Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Royal Navy Website Hacked, Passwords Revealed

CmdrTaco posted more than 3 years ago | from the injection-infection dept.

Security 114

An anonymous reader writes "The British Royal Navy's website has been suspended after a Romanian hacker exploited SQL injection vulnerabilities to gain access to the site. The hacker, named 'TinKode,' accessed usernames and passwords used by the site's administrators and published them on the web. TinKode's attack is 'particularly embarrassing for the British Ministry of Defence, as just last month protecting against cyber attacks was declared in the National Security Strategy to be a "highest priority for UK national security."'"

Sorry! There are no comments related to the filter you selected.

Oops (5, Funny)

16Chapel (998683) | more than 3 years ago | (#34161678)

"Lieutenant Droptables please report to the bridge".

Re:Oops (2, Informative)

Dancindan84 (1056246) | more than 3 years ago | (#34161710)

More like:
"Lieutenant and password = '*'; please report to the bridge."

Re:Oops (0, Offtopic)

suso (153703) | more than 3 years ago | (#34161722)

report to the bridge to see Major Dix. Oh wait, this is the Navy, not the Army.

Re:Oops (0)

Anonymous Coward | more than 3 years ago | (#34162306)

Little Bobby Tables went into the Royal Navy?

Re:Oops (0)

Anonymous Coward | more than 3 years ago | (#34162706)

The RN has history of rather severe punishments for incompetence.
http://en.wikipedia.org/wiki/John_Byng#Clemency_denied_and_execution

i bet changing the code was too much trouble (3, Insightful)

alen (225700) | more than 3 years ago | (#34161694)

we had this happen a few times and every time you go back to the developers who coded the website they always complained how it would take them too much time to change the code. even though changing the database permissions would be a snap

something for nothing (1)

CarpetShark (865376) | more than 3 years ago | (#34162668)

"it would take them too much time to change the code...unless you choose to value their extra work and pay them for it, instead of expecting to piggy-back it onto the previous job."

Fixed that for you.

Re:something for nothing (4, Insightful)

IshmaelDS (981095) | more than 3 years ago | (#34162796)

"it would take them too much time to change the code...that should have been coded properly to begin with." Fixed that for you.

Re:something for nothing (1)

CarpetShark (865376) | more than 3 years ago | (#34162972)

Good point :) The way GGP wrote it though, it seemed like he was talking about general web bugs rather than security. It's pretty unfathomable that you'd take "it would be too much work" as an excuse for not securing a site against providing public access to its database.

Details (4, Informative)

muckracer (1204794) | more than 3 years ago | (#34161712)

http://pastebin.com/raw.php?i=M2MUEdv4 [pastebin.com]

Fire up your rainbow tables :-)

Re:Details (3, Informative)

Anonymous Coward | more than 3 years ago | (#34161836)

Wow, I haven't seen that ASCII art chick since the early 90s when I would hang out on questionable BBSs :)

Re:Details (2, Funny)

Monkeedude1212 (1560403) | more than 3 years ago | (#34162212)

She's filled out nicely.

Re:Details (0)

Anonymous Coward | more than 3 years ago | (#34161882)

Yea, so the admin password to the database was 'ppp'. Don't really need rainbow tables for that one.

Re:Details (1)

bsharp8256 (1372285) | more than 3 years ago | (#34161920)

I enjoyed the users "Charles the rather large man" and "Yankee Jack". I wonder what their passwords are (hopefully by now, were)?

Re:Details (0)

Anonymous Coward | more than 3 years ago | (#34161954)

Well at least it seems that Charles is a rather large man.

Re:Details (1)

xded (1046894) | more than 3 years ago | (#34162074)

And MD5 hashes were stored without any kind of seed (you can crack most of them at your nearest md5crack website). The admin password in one of the auth tables was ppp (it's already public in that file, don't hold me responsible for posting it...).

I hope real defense networks are not being managed by the same people...

Re:Details (1)

hvm2hvm (1208954) | more than 3 years ago | (#34162570)

It was probably not ppp, but a rather unfortunate password whose md5 is the same as for "ppp". I can't believe they'd actually put in a password like that.

