to the internet, but how many exploits does it take to hijack a browser and gain a command prompt or a vector to the injection of bytecode? How about hijack a browser and progressively insert holes in the compromised system until a backdoor can be opened? Sure, going to www.military-contractor.com and trying to force a way from their web server to their firewall to the internal network is difficult (though still not impossible), it is much easier to lace the 'net with booby traps. Think joke sites, humor sites, sites with flashplayer or java games or comics or even seemingly legitimate business presentations. How many exploits have we seen in codecs for music, even?

Classified information may not exist on systems you think are accessed from the internet--but classified information sure as heck exists on the drives shared to systems which are used as clients to the internet. There really is no difference once the fiber (or copper) is connected.

Re:wood for the trees (2, Informative)

AtomicDevice (926814) | more than 5 years ago | (#28129823)

Yeah, I used to work at a defense contractor and classified systems are on separate networks, and to my knowledge are universally separate from anything connected to the internet. Sensitive is the lowest (or maybe second lowest?) classification, so breaking into "sensitive" servers isn't a particularly big deal, although I guess they might eke something useful out of it. Is our biggest fear that attackers might learn the inner secrets of publicly available government websites? Basically anything that they don't explicitly publish falls into this category as far as I can tell.

Re:wood for the trees (2)

mlts (1038732) | more than 5 years ago | (#28130143)

Classified+ information isn't available off a webserver on the Internet. If it is, someone would be headed to the military prison at Leavenworth for a very long time.

Re:wood for the trees (0, Redundant)

santiagodraco (1254708) | more than 5 years ago | (#28130301)

Sensitive is NOT classified, they are entirely different levels. Also, this was a public website, not a "classified" network.

Re:wood for the trees (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28130309)

Um, sensitive information is on a separate network.

http://en.wikipedia.org/wiki/SIPRNET

I work at a network node for the U.S. Army. The security procedures that come down from the top are focused on preventing abusive access by employees. The various applications that we use to "prevent" malicious outside access are pretty trivial to defeat. It's no surprise when the lowest bidder gets to produce and/or implement the procedures and software.

Re:wood for the trees (0, Flamebait)

ground.zero.612 (1563557) | more than 5 years ago | (#28130393)

I am always surprised at the quickness at which /. tends to claim incompetency with news like this. My first thought was basically, "haha turks, you're a bunch of turkeys." As in, yay for hacking an intentionally hackable and most probably filled to the brim with mis-information networked computer. Please, you have the right to speak freely, and write freely. Thank the military for doing SOMETHING correctly, simply because you still have these rights.

Re:wood for the trees (0)

Anonymous Coward | more than 5 years ago | (#28129909)

I have worked with the U.S. Army "Network Engineers". I was appalled at their lack of knowledge and understanding of security.

Re:wood for the trees (2, Funny)

Anonymous Coward | more than 5 years ago | (#28129959)

I too can provide vague, uninteresting and falsified anecdotal evidence, look at me go!

In other words ... (4, Funny)

dkleinsc (563838) | more than 5 years ago | (#28129327)

as usual, military contracting companies provided over-hyped shoddy work to the military, who either didn't know better or didn't care.

Of course, I thought it was going to be as simple as knowing that the password was "Joshua".

Re:In other words ... (4, Funny)

Shakrai (717556) | more than 5 years ago | (#28129371)

> Of course, I thought it was going to be as simple as knowing that the password was "Joshua".

Actually it's "joshua". Mr. Falken was lazy and didn't like having to reach for the shift key ;)

Re:In other words ... (0)

Anonymous Coward | more than 5 years ago | (#28129429)

A lot of defense spending is basically taxpayers helping out some overpaid well-connected idiots.

Re:In other words ... (1)

HaZardman27 (1521119) | more than 5 years ago | (#28129873)

And you would know this how?

Re:In other words ... (1)

Captain Splendid (673276) | more than 5 years ago | (#28130001)

> And you would know this how?

Well said. If GP was correct, the US wouldn't have much to show for the trillions it spends. Since they have the capability to destroy the planet several times over, obviously the money was well spent.

Re:In other words ... (1)

dkleinsc (563838) | more than 5 years ago | (#28130033)

How about this then: In 1965, we had the capability to destroy the planet several times over in a matter of a few hours. In 2005, we had the capability to destroy the planet several times over in a matter of a few hours. What exactly did we gain for our trillions of dollars spent between 1965 and 2005?

Re:In other words ... (1)

internerdj (1319281) | more than 5 years ago | (#28130101)

The ability to narrow it down a bit. As much of a deterrent it is to be able to vaporize the planet, it is much nicer to vaporize the bits you want and say not vaporize your own family in the process of vaporizing your enemy.

Re:In other words ... (2, Funny)

Dishevel (1105119) | more than 5 years ago | (#28130177)

Yeah! In 3500BC we had the ability to kill shit. In 2009 we have the ability to kill shit. What exactly did we gain?

See I too can just over simplify stuff till my point seems reasonable.

Re:In other words ... (2, Insightful)

tsm_sf (545316) | more than 5 years ago | (#28130463)

> Yeah! In 3500BC we had the ability to kill shit. In 2009 we have the ability to kill shit. What exactly did we gain?

You're making an entirely different point from the one you think you're making.

Re:In other words ... (1)

networkBoy (774728) | more than 5 years ago | (#28130399)

weapons age and must be refreshed, much like computers.
target acquisition systems get better and should be upgraded/replaced (now we can destroy the world several times over to a precision of < 1m Vs ~1Km)
enemies get better defenses requiring an increasingly better offense to stay at parity.

Re:In other words ... (1)

ultranova (717540) | more than 5 years ago | (#28130875)

> Well said. If GP was correct, the US wouldn't have much to show for the trillions it spends. Since they have the capability to destroy the planet several times over, obviously the money was well spent.

You lost the Vietnam war and haven't captured Osama yet.

Besides, how do you know the US has the capability to destroy the planet several times over? The army can't be trusted to be unbiased on their reporting, because they have an obvious incentive to make it seem that funding was well-spent rather than wasted, even if this is not the case.

Besides, I'd say that being able to destroy the planet several times over means that you've wasted most of that money, unless you expect your enemy to spontaneously resurrect ;).

I know this is old but, (5, Funny)

Anonymous Coward | more than 5 years ago | (#28129347)

All your base are belong to us

Re:I know this is old but, (0)

Anonymous Coward | more than 5 years ago | (#28129889)

Insightful!! LOL!! Hats off to slashmods hahahaha ROFL!!

Re:I know this is old but, (0)

Anonymous Coward | more than 5 years ago | (#28130623)

They're my mod points I'll use them as I see fit

No it isn't (1)

avandesande (143899) | more than 5 years ago | (#28129381)

> That's troubling because it shows a major Army security lapse, and also the ability to bypass supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches.

Who knows where these outward facing servers reside? Having outward websites vandalized says nothing about the security of an organization's networks.

Wait... (0, Flamebait)

TheSpoom (715771) | more than 5 years ago | (#28129387)

The US Army uses Windows servers?

Re:Wait... (3, Interesting)

JWSmythe (446288) | more than 5 years ago | (#28129813)

This isn't too hard to find out. Look for GS military IT jobs, and see what they're hiring for. Lots of Windows crap. They still do have *nix positions, just not as many.

Of course, a 1 admin to 10 windows machine ratio is acceptable, as a 1 admin to 50 Linux machine ratio is acceptable. They have a LOT of workstations out there that need tending to.

   

Re:Wait... (1)

Finallyjoined!!! (1158431) | more than 5 years ago | (#28129997)

The Royal Navy now uses Windows for Warships :-(

Re:Wait... (5, Funny)

Obfuscant (592200) | more than 5 years ago | (#28130675)

> The Royal Navy now uses Windows for Warships :-(

Don't you mean "Windows For Warcraft"?

Amateurs (4, Funny)

Kensai7 (1005287) | more than 5 years ago | (#28129399)

If they want to prove a point they have to stop targeting US Defense facilities. Hack a serious portal like Slashdot if you can! Ha!

Re:Amateurs (1)

Captain Splendid (673276) | more than 5 years ago | (#28130037)

I know you were going for funny, but it's true. If there were any real uberhackers out there, someone would've dropped some serious ordnance on the White House by now. Or the Knesset. I'd even accept Rush Limbaugh or Rosie O'donnell. But some pokey low-importance defence servers? Yeah, amateurs.

Re:Amateurs (3, Informative)

mlts (1038732) | more than 5 years ago | (#28130549)

Actually, if someone did a show-stopper like that it would be a bad thing for everyone. It would provide the impetus for the Internet to be split up into separate non-connected networks and walled gardens. These wouldn't be "mere" firewalls, these would be networks that would be either running a new (or old) network protocol (IPX is an example) or a non routable protocol such as NetBEUI (Don't confuse NetBEUI with NetBIOS... NetBEUI is the transportation and is obsolete, as TCP/IP has completely taken over that communication layer function) or Appletalk.

Right now, a black hat can sit at his/her computer, and connect on the same network to virtually anything. Should people get too upset and knee-jerkish about a War Games scenario, he or she would have to spend a lot of time and effort trying to get gateways working to networks that have completely different protocols (IPX, VINES) in the effort to try to attack machines.

Compared to the past, a dedicated cracker just needs to focus on a relatively small part of an OS or a service like Apache, IIS, or SQL Server for great gains. In the past, one had to jump from DECNet to BITNET to NSFNet, perhaps going through multiple UUCP hops if the boxes were moving mail via store and forward and modems. Almost no host or network was the same as another, so a generic "script kiddy" who could run a prepackaged toolkit against a random company didn't exist back then.

Re:Amateurs (1)

jeff4747 (256583) | more than 5 years ago | (#28130839)

> These wouldn't be "mere" firewalls, these would be networks that would be either running a new (or old) network protocol (IPX is an example) or a non routable protocol such as NetBEUI

Um....no

If the networks are not supposed to interoperate, you just don't connect them in the first place. You don't do something as dumb as relying on an old protocol to prevent access.

Amazing. (4, Interesting)

DoofusOfDeath (636671) | more than 5 years ago | (#28129431)

Pardon the rant, but can anyone tell me why we're still having people write code that is subject to SQL injection attacks?

I mean, sometimes potential buffer overflows in C/C++ programs can be tricky to notice. Writing threading code that's not subject to deadlock or starvation can often be a challenge.

But isn't code that's subject to SQL injection attacks just blindingly, amazingly obvious at first glance?

Re:Amazing. (2, Informative)

Anonymous Coward | more than 5 years ago | (#28129657)

Yes and No. If I want to have a program that I pass SQL queries to and it returns either safe or unsafe that is not a computable problem. There is no way to tell if a query is good or bad without context. That being said there are things like prepared statements that give the statements context, that is explicitly stating which parts of the query are control statements and which are data.

In a simple system you are correct but in a system of even moderate complexity telling if code is vulnerable to SQL injection becomes non-trivial. When you have to dig through 5 levels of inheritance several times to hunt down all the places where the query is actually formed it's not all that simple.

Re:Amazing. (1)

DoofusOfDeath (636671) | more than 5 years ago | (#28130021)

> Yes and No. If I want to have a program that I pass SQL queries to and it returns either safe or unsafe that is not a computable problem.

Are you sure? Your statement would only be obviously true if a single SQL statement can be a Turing-complete language.

Re:Amazing. (1)

againjj (1132651) | more than 5 years ago | (#28130699)

> Yes and No. If I want to have a program that I pass SQL queries to and it returns either safe or unsafe that is not a computable problem. There is no way to tell if a query is good or bad without context. That being said there are things like prepared statements that give the statements context, that is explicitly stating which parts of the query are control statements and which are data.
>
> In a simple system you are correct but in a system of even moderate complexity telling if code is vulnerable to SQL injection becomes non-trivial. When you have to dig through 5 levels of inheritance several times to hunt down all the places where the query is actually formed it's not all that simple.

Perl taint mode. Sure, it is conservative, but if taint is complex enough that it does work, then I wouldn't trust a person to get it right with 100% accuracy.

Re:Amazing. (4, Insightful)

Lord Ender (156273) | more than 5 years ago | (#28129697)

How do you know the code was recently written? More likely, the app was written years ago, before the phrase "sql injection" was even coined.

Re:Amazing. (1)

JWSmythe (446288) | more than 5 years ago | (#28129969)

Well, before they started calling it SQL injection, it was just invalid input. Since I was programming for an audience of millions, if even 0.1% of them were script kiddies, and 0.01% of them were good, my servers would have a life expectancy of days at most.

What's the big difference between:

    SELECT user FROM auth WHERE username = 'foo';DROP TABLE auth;

and

(please forgive me for how wrong this is)

    $result = `grep %in{search} *.txt`;

Where $search is "; sudo cat /dev/zero > /dev/sda ;"

Just the degree of damage. If people would learn that not everyone plays nice, there would be less holes to fix later. Sometimes that's hard to explain until your first client gets really mad because you failed to validate an external input. Of course, I'll always be more than happy to say "didn't I tell you to always validate and sanitize your user input?" :)

   

Re:Amazing. (1)

Lord Ender (156273) | more than 5 years ago | (#28130359)

The way to protect against sql injection is not to "validate external input." It is to pass the external input to the database after telling the database what that external input should be representing (sql parameterization). Let the database decide if it is valid or not.

If you try and reinvent the wheel in every app, you will certainly make a mistake at some point. The guys who wrote the DB know more about this than you do; let them handle it.
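
The parameterization point made in the comment above, applied to the statement quoted earlier in the thread, as an added example that is not part of any poster's comment. It uses Python's sqlite3 with a constructed in-memory table; the function names and sample rows are assumptions, and `executescript()` stands in for a driver that accepts several statements per batch.

```python
import sqlite3

# Input that yields the statement quoted earlier in the thread
# ("... WHERE username = 'foo';DROP TABLE auth;") once it is spliced between quotes.
HOSTILE_INPUT = "foo';DROP TABLE auth;"


def make_db():
    """Constructed sample data: an in-memory auth table (not from the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth (username TEXT PRIMARY KEY, user TEXT)")
    db.executemany(
        "INSERT INTO auth VALUES (?, ?)",
        [("foo", "Foo User"), ("o'brien", "Pat O'Brien")],
    )
    db.commit()
    return db


def table_exists(db, name):
    """True if a table with this name is still present in the database."""
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_concatenated(db, username):
    """'Before' form: the input is pasted into the SQL text, so the database
    cannot tell data from statements. Returns (sql_sent, error_or_None)."""
    sql = "SELECT user FROM auth WHERE username = '" + username + "';"
    try:
        db.executescript(sql)  # runs every statement found in the text, in order
        return sql, None
    except sqlite3.Error as exc:
        # A parse error in a later statement does not undo earlier ones.
        return sql, str(exc)


def lookup_parameterized(db, username):
    """'After' form: the SQL text is fixed and the input is bound as one value."""
    rows = db.execute(
        "SELECT user FROM auth WHERE username = ?", (username,)
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run both forms against fresh copies of the sample table."""
    results = {}

    db = make_db()
    results["param_hostile_rows"] = lookup_parameterized(db, HOSTILE_INPUT)
    results["param_table_intact"] = table_exists(db, "auth")
    # A legitimate value containing a quote needs no special handling.
    results["param_apostrophe_rows"] = lookup_parameterized(db, "o'brien")
    # The same legitimate value breaks the concatenated form outright.
    _, results["concat_apostrophe_error"] = lookup_concatenated(db, "o'brien")
    db.close()

    db = make_db()
    results["concat_sql"], _ = lookup_concatenated(db, HOSTILE_INPUT)
    results["concat_table_intact"] = table_exists(db, "auth")
    db.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The bound value is compared against the `username` column as a single string, so it matches no row and the table is untouched; in the concatenated form the same bytes become additional statements.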

Re:Amazing. (2, Funny)

Anonymous Coward | more than 5 years ago | (#28129785)

I'd like you to stop by my work and bludgeon a few developers of mine over the head, if you would. Seems they're all too busy posting on a site called "BackSlash" or something to check their code.

I thought Information Week was sensible. (5, Insightful)

goldaryn (834427) | more than 5 years ago | (#28129443)

So much for Information Week being reasoned and sensible.

"Equally troubling is the fact that the hacks appear to have originated outside the United States. Turkey is known to harbor significant elements of the al-Qaida network. It was not clear if "m0sted" has links to the terrorist group."

Hooray for sensationalism!

Information Week was hacked! (0)

Anonymous Coward | more than 5 years ago | (#28129699)

By a mysterious terrorist collective that goes by the name of "mAkeslashd0teditorsl00kg00dbyc0mparis0n" who over hypes to the extreme while conflating sql injection attacks with the evil weapon of mass destruction SQL Server made by rogue nation-state Microsoft.
 

Re:I thought Information Week was sensible. (1)

forgottenusername (1495209) | more than 5 years ago | (#28130035)

Yeah, that's pretty terrible. You can be equally unclear if they had links to Nazism, or the Republican National Committee. Too bad spinspotter dotbombed - http://spinspotter.com/ [spinspotter.com]

Re:I thought Information Week was sensible. (1)

rivetgeek (977479) | more than 5 years ago | (#28130581)

BREAKING! THIS JUST IN! There is no evidence to prove the hackers were not, in fact, members of the elite "girl scouts".

Front end compromise... (4, Interesting)

Manip (656104) | more than 5 years ago | (#28129461)

I'm just playing devil's advocate but who puts their public website inside their defences?

I know it is an extremely common practice in this country to actually put sites like these on standard third party hosting services (e.g. Rackspace).

They set them up to be as secure as other e-commerce sites, so fairly secure, but without having to poke holes in a nice heavy firewall.

Re:Front end compromise... (1)

royallthefourth (1564389) | more than 5 years ago | (#28129931)

The hosting situation has nothing to do with the SQL injection. This is a software problem caused by coders who don't know the proper way to interact with a relational database when receiving input from a user. This software would be insecure when turned toward the public under any circumstances.

Re:Front end compromise... (1)

Manip (656104) | more than 5 years ago | (#28130137)

My point was less about the severity of the compromise and more about the nature of it being on "US Army Servers." I was just trying to show the distinction between the public facing kind of "US Army Servers" and the behind the scenes equipment that one might hope was secure.

SQL injections are fairly common, as have been buffer overflows. But while companies have responded to buffer overflows by making better compilers, better frameworks, and even new CPUs there has only been a slow crawl to a better way to write SQL statements to make SQL injection more difficult.

Some frameworks support Parameters but they're still largely rare (both usage or support) with most people still attempting to write SQL statements with data embedded directly.

Re:Front end compromise... (1)

whitefang1121 (1432411) | more than 5 years ago | (#28130185)

> I'm just playing devil's advocate but who puts their public website inside their defences?

George W. Bush that's who

Hyperbole? (5, Insightful)

mpapet (761907) | more than 5 years ago | (#28129483)

I didn't bother to RTFA, but summary is inflammatory at best.

A public-facing, high-profile (perception) server gets compromised? That's not news.

Let's say it is news for a minute. What was the budget for this public-facing project? This is not a "major Army security lapse" by any stretch of the imagination.

Of course, my line of thinking wouldn't be widely accepted because it ignores the emotional response that the summary probably provokes in most people.

Basic Security Principles (0)

Anonymous Coward | more than 5 years ago | (#28129555)

A chain is not stronger than its weakest link.

A simple and powerful principle when dealing with security, whatever side of the law or order you are.

Re:Basic Security Principles (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28130357)

Unless of course that weakest link lies outside of the circle of trust, making it just like any other link not part of the chain, whereby breaking said link in no way negatively affects the structural integrity of the aforementioned chain.

any good military has (1)

circletimessquare (444983) | more than 5 years ago | (#28129557)

1. good tactics
2. the ability to adapt new tactics as previously good tactics become irrelevant

one way a tactic becomes irrelevant is changing battlefield conditions. you don't fight in a swamp the way you fight in a desert, for instance

well, the internet is a valid battlefield. and you fight on it with new tactics. it remains to be seen now if the us military understands that

1. it needs to take this battlefield seriously
2. it can develop good tactics to fight on this battlefield

but as it stands now, a bunch of teenagers are thoroughly and repeatedly trouncing the us military

Re:any good military has (0)

Anonymous Coward | more than 5 years ago | (#28129659)

> but as it stands now, a bunch of teenagers are thoroughly and repeatedly trouncing the us military

By doing the equivalent of spraypainting graffiti on the fences of US Military bases.

a different war has different goals (2, Interesting)

circletimessquare (444983) | more than 5 years ago | (#28129995)

the battle on the web is one of image and a communication capability and integrity. if the enemy can thoroughly trounce the image and capability of the military on the web, then that is a battlefield which is a valid battlefield and which has been won by the enemy. you thoroughly reject the validity of this battlefield. you are thoroughly wrong and woefully behind the times

your allegory of spraypainting graffiti on fences is inaccurate. it would be more accurate to say every flag in every corridor were turned into the nazi flag and every manual in every shelf were turned into mao's little red book, and every directive and nonsecure communication were replaced with the speeches of tokyo rose

the scale and the morale effect is a lot larger than you suppose, and the effect on nonessential, and sometimes even essential communication channels is game-changing

get with the times. it matters a hell of a lot more than you think and it will only continue to matter more. it is often said that the wars in the middle east are about winning hearts and minds. image control in that regard matters crucially. it does no good to project an image of incompetence, to give the enemy something to celebrate in terms of david beating goliath

and this isn't even a new concept. it is valid in a million examples pre-internet. for one, consider the doolittle raid on tokyo after pearl harbor: completely tactically pointless. but in terms of morale boost for the usa, and morale killer for the enemy, it was huge. this is the exact same dynamic going on with the ability of teenagers to deface the military's presence on the internet, nevermind their ability to infiltrate actual essential communication, which you don't even consider to be a possibility

well you can bet russia and china are considering that possibility, and may even have contingencies and capabilities in place to do exactly that while you snooze and act dismissive about what is going on here in terms of infiltration. you snooze you lose. right now, you are comatose

Re:a different war has different goals (1)

tcopeland (32225) | more than 5 years ago | (#28130343)

> if the enemy can thoroughly trounce the image and capability of the military on the web,

Another variant on this is "lawfare", where you use the laws of a country against them. Boumediene v. Bush [wikipedia.org] is prime fodder for this.

Along the lines of what you were saying, Robert Coram's book about Medal of Honor recipient Colonel Bud Day [militarypr...glists.com] talks about how the North Vietnamese would show the POWs videos from back home to show that resistance was hopeless - e.g., John Kerry's testimony before the Senate. Same kind of thing... "mediafare" or something.

Re:a different war has different goals (0)

Anonymous Coward | more than 5 years ago | (#28130591)

Who the hell looks at the website of a munitions plant or the Army Corps of Engineers anyway? You're assuming the US lost the image war because of a defaced website that no one had any remote interest in visiting. You'd have a point if they hit army.com or any other military high traffic target. But no, they didn't.

Your analogy is inaccurate too. They only defaced a single obscure website no one visits. They managed to replace a couple of our flags with Nazi flags. I guess we're fucked now.

Re:any good military has (0)

Anonymous Coward | more than 5 years ago | (#28129701)

Um...no.

If they had managed to get past a single firewall or router, I would be impressed. As it stands, they redirected links on a public facing webserver...yawn. I work with hundreds of other IT techs whose job it is to monitor the Army network down to every single interface and we do it 24/7.

Re:any good military has (3, Interesting)

cdrguru (88047) | more than 5 years ago | (#28129787)

The US military is pretty much incapable of fighting a guerrilla war where the combatants are intermixed with civilians and civilian casualties are forbidden. It made Vietnam very difficult and it has made Iraq difficult as well.

What we have is a guerrilla war against hackers where they are effectively shielded in most cases by the ISP and their own country's law enforcement. The end result is almost an unwinnable war.

We are winning in Iraq by ending the use of civilians as shields. We won in Vietnam by separating the combatants from the civilians. It is going to take that sort of effort to win against hackers, crackers and identity thieves. Unfortunately, right now the effort required to do this is intense enough that it is many, many times the losses so far. So I don't think they are going to do anything until the losses mount up a lot more.

What makes this worse is in order to effectively combat these people it is going to take either the cooperation of foreign law enforcement or just going around them. Neither one is going to make these other countries want to be our friends, but they seem to be happy with the hackers running around doing whatever.

goalposts. deliverables. (1)

circletimessquare (444983) | more than 5 years ago | (#28129843)

the goals in iraq and vietnam are different than that on the web. in iraq and vietnam you have to go out there and police the countryside. on the web, you just have to hunker down and prevent intrusions. it's the difference between riding out into the countryside and battening down the hatches on the castle. it's a lot easier to secure a castle than police the entire countryside

Re:any good military has (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28130013)

The US (I presume that's who you're referring to) won in Vietnam? By whose estimation?

Re:any good military has (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28130503)

[...] We won in Vietnam [...]

Sorry, but either you watched too many movies or you failed all your history classes.

No matter what Rambo, Forrest Gump and Doctor Manhattan did, the US lost the war in Vietnam.

Re:any good military has (1)

JBdH (613927) | more than 5 years ago | (#28130683)

We are winning in Iraq by ending the use of civilians as shields. We won in Vietnam by separating the combatants from the civilians.

I didn't know the Viet Cong was operating in Iraq.

Re:any good military has (0)

Anonymous Coward | more than 5 years ago | (#28129985)

These were not "Army" sites and they are not maintained or administered by soldiers. One is for a munitions plant where the government owns the facility but it is leased to a private company who operates it for the government. The other is for the Corps of Engineers, the guys who do things like make sure dams don't have any leaks.

Re:any good military has (1)

rampant poodle (258173) | more than 5 years ago | (#28130369)

Continuing the military analogy... What great battles have been won purely by defense? Denying yourself the ability to "reach out and touch someone" will always give the advantage to those who seek to blow you up -- or to bring your server down.

pfffft (1)

TheRealMindChild (743925) | more than 5 years ago | (#28129591)

This is what you get when you recruit kids out of high school and renege on the promise of the money they will get for joining up. It is communism-on-a-stick. Where is the motivation to do well?

SQL Injection? *Yawn* (4, Funny)

Rayeth (1335201) | more than 5 years ago | (#28129599)

I think using SQL injection hasn't qualified as "hacking" since it showed up on XKCD.

Re:SQL Injection? *Yawn* (0)

Anonymous Coward | more than 5 years ago | (#28129827)

In the same way, I wouldn't consider a thief walking into your unlocked house and stealing all your stuff to be breaking into your house.

If you are stupid enough to not lock your doors...

I'm not saying that it isn't still illegal or wrong, but you can do things to protect yourself.

Re:SQL Injection? *Yawn* (1)

BobMcD (601576) | more than 5 years ago | (#28129957)

Meh. Locking your doors only means paying to replace a broken window along with your missing stuff. If the thief is determined, that is.

Re:SQL Injection? *Yawn* (1)

againjj (1132651) | more than 5 years ago | (#28130743)

Some companies do not consider you to have done due diligence if you do not lock up. That is why I always lock the doors of rental cars, even though I don't lock my car's doors. I would also check your homeowners insurance policy for door locking.

Microsoft SQL Server (1)

akabigbro (257295) | more than 5 years ago | (#28129741)

Hmm... Not surprised.

This (0)

Anonymous Coward | more than 5 years ago | (#28129757)

Makes my balls itch.

the only winning move is not to play (1)

senorpoco (1396603) | more than 5 years ago | (#28129791)

Start by protecting against the simple stuff and work up.

Oh noes (1)

iPhr0stByt3 (1278060) | more than 5 years ago | (#28129799)

Oh no, they redirected web users. My goodness, does this mean we'll see missiles flying overhead soon?
Seriously, every department in the world has trojans in some form "inside the network". But retrieving the secretary's mail and retrieving classified information are different things. Albeit, redirecting users IS a mediocre risk, but since when does /. care about mediocre over-hyped news?

Sensitive? (1)

stuntpope (19736) | more than 5 years ago | (#28129817)

It appears the servers in question were used for serving up web sites. Probably publicly-facing web sites. So, what sensitive information was at risk? There are already regulations about what content can be approved to sit on a DoD server with a publicly-facing web site.

Policies that are better. (1)

Celeste R (1002377) | more than 5 years ago | (#28129841)

Cue a new cold war information protection policy! Dibs on the grey goo defense!

Again????? (3, Insightful)

Runaway1956 (1322357) | more than 5 years ago | (#28129849)

Again?

Slashdot requires you to wait longer between hitting 'reply' and submitting a comment.

It's been 17 seconds since you hit 'reply'.

Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator.

So, what do I need to do, type really really slow?

Re:Again????? (0)

Anonymous Coward | more than 5 years ago | (#28130811)

It's the SlashdotWave ;-)

Re:Again????? (1)

commodoresloat (172735) | more than 5 years ago | (#28130821)

So, what do I need to do, type really really slow?

Maybe you can package your comment as the payload of an SQL injection?

Script kiddies at work, nothing new (0)

Anonymous Coward | more than 5 years ago | (#28129859)

Sounds like little more than defacing public military websites to boost their "1337" egos. The real hacks, the serious ones, are the ones you never hear about because the perpetrators are smart enough to not go around publicly proclaiming that they broke in.

Cyber Security Cadence (3, Funny)

Ukab the Great (87152) | more than 5 years ago | (#28129951)

I don't know what I've been told
But Army server's are quickly pwned
You don't need some high-tech decryption machine
Just a string with a semi-colon in between
I don't know what I will find
When good Army hacker's have resigned
We'll have a good laugh when some bored kid in China
Posts photos of Gen. Petraeus with a vagina

Re:Cyber Security Cadence (0)

Anonymous Coward | more than 5 years ago | (#28130489)

Your cadence's rhythm is terrible and you put unnecessary apostrophes in your plurals.

defcon 5 (0)

Anonymous Coward | more than 5 years ago | (#28130129)

come on people, sql injection attack == hackers? plz web server defraud is only for even more sad audience who thinks it's a form of hacking

kthx (0)

Anonymous Coward | more than 5 years ago | (#28130201)

penetrated servers at the Army's McAlester Ammunition Plant in Oklahoma in January. Users attempting to access the site were redirected to a page featuring a climate-change protest.

Thanks for the info, Turkish crackers, I didn't know the Army had an ammo plant in OK. That will be useful info.

Big Deal (2, Insightful)

BlowHole666 (1152399) | more than 5 years ago | (#28130221)

Ok so someone defaced a website used by the US Army. How do we know that the website is not hosted by a 3rd party provider? Also how are we sure that sensitive information and the website are on the same network? Also the army may not have coded the website so it could have just been piss poor coding by a 3rd party web developer and not the contractor who codes the programs that control the sensitive information.

In other words just because the front end website for the Army got defaced that means nothing. It is like defacing the IRS website. It means nothing till you have people's tax returns being rerouted to your personal bank account.

You think they would learn (1)

gubers33 (1302099) | more than 5 years ago | (#28130479)

After the Decepticons hacked in and stole all that info from Captain Witwicky, that they would secure their information better.

What the hell are (0)

Anonymous Coward | more than 5 years ago | (#28130527)

SQL *Server* injection attacks? /. doesn't know the difference between SQL and SQL Server, really?

Mass Defacement Contest (1)

eulernet (1132389) | more than 5 years ago | (#28130545)

Turkish hackers are well known to compete on mass defacement contests.

When preparing a contest, they scan all IPs to locate vulnerable sites.
When the contest starts, they deface the maximum number of sites in a given amount of time (probably one hour in this case).
They always go for the quickest way to hack a site, and so, they are not really hackers but script-kiddies.

TFA is completely bullshit, since the hackers don't care about the content of the sites.

BTW, why does the army still keep vulnerable Windows servers reachable on the Internet?

Ho hum (5, Insightful)

bartwol (117819) | more than 5 years ago | (#28130609)

Web server page redirection? Should that scare me? I mean, it's not quite as if somebody smuggled munitions or fired a weapon.
"Oh...but the breach reveals the military's vulnerability."
Does it? To what?
Answer: To webserver page redirection.
Might there be greater risk here? Perhaps. But no evidence was presented to indicate that. Get back to me when you've identified a MATERIAL RISK, not merely a TECHNICAL VULNERABILITY.
As for those of you who have hopes and expectations that ALL THINGS MILITARY will be secure...WTF?

ONOES! (1)

Morphine007 (207082) | more than 5 years ago | (#28130637)

Users attempting to access the site were redirected to a page featuring a climate-change protest.

OHNOES! They breached the admin net!

There's a reason why the protected A/B network is accessible to the intarwebs and the L2 or higher networks are not. This may be interesting from a hacktivism standpoint... but it's not terribly newsworthy... or, at least, it's not got nearly as much shock value as the summary purports it to have.
