
Whether or not confidential information was accessed in the attacks is unknown

Security of data online is a big concern for consumers, businesses, and the government. Leaked data can not only cost money, but can significantly undermine national security. With data security as such a high priority, significant sums of money are spent to protect private and public networks from nefarious attacks.

Despite the massive budgets and security protocols in place to combat cyber-attacks, InformationWeek reports that anti-American hackers have successfully hacked at least two sensitive web servers belonging to the U.S. Army. Department of Defense investigators are looking into the breaches and have reportedly subpoenaed records from Microsoft, Yahoo, Google, and other ISPs and email providers in the investigation.

The websites in question were for the Army's McAlester munitions plant and the Army Corps of Engineers. The ammunition plant site was hacked and users trying to visit the site were redirected to a web page with a protest against climate change. The attack against the Army Corps of Engineers site redirected visitors to the webpage for the hacker network m0stead at www.m0stead.net. The website is reportedly now a parked domain listing airline reservations.

However, at the time of the Corps of Engineers site attack, the URL had anti-American and anti-Israeli rhetoric and images. It's not known if the attacks resulted in the hackers gaining access to any sensitive information on the servers.

In April 2009, information came to light that hackers had successfully stolen confidential data from servers storing information on the Joint Strike Fighter aircraft.



Comments

Gotta love these nonsensical shock messages
By astralsolace on 5/29/2009 11:59:50 AM , Rating: 3
Government agencies don't keep sensitive information that could endanger national security on computers connected to the Internet, period. There is no way to "hack" top secret info remotely. If you got into the building? Sure, maybe.




By Brandon Hill (blog) on 5/29/2009 12:13:23 PM , Rating: 4
Obviously, you've never seen Goldeneye :-)

"Better luck next time... Slugheads!"


By elpresidente2075 on 5/30/2009 11:48:06 AM , Rating: 2
I lol'd. Interestingly, I almost watched that movie last night!


RE: Gotta love these nonsensical shock messages
By Xenokyn on 5/29/2009 12:14:50 PM , Rating: 4
quote:
People who work for Government agencies shouldn't keep sensitive information that could endanger national security on computers connected to the Internet, period.


Fixed to be a tad more realistic.


RE: Gotta love these nonsensical shock messages
By Jackattak on 5/29/2009 12:22:38 PM , Rating: 2
Don't mean to be rude, but trust me, you don't know what you're talking about.


RE: Gotta love these nonsensical shock messages
By rdeegvainl on 5/29/09, Rating: -1
RE: Gotta love these nonsensical shock messages
By Jackattak on 5/29/2009 2:24:26 PM , Rating: 5
Actually, I do.

All DoD systems and networks are ISO-27002 certified. That means all Internet/web-facing systems are completely declassified of any sensitive information.

Army web servers are for "information purposes only". They contain nothing that can compromise national security. Ask me how I know.


RE: Gotta love these nonsensical shock messages
By rdeegvainl on 5/29/09, Rating: -1
RE: Gotta love these nonsensical shock messages
By mindless1 on 5/29/2009 5:48:11 PM , Rating: 4
It doesn't matter how insecure some other network is when referring to a link between these insecure systems and a breach of webserver that is simply not logically connected in any way at all.

Let me put it another way so you understand better. Suppose a man named "Bob" instead of a group called the "Army" goes and buys a laptop. Bob also has a computer at work.

If Bob has never connected to the computer or network at work with his laptop, done nothing to configure connectivity between the laptop and anything at work, and put no work network, computer or password info on the laptop, then if Bob's laptop gets hacked while he's surfing the web (or serving files for something else) at home that presents no risk at all to Bob's workplace computer or networked computers.

Similarly, if I had two ISP accounts at home and put a webserver connected to a modem on one and it had no info about the other network I have, and put the second network of computers on the other ISP account and modem, hacking my webserver gives the hacker nothing more than the webserver and whatever I chose to put on it. Since I had the other network expressly for another purpose I deliberately chose not to put sensitive info on the webserver.