Question (0)

Anonymous Coward | more than 3 years ago | (#34162670)

You're assuming there was an MD5 collision for some other relatively short length password. Ok I guess I can buy that. Here's my question though, does it matter? If there is in fact a collision, won't typing ppp when prompted for the password still get hashed and compared and validated as the same?

Re:Details (3, Informative)

mattdm (1931) | more than 3 years ago | (#34162694)

It was probably not ppp, but a rather unfortunate password whose md5 is the same as for "ppp". I can't believe they'd actually put in a password like that.

Since the former is statistically improbable to beyond-astronomical degrees, the latter is, unfortunately, more likely.

Re:Details (1)

raylu (914970) | more than 3 years ago | (#34163824)

I think you meant to say that the latter (unfortunate password with same hash as "ppp") is improbable so the former (password actually was chosen to be "ppp") is more likely.

Re:Details (1)

mattdm (1931) | more than 3 years ago | (#34163986)

I think you meant to say that the latter (unfortunate password with same hash as "ppp") is improbable so the former (password actually was chosen to be "ppp") is more likely.

The bit I was replying to was convoluted enough that I probably shouldn't have referred to it that way. I meant the whole of "It was probably not ppp, but a rather unfortunate password whose md5 is the same as for 'ppp'." as the former and "they'd actually put in a password like that." as unfortunate but probably true.

Re:Details (1)

clone53421 (1310749) | more than 3 years ago | (#34162760)

It probably was ppp. An unfortunate MD5 collision seems much more improbable than simple incompetence on the part of the database administrators.

In fact, I’d assume most likely it was a tribute to the point-to-point protocol [wikipedia.org] (used for dial-up internet connections and replaced by the PPPoE, point-to-point protocol over ethernet, for some broadband connections).

Ah, that brings back memories... 24.4k modems, Trumpet WinSock on Windows 3.11, and Netscape Navigator. Upgrading to 56k was a big deal. The 3.5mb installation for Netscape 3 (or maybe it was 4) took hours to download and I had to keep everybody else in the house off the telephone because I didn’t have a download manager...

Re:Details (1)

PseudonymousBraveguy (1857734) | more than 3 years ago | (#34162890)

MD5 is considered broken, but it's not THAT broken. If you manage to find two short* strings with the same MD5 sum, you should post that result to a security conference and get famous.

*i.e. not longer than your average password

Re:Details (0)

Anonymous Coward | more than 3 years ago | (#34162386)

The password for user ianapp is spare251

via http://md5.rednoize.com/ [rednoize.com]

Think I'll post anonymously.

Re:Details (0)

Anonymous Coward | more than 3 years ago | (#34163148)

And for colin its dprn523x

And http://www.lmcrack.com/ [lmcrack.com] is in the process of reversing greg's. If anyones interested, check back in 24 hours

I will post anon too for the same reason.

Re:Details (1)

phantomcircuit (938963) | more than 3 years ago | (#34163134)

admin : f27f6f1c7c5cbf4e3e192e0a47b85300 | cracked: ppp

Something tells me they aren't exactly the most security conscious bunch...

Why !? (1, Insightful)

Ddalex (647089) | more than 3 years ago | (#34161724)

I don't understand why people need to deface sites just to show ... what ? their skillz ? the poor security of the website ?! This is beyond childish, and the "authors" are probably no more than script kiddiez. As tinKode points out on his site, he wants to drive attention to security problems. In fact, if he wanted to do only that, he could privately inform the site owners about the problems he sees. He could make his own security company, and make some nice bucks out of doing this specific job he seems to enjoy. But what he does now is no better than hooliganism, and I hope he will be tracked and serve some sentence for defacing of private property or anything similar.

Why hire dumbfucks? (4, Insightful)

mangu (126918) | more than 3 years ago | (#34161842)

I don't understand why people need to deface sites just to show ... what ?

They do it just to show how ignorant are the people who are supposed to manage those sites.

The Royal Navy used to be the defense of the UK against invaders. They were supposed to fight to the end, to resist against everyone. Yet, nowadays, some script kiddie is able to defeat the Royal Navy from his mom's basement? WTF???

The message is that the sites can be defeated very easily, that's all.

Re:Why hire dumbfucks? (1)

netsharc (195805) | more than 3 years ago | (#34162194)

One would hope that the whole Navy isn't defeated just because someone hacked into their "Look at my cat!" website...

