Amid all of the media and public fascination with threats like Stuxnet and weighty terms such as “cyberwar,” it’s easy to overlook the more humdrum and persistent security threats, such as Web site vulnerabilities. But none of these distractions should excuse U.S. military leaders from making sure their Web sites aren’t trivially hackable by script kiddies.
Security vendor Imperva today blogged about a hacker who claims to have access to and control over several top dot-gov, dot-mil and dot-edu Web sites. I’ve seen some of the back-end evidence of his hacks, so it doesn’t seem like he’s making this up. Perhaps out of deference to the federal government, the Imperva folks blocked out the best part of that screen shot — the actual names of the Web site domains that this hacker is selling. For example, the hacker is advertising full control and root access to cecom.army.mil, a site whose stated purpose is “to develop, acquire, provide and sustain world-class…systems and Battle Command capabilities for the joint warfighter.” It can be yours, for just $499 (sorry, no credit cards accepted; only the virtual currency Liberty Reserve).
Here is an unredacted (well, mostly) shot of that site:
According to Imperva, this enterprising hacker is also selling info personally identifiable information from hacked sites, for $20 per 1K records. The company mined this hacker’s postings on other forums, and found evidence that he was able to hijack the sites via SQL injection vulnerabilities, most likely with the help of an automated vulnerability scanner.
I find it ironic that one of these sites allegedly for sale is the Department of Defense Pharmacoeconomic Center, which is a DoD site tasked with “improving the clinical, economic, and humanistic outcomes of drug therapy in support of the…military health system.” In all likelihood, if access to this site is purchased, it will be by someone looking to plant links to rogue online pharmacies of the sort frequently advertised in junk e-mail. People who get paid to promote these rogue pharmacies typically do so by hacking legitimate Web sites and including links back to fly-by-night pharma sites, and they particularly like dot-mil, dot-gov and dot-edu sites because search engines tend to treat links coming from those domains with more authority than random .com sites.
By the way, that “Undetected Private Java Driveby Exploit” that this guy is selling is none other than the social engineering trick I blogged about last week here.