Per the above example I even had the networked computers with sensitive info on the internet while the Army did not, and still hacking my webserver gives a hacker nothing of importance except the ability to redirect visitors somewhere else, or take over control of the webserver to do other typical hackerish things like create a botnet or spam relay.


RE: Gotta love these nonsensical shock messages
By rdeegvainl on 5/30/2009 9:50:52 AM , Rating: 2
quote:
People who work for Government agencies shouldn't keep sensitive information that could endanger national security on computers connected to the Internet, period.

Nearly every system, at one point or another is connected to the internet. The laptops and workstations that people use to write an unclass brief for general so-and-so, he will most likely be using bits and pieces of information that by themselves will not be classified. But in combination with other information that is available on the unclass side, on systems that are also connected to the internet, become secret.
The guy who has logistical orders for mass amounts of gear, while another guy has information for transportation, while yet another has info about current training ops, can be pieced together to show that this unit or that is going to be a large influx of military in a certain country.
You also have large amounts of Personally Identifiable Information about nearly every individual in the DOD, such as drivers licenses, ssn, birth dates, and every other bit of info you can think of, on systems that are connected to the internet.
While yes in this case they are only talking about web servers, this thread and the comments in it are not limiting themselves to just that, the quoted statement above includes all systems connected to the internet.


By Etsp on 5/30/2009 10:35:06 PM , Rating: 5
This is true, nearly every system is connected to the internet. Except the military's systems that contain classified info. They have their own version of the internet that they use, that is not tied to the public internet whatsoever.

Vast majority of systems that are connected to that secure network do not have the means of copying data onto removable media, or reading from removable media (or those means are severely restricted, under lock and key and a mountain of paperwork).

This means that for spillage to occur, someone would have to look at the classified info, WRITE IT DOWN, and type it up on another computer. They don't allow any room for "Accidents"

Systems that contain restricted information are less secure, and don't face those same restrictions. But Classified and Restricted are two completely different things. Purchase Orders of components and things of that nature is restricted information, it's not classified.


By jarman on 5/31/2009 2:32:20 AM , Rating: 5
quote:
Nearly every system, at one point or another is connected to the internet.


No, they are not.

quote:
The laptops and workstations that people use to write an unclass brief for general so-and-so, he will most likely be using bits and pieces of information that by themselves will not be classified. But in combination with other information that is available on the unclass side, on systems that are also connected to the internet, become secret.


You REALLY need to review your NISPOM and program specific security classification guides. Guidelines are clearly outlined in those documents for the explicit purposes of ensuring that "aggregation" of classified information is not possible via dissemination of FOUO information across any public network.

If this is not being rigorously enforced where you are working, I'd highly recommend that you inform your program protection personnel... quickly.


RE: Gotta love these nonsensical shock messages
By Ammohunt on 5/29/2009 2:51:07 PM , Rating: 5
Perhaps a job title that I once held myself? DOD contractor in a warzone? He knows exactly what he is talking about and is absolutely correct. Sensitive information is not stored on servers that are connected to the internet.


RE: Gotta love these nonsensical shock messages
By rdeegvainl on 5/29/09, Rating: -1
RE: Gotta love these nonsensical shock messages
By Jackattak on 5/29/2009 3:26:25 PM , Rating: 3
Then why state a rebuttal in the first place? Let's keep this civil, please and not point fingers at "where the problem lies".

The three of us obviously have worked or do work for the DoD in some capacity.

I've spent the last 15+ years ensuring that the majority of the Army's web services comply with the ISO standards, although I am no longer in that capacity as of two years ago. When I left my position in the organization, it was as physically and logically as possible to have sensitive information that could harm national security on any Internet-facing system within the US Army.

If anything has changed since the new administration has taken over, I'd be heavily surprised, not to mention I would've been notified.

And I mean that.