But database names like "globalops" and "livechat" inspires no confidence at all. Imagine if this hacker didn't deface the site, but made a script that silently reads and forwards information out of those databases to the highest bidder...

Re:Why hire dumbfucks? (2, Insightful)

ghjm (8918) | more than 3 years ago | (#34162310)

The point is that someone probably already has.

Re:Why hire dumbfucks? (1)

c6gunner (950153) | more than 3 years ago | (#34163152)

But database names like "globalops" and "livechat" inspires no confidence at all. Imagine if this hacker didn't deface the site, but made a script that silently reads and forwards information out of those databases to the highest bidder...

Yep, because foreign governments would pay large sums of money for freely listed information about the deployments of the RN, accompanied with chat-logs between navy recruiters and Joe/m/15 from Liverpool asking if sailors also get guns.

Re:Why hire dumbfucks? (1)

k6mfw (1182893) | more than 3 years ago | (#34162734)

> able to defeat the Royal Navy from his mom's basement? WTF???

Maybe his mom doesn't have a basement and this illustrates that mothers and basements are not needed to defeat military defense systems.

Re:Why hire dumbfucks? (0)

Anonymous Coward | more than 3 years ago | (#34163242)

I don't understand why people need to deface sites just to show ... what ?

They do it just to show how ignorant are the people who are supposed to manage those sites.

The Royal Navy used to be the defense of the UK against invaders. They were supposed to fight to the end, to resist against everyone. Yet, nowadays, some script kiddie is able to defeat the Royal Navy from his mom's basement? WTF???

The message is that the sites can be defeated very easily, that's all.

Yes, because the web developers are the same people giving orders to aircraft carriers.

Re:Why hire dumbfucks? (1)

CompMD (522020) | more than 3 years ago | (#34163778)

Sure he can defeat the Navy's website. Let's see him try and defeat the 10" guns on a battleship, pointed at his house.

Re:Why !? (4, Insightful)

phyrexianshaw.ca (1265320) | more than 3 years ago | (#34161846)

Have you ever found a glaring security hole in a major website for a major company?
do you know how hard it is for somebody to even begin reporting something like that?

if you are a young adult (aged 12-24) and you find a security hole, do you know how few people will take you seriously? it's amount to telling your teacher there's a problem in every copy of a textbook: they'll just laugh at you and tell you "you just don't know any better".

Yes, I completely agree that there ARE BETTER WAYS to disclose: but by not making them easy enough for a youngster to understand: you prevent people from reporting in the first place.

Re:Why !? (2, Insightful)

ArsenneLupin (766289) | more than 3 years ago | (#34162142)

if you are a young adult (aged 12-24) and you find a security hole, do you know how few people will take you seriously?

And when they do eventually take you seriously, they will take you way to seriously by threatening you with jailtime etc.

Better avoid all risks, and anonymously hack their site via tor or an open Wifi.

Re:Why !? (2, Insightful)

Aceticon (140883) | more than 3 years ago | (#34162288)

This being the UK, if you find such a hole in a government website and report it you're likelly to end up in prison accused of terrorism.

Seriously, they've used the Anti-Terrorism legislation to detain a pensioner who shouted "nonsense" at the labour party conference: do you really think they would not do whatever it took to shut somebody that found such a hole up to avoid the embarassment? The whole purpose of these without-court-order-laws is exactly to be unrestrained tools of state power ...

Nah, your're better off anonymously outing this hole or keeping your mouth shut while foreign powers get to exploit whatever they can from it at will.

Re:Why !? (1)

CarpetShark (865376) | more than 3 years ago | (#34162688)

they've used the Anti-Terrorism legislation to detain a pensioner who shouted "nonsense" at the labour party conference

To be fair, they mistook "nonsense" for a request.

It's tough. Try telling Google something. (1)

Animats (122034) | more than 3 years ago | (#34165522)

I've been trying to get Google to fix this phishing page [phishtank.com] for months.

Someone discovered a neat hack - they can store a phishing page in Google Storage, and link to it from Google Sites. Google's abuse system doesn't comprehend that you can leverage an attack through Google Storage, so there's no way to get that phishing page taken down.

