Hacker makes a fool of .mil and .gov security

By Richi Jennings. January 24, 2011.

A "brazen" hacker is selling access to his conquered websites. For a mere $499, you can own the Army's "dynamic and committed" CECOM site. Or perhaps you'd prefer the DoD's Pharmacoeconomic Center? In IT Blogwatch, bloggers boggle at the possibilities.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention Magic Otter: The Translation...

Robert McMillan:

The hacker says he has control over a number of websites, including ... military sites, government sites, and those belonging to universities. ... Prices range from $33 to $499, depending on how important or widely used the website is. ... The hacker is also selling databases of personal information he's stolen from the websites for $20 per thousand records.


Whoever is selling this stuff probably broke into these websites using a common Web attack called SQL injection. ... When SQL injection works, the results can be devastating. It's what notorious hacker Albert Gonzalez used to break into companies such as Heartland Payment Systems and 7-Eleven.
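Since every quoted source points at SQL injection as the probable entry point, here is an added example (not code from the article or from any of the bloggers it quotes) that shows the defect side by side with its fix, plus a simple access-log check for the automated probing Imperva describes. The table schema, the log lines and the probe pattern are constructed assumptions for illustration; the real sites' schemas and traffic are not known.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample table standing in for a site's user store; the real
# schemas behind the sites named in the article are unknown (assumption).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Injectable pattern: the input is pasted into the SQL text, so a quote
    inside it is parsed as SQL syntax rather than treated as data."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn, username):
    """Hardened pattern: the driver binds the value, so the input can never
    change the shape of the statement, whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


# Access-log check: automated scanners leave many requests whose decoded
# query strings carry a quote followed by a SQL keyword. The pattern is an
# illustrative assumption, not a production detection rule.
PROBE_RE = re.compile(r"(?:'|\")\s*(?:or|and|union|--|;)", re.IGNORECASE)


def flag_probe_requests(log_lines):
    """Return the decoded request paths that look like SQL injection probes.

    Lines are expected in a minimal "METHOD PATH" form (assumption)."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        path = unquote(parts[1])
        if PROBE_RE.search(path):
            flagged.append(path)
    return flagged


# Constructed log lines, not real traffic. The third line contains a quote
# in ordinary data and must not be flagged.
SAMPLE_LOG = [
    "GET /news.php?id=42",
    "GET /news.php?id=42%27%20OR%20%271%27%3D%271",
    "GET /search?q=o%27reilly",
    "GET /login?user=admin%27%20union%20select%201",
]

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
    print("flagged      :", flag_probe_requests(SAMPLE_LOG))
```

The parameterized version returns nothing for the probe string because no user is literally named `x' OR '1'='1`; the concatenated version returns every row. The log check is deliberately narrow: decoding the path first matters because scanners URL-encode their payloads, and the `o'reilly` line shows why a bare apostrophe alone is not enough to flag a request.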

Paul Suarez addz:

Imperva, a data security firm, discovered a hacker is selling alleged access to military, government and educational sites across the globe. Prices range from $499 for U.S. military websites to $55 for MySQL root access to the State of Michigan website.


The hacker will also "hack a normal website," scan a site for vulnerabilities for $2 and give you 3MB of random hacked accounts for $65.

Imperva's Rob Rachwald writes:

The victims' vulnerabilities were probably obtained by an automatic SQL injection vulnerability scanner and exploited in an automatic manner, ... the hacker published his methods in a post in some hacker forum.

Brian Krebs asks, "Ready for Cyberwar?"

It’s easy to overlook the more humdrum and persistent security threats, such as Web site vulnerabilities. But none of these distractions should excuse U.S. military leaders from making sure their Web sites aren’t trivially hackable by script kiddies.


For example, the hacker is advertising full control and root access to cecom.army.mil, a site whose stated purpose is “to develop, acquire, provide and sustain world-class…systems and Battle Command capabilities for the joint warfighter.”

But Pascal-Emmanuel Gobry seeks the crazy angle:

What's crazy about this is the brazenness of it all: the hacker basically put up an online storefront, like any e-commerce site, except instead of buying shoes and books, you're buying government sites.

Meanwhile, Adrian Chen snarks it up:

Julian Assange finally knows how to spend all his Christmas money.

And Finally...

Magic Otter: The Translation


Richi Jennings, your humble blogwatcher

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, he can be followed as @richi on Twitter, befriended as richij on Facebook, or reached by good old email: itbw@richij.com.

You can also read Richi's full profile and disclosure of his industry affiliations.

Copyright © 2011 IDG Communications, Inc.