RE: Gotta love these nonsensical shock messages
By rdeegvainl on 5/29/2009 3:37:31 PM , Rating: 2
For the sake of civility, I apologize and point the finger at complacency as the problem.
The policies and procedures haven't loosened to allow information out, but there are way too many cases of individuals, either due to ignorance or negligence, that do not follow the guidelines.


By Ammohunt on 5/29/2009 3:44:29 PM , Rating: 3
That's more accurate! The problems I witnessed were mainly caused by clueless National Guard butter bars. Not the system design itself.


By Jackattak on 5/29/2009 4:32:16 PM , Rating: 3
Redaction appreciated.

I know all about spillage, to rebut your statement a few posts up as requested. What I am trying to state is that these systems (at least the ones I implemented and audited) are hardened utilizing a multitude of techniques and methods to make it as close to impossible as possible for them to send, transmit, or store sensitive, classified data of a nature that could harm national security.

You can't even so much as move a file with jet fighter aircraft schematics up one directory from where it is stored without four or five protective measures (some human, some not) getting involved.

I think the portion you're arguing would be if a contractor, for example, typed a bunch of reports on his laptop regarding said jet fighter aircraft schematics and then lost the laptop.

While possible, (hell it's probable and has been close to being done before LOL) it hardly poses much of a risk to national security (my original argument) as the data involved is not quantifiable.


RE: Gotta love these nonsensical shock messages
By Aloonatic on 5/29/2009 12:24:42 PM , Rating: 5
Everyone knows the best place to keep this sort of information is on a lap top, safely stored on the London underground tube train over night, or better yet a memory stick left down the back of a seat in a taxi cab.

What are you talking about with your crazy "buildings" to keep data in securely?


By jadeskye on 5/29/2009 12:46:45 PM , Rating: 2
As a Londoner, I agree whole-heartedly with your statement.

^_____^


By kattanna on 5/29/2009 2:52:27 PM , Rating: 2
or on a laptop you leave in the back seat of your car

or on an old hard drive that the IT dept sells on ebay


By Sazar on 5/29/2009 4:36:30 PM , Rating: 2
Exactly. Very few people actually understand the difference between NIPR and SIPR configurations and the inherent security or vulnerability of each on the client-side.

You also have NIPRNet and SIPRNet enterprise configurations specifically to avoid having sensitive information exposed, or have front-facing data which is not sensitive, i.e. RIPR.

Having a website or webserver hacked is quite different than a secure internal SIPR setup which does contain top secret stuff.


SQL Injection
By Crusty on 5/29/2009 12:27:34 PM , Rating: 2
Way to not post HOW the servers were hacked, a simple SQL injection attack.

It blows my mind that people still can not prevent this kind of attack, it's got to be one of the simplest things to prevent.




RE: SQL Injection
By Jackattak on 5/29/2009 12:30:38 PM , Rating: 2
Citation?


RE: SQL Injection
By AntiV6 on 5/29/2009 1:36:03 PM , Rating: 2
Apple.com

Anything that can be protected can be hacked.


RE: SQL Injection
By vladio on 5/29/2009 3:55:03 PM , Rating: 2
`Anything that can be protected can be hacked`
well, yes, same as, yes, we can build straight line road from New-York to San Francisco from ...gold.
POSSIBLE? yes
but NOT LIKELY!

Properly protected system, yes, will NOT be protected 100%, but...will be IMPOSSIBLE to penetrate by 14-year-old kids.
and that's what is NOW 99.99% of the time.


RE: SQL Injection
By GeorgeH on 5/30/2009 5:00:23 AM , Rating: 5
It is with the deepest regret that I must dispute your claim as to the possibility of constructing a golden roadway connecting the cities of New York, NY and San Francisco, CA.

NY-SF Distance: ~2900 miles or 4,667,097m
Width 2-Lane Roadway: ~23 feet or 7m
Required Roadway Depth: ~2mm

Total Roadway Volume: ~65,000 cubic meters

Density of Gold: 19.3g/cc

Total Gold Required: ~1,300,000 tonnes

Amount of Gold Mined to Date: ~160,000 tonnes

As you can clearly see, construction of this roadway would require the availability of nearly one full order of magnitude more gold than has been mined in all of human history. I therefore must conclude that construction of such a roadway is actually quite impossible given currently available mineral resources either today or in the foreseeable future. On these grounds I hereby demand a retraction of your claim of possibility on pain of general harrumphing.