(The basic problem is that if you offer free hosting or URL redirection, and don't validate your users, you will be used to host attacks. "TinyURL" is good at catching this. "bit.ly", not so much. "t35.com" (free hosting) works hard to kick the phishers off manually, but their abuse guy gets a week or two behind at times. "piczo.com" (blog hosting for teenage girls) doesn't seem to try very hard, and phishing pages stay live there for months. We track this automatically, so we get to watch the major sites throw out the trash. Major sites that don't automate phishing and hostile code detection, constantly reading the PhishTank and APWG lists to see if one of their pages made the list, get pwned regularly.)

Re:Why !? (4, Insightful)

Monkeedude1212 (1560403) | more than 3 years ago | (#34161900)

By making a public display of low security standards - you impact more people.

Could he have told the ONE administrator of the site about the vulnerability, and HOPED that the Sysadmin would take the time out of the day to fix it - and not completely disregard his advice? Yeah, he COULD have done that, but that doesn't guarantee results or get the message to as many people.

Don't get me wrong, we just had to deal with the hooligans ourselves in my company, and it is a bit of a piss off to have to deal with it. However, I can say for a fact we're much better with our security standards now than we ever were before. And on top of that - anyone who finds out might think "Jeez, that kind of stuff is on the rise, maybe I should get to that update I've been sitting on".

It sucks if it happens to you - but its one of those things that seems necessary to keep things in line. I'd rather we be too secure as a society as opposed to being all willy nilly.

Re:Why !? (1)

duguk (589689) | more than 3 years ago | (#34161912)

I don't understand why people need to deface sites just to show ... what ? their skillz ? the poor security of the website ?! This is beyond childish, and the "authors" are probably no more than script kiddiez. As tinKode points out on his site, he wants to drive attention to security problems. In fact, if he wanted to do only that, he could privately inform the site owners about the problems he sees. He could make his own security company, and make some nice bucks out of doing this specific job he seems to enjoy. But what he does now is no better than hooliganism, and I hope he will be tracked and serve some sentence for defacing of private property or anything similar.

So it's worse that a Romanian hacker makes this information public, than 'terrorists' using it privately?

The British Navy are using Wordpress and Livechat. This is their own damn fault, and I for one am glad that we know how bad our security services are.

I'm guessing your not a British citizen, since if this was announced privately, it'd just be covered up. At least like this, something will happen - and quickly.

Re:Why !? (0)

Anonymous Coward | more than 3 years ago | (#34161988)

I disagree. Vulnerabilities like this should not be tolerated on a government system. I think the attacker should be knighted for alerting the navy of the issue because another attacker could have stolen sensitive information.

Oh Noes (1)

headhot (137860) | more than 3 years ago | (#34161732)

A useless PR website to a government agency was hacked! This is like when the RIAA home page gets hacked. No operations were actually effected, because no one goes there anyway. No shut down the email servers, thats something else.

Re:Oh Noes (1)

LWATCDR (28044) | more than 3 years ago | (#34161872)

I do agree people seem to think that Navy.mil or Whitehouse.gov are high security sites. They are for the most part nothing but PR tools. Nothing wrong with PR tools but sites like those do not control the Trident launch codes or anything else major.
The big worry is that some idiot used the same password for that site as for a secured system.
I swear that letting people pick their own passwords is just a bad idea.
One of the first sites I did for my company I had to write our own forum and security using .htaccess. This was a million years ago and frankly there was nothing worth hacking on the message base.
I let the users pick their own passwords and user names but I warned them with this text. "Your username and password are case sensitive."
Then one day someone wanted me to change their user name and password for them. They set them them to... Case and Sensitive!
Grrr.
I then wrote a program that generated AOL style passwords using a random list words. I then had to deal with people that took offense to the random passwords!

Re:Oh Noes (3, Insightful)

tlhIngan (30335) | more than 3 years ago | (#34162052)

A useless PR website to a government agency was hacked! This is like when the RIAA home page gets hacked. No operations were actually effected, because no one goes there anyway. No shut down the email servers, thats something else.

You're assuming that no one ever puts anything else up in a hidden directory on a website, do you? Just because it's a fluff website doesn't mean there isn't anything else behind those pages. At the very least, an exploited script could be running a simple fileserver on it for dropping off warez and pr0n and other stuff. Hell, the webmaster and his friends might've put up files there on behalf of some higher up who needs a large file sent somewhere.