Signed,
Lord Humperdink VonPedantic


RE: SQL Injection
By JediJeb on 6/1/2009 3:13:18 PM , Rating: 2
What if you make the Roadway Depth 0.2mm?


RE: SQL Injection
By JakLee on 6/1/2009 4:20:48 PM , Rating: 2
So I guess I have to build my road of gold 1 order of magnitude smaller..... might be a small road, but I could still call it a road.


RE: SQL Injection
By emergnsee on 5/29/2009 2:04:55 PM , Rating: 2
Where did you get this information?


RE: SQL Injection
By mindless1 on 5/29/2009 5:51:27 PM , Rating: 2
Not knowing the particulars, it seems as though all security resources are finite, those in charge of this may have had more important things to do than securing a relatively unimportant system. While it may be a newsworthy event that doesn't automatically translate into an event that compromises the core operations of the military.


finally...
By nixoofta on 5/29/2009 4:03:28 PM , Rating: 2
forwarding my spam has paid off. Hah! Uhm,...wait,...there's someone at the door....




By crystal clear on 5/30/2009 3:17:53 AM , Rating: 2
The reason behind all these reports of cybersecurity/hackings/etc etc you hear/read in these recent weeks is-

The main dispute over whether the Pentagon or the National Security Agency should take the lead in preparing for and fighting cyberbattles.

The budgets are huge & both departments want to grab their share & even better all of it.




Ebay
By brightstar on 5/31/2009 2:13:21 AM , Rating: 2
Who needs to hack US Gov computers when you can buy classified Info from hard drives on Ebay ;)




expected result..
By vladio on 5/29/09, Rating: -1
RE: expected result..
By Nyamekye on 5/30/2009 11:22:40 AM , Rating: 1
Okay, but he's been in the office for what... about 5 months.

You can't expect instant results on everything, especially from the government under any party or president.


This could have been avoided....
By matt321 on 5/29/09, Rating: -1
RE: This could have been avoided....
By Suntan on 5/29/2009 12:31:42 PM , Rating: 3
quote:
I couldn't resist....


Too bad you didn't make the joke about 5 years ago. Then it would have only been "old" by about 4 or 5 years.

Seriously, come up with something other than a situation where Bill Gates whines at someone. It stopped being funny years ago.

-Suntan


RE: This could have been avoided....
By matt321 on 5/29/2009 2:10:58 PM , Rating: 1
So the quote was old but it's still applicable. It doesn't matter how much money the DoD has or how many precautions are put in place to prevent hacking, if it's connected to the web it CAN BE HACKED.

I just find it funny that, like Bill Gates, there is going to be someone to blame and they are going to suffer for something they could not help...


RE: This could have been avoided....
By mindless1 on 5/29/09, Rating: 0
By mindless1 on 6/1/2009 4:00:44 AM , Rating: 2
I was rated low by making a blow to pseudo-hackers and know-it-alls that don't hack anything except low hanging fruit.

Fact: Hackers cannot just decide to break into wherever they want to. Either they find a vulnerability or move on to the next target. Granted, given enough time on a target, sometimes a vulnerability can be found but it's not at all the same as pretending in some vague way that we're all insecure.

Only dumb OR overworked people that don't assess risk and limit functionality, those that don't assess security, are especially at risk.

Those that rate down, ha ha ha, you piddle with web forum comments instead of even spending time trying. Good for you though, wasting time instead of trying to act criminally, but it's hardly a sign of anything but silliness when one doing that rates a valid and true comment.

Oh, but it's not about truth right? It's about a teenager concept of popularity in what you'd LIKE instead of the way things are.

Sad really, Jr. hacker wannabe.

Copyright 2010 DailyTech LLC.