Wasn't there that funny anti-piracy site that was DoS'd and ended up revealing a pile of hidden files containing emails and such?

You might think that such entities would use super-secret encryption and file transfer methods, but you'd be surprised to find out most still use common FTP and HTTP.

Re:Oh Noes (1)

ArsenneLupin (766289) | more than 3 years ago | (#34162374)

And also, what do you wanna bet that those egit admins used the same passwords on the fluff site than on the classified network? And using the magic of trjans and other pieces of rubber, the attackers could have easily used that web server as a springboard to infect the internal Windows clients that are used to access the "secured" classified servers as well.

So, potential for even greater mischief was indeed there.

We keep a Brit here as a pet in our office. As long as we feed it bananas and apples everyday, it acts cute :-)

Re:Oh Noes (1)

AHuxley (892839) | more than 3 years ago | (#34162494)

Yes a usb drive/laptop used to pass a cute new propaganda/recruiting image could allow code to find its way back deeper into the system.
The air gap is gone, the bespoke OS gap is now filled by MS.

It was only a dream (2, Interesting)

IICV (652597) | more than 3 years ago | (#34161742)

It's okay! This was only a simulation [slashdot.org] , right?

It's only been a priority for a month! (0)

Anonymous Coward | more than 3 years ago | (#34161752)

That's not even enough time for them to schedule a meeting to determine when they're going to hold a meeting to deal with the meeting to find the people who will look for the people who will be in charge of finding the people who will be responsible for the people who have the task of finding the problems.

Really, it's just inconsiderate of this Romanian fellow. Why can't he be a sport and wait a bit?

clear text passwords? (1)

erroneus (253617) | more than 3 years ago | (#34161758)

Really?? I realize there are cases where it is useful and possibly even necessary, but the use of clear text passwords is just a bad idea. It amazes me that it continues to go on and on and on...

Re:clear text passwords? (2, Informative)

Grantbridge (1377621) | more than 3 years ago | (#34161924)

If you look at the data they released, they only gave the password hashes, not the passwords themselves. There were no clear text passwords in the database. That said, one of them has been "cracked" to "ppp". Its an admin password, hopefully it required being logged in from the intranet or something.

Re:clear text passwords? (0)

Anonymous Coward | more than 3 years ago | (#34162004)

Who said they were clear text? They look pretty hashed to me.

http://pastebin.com/raw.php?i=M2MUEdv4 [pastebin.com]

Meh (2, Insightful)

Timmmm (636430) | more than 3 years ago | (#34161768)

Embarrassing, sure. But it's just their website, and doesn't justify spending £500m on fighting "cyber-terrorism". By the way does anyone know what the £500m will actually be spent on? It *should* be spent on researching secure systems like BitC, SELinux, stack protection and so on. I bet it isn't.

Re:Meh (1)

Locutus (9039) | more than 3 years ago | (#34162608)

it will probably pay for a package from Microsoft which will contain a document describing Microsoft's Secure Computing Initiative and a white flag.

LoB

Microsoft? Really? :-) (1)

spankers (456500) | more than 3 years ago | (#34161776)

eherr@quark:~$ HEAD http://royalnavy.mod.uk/ [royalnavy.mod.uk]
200 OK
Date: Mon, 08 Nov 2010 15:51:01 GMT
Accept-Ranges: bytes
ETag: "0ee7b62b67dcb1:7904"
Server: Microsoft-IIS/6.0
Content-Length: 70
Content-Location: http://royalnavy.mod.uk/index.html [royalnavy.mod.uk]
Content-Type: text/html
Last-Modified: Sat, 06 Nov 2010 13:27:40 GMT
Client-Date: Mon, 08 Nov 2010 15:51:03 GMT
Client-Peer: 94.236.30.11:80
Client-Response-Num: 1
X-Powered-By: ASP.NET

Re:Microsoft? Really? :-) (1)

ArsenneLupin (766289) | more than 3 years ago | (#34162182)

Yeah, the usual suspects: Microshit sequel sewer, and ass pee.

Was only a matter of time, serves the right.

Re:Microsoft? Really? :-) (0)

Anonymous Coward | more than 3 years ago | (#34162550)

if they followed the recomendations and use stored procs and passed parameters to them, data would be automatically cleaned to block sql Injection attacks. As usual, its the programmer, not the tools.

Re:Microsoft? Really? :-) (1)

RDW (41497) | more than 3 years ago | (#34162258)

Lucky they don't use it for anything critical! Oh, wait:

http://www.theregister.co.uk/2008/12/16/windows_for_submarines_rollout/ [theregister.co.uk]

Re:Microsoft? Really? :-) (1)

AHuxley (892839) | more than 3 years ago | (#34162322)

Yes to save costs MS is now 'next' to the UK's most critical systems.
One usb drive/download away from ???? at sea.

Re:Microsoft? Really? :-) (1)

spankers (456500) | more than 3 years ago | (#34162564)

I think this particular instance was more a matter of poor security practices in web development than underlying OS or web server, but it does seem a bit odd that a military branch would use Microsoft/IIS vice using a Unix or Linux platform. It appears that the U.S. Navy is also running IIS for their primary public site.

200 OK
Cache-Control: max-age=334
Connection: close
Date: Mon, 08 Nov 2010 16:56:47 GMT
ETag: "8094fdaf44cc81:287"
Server: Microsoft-IIS/6.0
Content-Location: http://www.navy.mil/usnhome.html [navy.mil]
Content-Type: text/html
Last-Modified: Thu, 11 Oct 2007 20:24:13 GMT
Client-Date: Mon, 08 Nov 2010 16:56:48 GMT
Client-Peer: 96.17.8.152:80
Client-Response-Num: 1
Header: US Navy
X-Powered-By: ASP.NET

Re:Microsoft? Really? :-) (1)

dotancohen (1015143) | more than 3 years ago | (#34162808)

Actually, no, the server hacked was RHEL:

Server : Apache/2.2.3 (Red Hat) DAV/2 PHP/4.4.9 Machine : i686
System User : amax_navy@192.168.10.17
OS : redhat-linux-gnu
IP : 94.236.30.85

Re:Microsoft? Really? :-) (1)

spankers (456500) | more than 3 years ago | (#34162940)

Ah. My bad. I just read the exploit summary.

Re:Microsoft? Really? :-) (0)

Anonymous Coward | more than 3 years ago | (#34165984)

Actually, no, the server hacked was RHEL:

Server : Apache/2.2.3 (Red Hat) DAV/2 PHP/4.4.9 Machine : i686
System User : amax_navy@192.168.10.17
OS : redhat-linux-gnu
IP : 94.236.30.85

Try to go to a random page, anything will do, just type some nonsense. May I suggest http://www.royalnavy.mod.uk/blah

See the Microsoft IIS error.

Re:Microsoft? Really? :-) (1)

ais523 (1172701) | more than 3 years ago | (#34163172)

SQL injections, which were apparently used, have nothing to do with the operating system the system is running on; rather, they exploit errors in (usually) custom-built applications mixing up data and code before sending it to the database (which cannot really distinguish an SQL injection from an actual command). Thus, posting this is really a bit misleading; a huge number of things are Microsoft's fault, but this is probably not one of them.

Re:Microsoft? Really? :-) (1)

spankers (456500) | more than 3 years ago | (#34163220)

Yeah. I had not read the exploit. It was apparently a Linux box that was compromised.

From TFA (3, Interesting)

contra_mundi (1362297) | more than 3 years ago | (#34161794)

"We can all be thankful that Tinkode's activities appear to be have been more mischievous than dangerous. If someone with more malice in mind had hacked the site they could have used it to post malicious links on the Navy's JackSpeak blog, or embedded a Trojan horse into the site's main page."

Giving anyone free reign to embed said trojans into the site is only marginally better. Assuming of course that it could be done with the exposed admin logins. Now they're forced to go through pretty much everything to make sure no such traps were placed or if information was stolen.
The mischevious option would have been to remain only parts of the passwords, or otherwise proving it and not leaking anything sensitive.
Not to worry however, I'm sure he'll get 60 years in jail without parole for embarrassing the wrong people.

I'm gonna guess the priority got raised again (1)

fkx (453233) | more than 3 years ago | (#34161850)

Better a harmless hacker does it than an enemy of Britain.

Although I can't think of any at the moment.

Not sure what is more embarrassing (2, Interesting)

MalHavoc (590724) | more than 3 years ago | (#34161858)

I'm not sure what is worse. The fact that they fell victim to an SQL injection attack, or the HTML source that is displayed on TFA is badly broken. A "centre" tag? And the closing HTML tag is broken. Someone put up that maintenance page in a mega hurry.

Re:Not sure what is more embarrassing (0)

Anonymous Coward | more than 3 years ago | (#34162042)

To anyone from the Royal Navy in charge of the website: http://validator.w3.org/ [w3.org] .

It's only one of the many tools that you will need in order to keep your job. The first step is to throw away your "HTML 3.2 for Dummies" book in the trash and learn to separate content (HTML) from presentation (CSS).

Re:Not sure what is more embarrassing (1)

6Yankee (597075) | more than 3 years ago | (#34162058)

And that's not even all of it. Given how much fail they managed to cram into three lines of HTML, it's no wonder there are SQL injection holes.

Still, at least it'll cost less to fix this than to fix Astute... or at least you'd think so. I'm sure someone's on the phone to EDS offering them half a billion quid to do the job, even as I type.

Re:Not sure what is more embarrassing (0)

Anonymous Coward | more than 3 years ago | (#34162728)

Chances are that it was a sysadmin in a hurry throwing up that page, and nothing to do with the developer who had the SQL injections.

that's not technically embarrassing (4, Informative)

circletimessquare (444983) | more than 3 years ago | (#34161888)

it's an unimportant website

now THIS is technically embarrassing

http://www.bbc.co.uk/news/uk-scotland-highlands-islands-11605365 [bbc.co.uk]

this is a nuclear powered brand new stealth submarine, giving away its secret propulsion system as the tide lowers, because someone drove it into the beach. stealth beach? (slaps forehead)

But it is stealthy (1)

petes_PoV (912422) | more than 3 years ago | (#34161986)

It's cunningly disguised as a small island with a chimney on top

Re:that's not technically embarrassing (1)

ColdWetDog (752185) | more than 3 years ago | (#34162192)

Secret propulsion system.

Rather like this picture [guardian.co.uk] ?

Re:that's not technically embarrassing (1)

glwtta (532858) | more than 3 years ago | (#34164616)

Well, they've got a sheet over it - I guess that's enough to keep the secret part secret?

Unless (1)

ThatsNotPudding (1045640) | more than 3 years ago | (#34163756)

their steering system got hacked for just this result.

That would be steam powered (1)

Martin S. (98249) | more than 3 years ago | (#34164214)

Moderate this funny not informative.

Re:that's not technically embarrassing (1)

c6gunner (950153) | more than 3 years ago | (#34164906)

this is a nuclear powered brand new stealth submarine, giving away its secret propulsion system as the tide lowers

Shit. Thanks to this incident, the whole world knows that the UK uses propellers. May as well just scrap the whole navy now.

Who wants to have... (1)

pahles (701275) | more than 3 years ago | (#34161902)

a username like "Charles the rather large man"?

Re:Who wants to have... (1)

ArsenneLupin (766289) | more than 3 years ago | (#34162240)

... and does the contents of his trousers match his overall bulk? Does he have nice hair on his chest? And is it more muscle or more fat?

How does that go again? Oh yeah (0)

Anonymous Coward | more than 3 years ago | (#34161948)

HA HA!

smallest web page I've seen recently (1)

v1 (525388) | more than 3 years ago | (#34162126)

{html}
{centre}{img src="navysitedown.gif" alt=""/}{/centre}
{?html}

and even a ? instead of a / , they were obviously in quite a hurry to take it down... I'm also surprised it takes "centre"... silly brits and their proprietary english!

(you'd think by now slashdot wouldn't blow a gasket trying to use a less than or greater than symbol in the text of their post...)

Re:smallest web page I've seen recently (1)

sconeu (64226) | more than 3 years ago | (#34162456)

Have you ever heard of entities?

&lt; generates a < less than symbol quite nicely.

Similarly, &gt; generates a > greater than.

And if you need an ampersand (&), &amp; does the trick.

Re:smallest web page I've seen recently (1)

clone53421 (1310749) | more than 3 years ago | (#34162812)

And if you need an ampersand (&), &amp; does the trick.

So does an ampersand (&) (unless it happens to be followed by lt; or some other HTML entity).

Re:smallest web page I've seen recently (1)

PitaBred (632671) | more than 3 years ago | (#34163356)

If you type &gt; you can get a >

Oblig (0)

Anonymous Coward | more than 3 years ago | (#34162162)

327 [xkcd.com]

Care time? (2, Interesting)

crow_t_robot (528562) | more than 3 years ago | (#34162444)

If the navy's website was actually connected to any operational naval computer systems, yielded more than just the names and passwords of contractor web developers, housed actual classified operational information of the royal navy or was due to a flaw in a piece of software written by the navy for mission-critical systems then I MIGHT CARE.

But, it doesn't, so I DON'T.

Re:Care time? (2)

commandermonkey (1667879) | more than 3 years ago | (#34163578)

It's a good thing people never use the same passwords in different domains for their own accounts let alone any group accounts. Oh wait people DO.

In this case I am willing to bet they are NOT administered by the same group and since most of the UIDs DON'T look like anything other than test id's the risk is minimal, but the risk would be even less had the site not had the vulnerability.

More importantly, the real story ISN'T about how there was a massive military security lapse and now we are all going to die. The real story is that IT may be slightly embarrassing that a military website was taken down due to an SQL injection and the story helps TO remind all of us that we really SHOULD try to harden our code to these attempts.

P.S. I like you're IDEA of randomly bolding things. IT maY not make your post any clearer BUT it makes it more FUN to wRITe.

don't store passwords (1)

tukia (1375091) | more than 3 years ago | (#34162500)

When will sites learn not to store actual passwords and to just store a hash of the password.

Re:don't store passwords (1)

dotancohen (1015143) | more than 3 years ago | (#34162836)

Which FA did you read? The one I read had only hashes.

So... (1)

Utini420 (444935) | more than 3 years ago | (#34162718)

the Queen's not getting on Facebook then, hugh?

Re:So... (0)

Anonymous Coward | more than 3 years ago | (#34164216)

Who you calling Hugh?!

If they are anything like the US (3, Informative)

orphiuchus (1146483) | more than 3 years ago | (#34162950)

Then they have at least 4 levels of networks just for the military, 1 for the public(the recruiter websites), 1 for regular correspondence such as training and rosters(accessible by everyone in the military), 1 for things that may be considered secret but have fairly low impact if compromised(acceptable to everyone with a security clearance requiring a basic background check), such as deployment dates and reports from deployed units, and 1 for medium-high risk stuff like radio fill codes(available to people with extensive background checks and monitored closely). The networks that get compromised and make the news, at least in the US, are the first 3. Wiki-leaks stuff usually comes from the 3rd level there and tends to be stuff that a lot of people have access to. This compromise seems to be the very lowest level, as several people have pointed out, and I doubt if anyone in the royal navy is all that concerned about actual security. That doesn't mean its not embarrassing, because the public reaction is sure to be ill-informed and overblown, but the actual damage here is nil. The real secrets everyone wants to assume are stored on these websites, such as the black ops or alien autopsies, aren't actually anywhere. If the government actually does something super secret and potentially earth-shaking they don't write it down and file it. That wouldn't make any sense. Once you get past Grey-SOF level of secret stuff the paper trail pretty much needs to disappear.

But You Must Trust (1)

BoRegardless (721219) | more than 3 years ago | (#34163022)

Your government knows best. Really!

Plus 5], Troll) (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34164088)

the latest Ne7craft

What they should have put on the the page (0)

Anonymous Coward | more than 3 years ago | (#34166196)

There is no cannibalism in the royal navy. By "none", we mean none to speak of. (Camera pans to sailor eating a human leg.)

My God... They've Finally Done It. (1)

Petersko (564140) | more than 3 years ago | (#34166302)

They're sacrificing chickens at the alter of biofuels.

How deliciously accurate. They've admitted biofuel are a desperate, unsupportable hail mary to the Gods.

Oops... (1)

Petersko (564140) | more than 3 years ago | (#34166366)

Wrong thread.

Further Statement. (1)

Octopuscabbage (1932234) | more than 3 years ago | (#34166350)

The British national navy later released a statement saying "Damnit, we knew password1 was a bad password. But it was so easy to remember."
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?