By Richi Jennings
January 24, 2011. A "brazen" hacker is selling access to his conquered websites. For a mere $499, you can own the Army's "dynamic and committed" CECOM site. Or perhaps you'd prefer the DoD's Pharmacoeconomic Center? In IT Blogwatch, bloggers boggle at the possibilities.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention Magic Otter: The Translation... Robert McMillan:
The hacker says he has control over a number of websites, including ... military sites, government sites, and those belonging to universities. ... Prices range from $33 to $499, depending on how important or widely used the website is. ... The hacker is also selling databases of personal information he's stolen from the websites for $20 per thousand records. Paul Suarez addz:
Whoever is selling this stuff probably broke into these websites using a common Web attack called SQL injection. ... When SQL injection works, the results can be devastating. It's what notorious hacker Albert Gonzalez used to break into companies such as Heartland Payment Systems and 7-Eleven.
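Since the whole roundup turns on SQL injection, here is an added illustration of what that attack looks like and what stops it. This is editor-supplied example code, not code from the original post or from any of the quoted bloggers, and the `articles`/`users` tables, rows and payloads are constructed here for the demo. It uses an in-memory SQLite database, so it runs offline; the point is the contrast between a query built by string concatenation and the same query with a bound parameter.

```python
"""Added example: SQL injection against a string-built query versus a
parameterized query. Schema, rows and payloads are constructed for this
demo and are not from the original post or any real site."""
import sqlite3


def build_db():
    """Create a throwaway in-memory database with two hypothetical tables:
    public articles and a users table holding personal data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles (title) VALUES (?)", [("Welcome",), ("News",)]
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, title):
    """The bug: user input is pasted straight into the SQL text, so any
    quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT id, title FROM articles WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, title):
    """The fix: the query text is fixed and the input travels as a bound
    parameter, so it is compared as data and never parsed as SQL.
    (SQLite uses '?' placeholders; MySQL drivers such as PyMySQL use '%s',
    but the mechanism is the same.)"""
    return conn.execute(
        "SELECT id, title FROM articles WHERE title = ?", (title,)
    ).fetchall()


# Tautology payload: turns a one-row lookup into "match everything".
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"

# UNION payload: reads rows from an unrelated table with personal data and
# comments out the closing quote the application appends ("--" starts a
# SQL comment). This is how a "public" page leaks a user database.
UNION_PAYLOAD = "x' UNION SELECT username, email FROM users -- "


def main():
    conn = build_db()
    for name, payload in (("tautology", TAUTOLOGY_PAYLOAD), ("union", UNION_PAYLOAD)):
        print(f"[{name}] vulnerable -> {lookup_vulnerable(conn, payload)}")
        print(f"[{name}] safe       -> {lookup_safe(conn, payload)}")


if __name__ == "__main__":
    main()
```

Run it and the vulnerable lookup hands back every article for the tautology payload and both users' e-mail addresses for the UNION payload, while the parameterized lookup returns nothing for either, because it is looking for an article literally titled `x' OR '1'='1`. Automated scanners find this class of bug by sending exactly these kinds of payloads to every parameter of a site and watching for changed responses or SQL error text.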
Imperva, a data security firm, discovered a hacker is selling alleged access to military, government and educational sites across the globe. Prices range from $499 for U.S. military websites to $55 for MySQL root access to the State of Michigan website. Imperva's Rob Rachwald writes:
The hacker will also "hack a normal website," scan a site for vulnerabilities for $2 and give you 3MB of random hacked accounts for $65.
The victims' vulnerabilities were probably obtained by an automatic SQL injection vulnerability scanner and exploited in an automatic manner, ... the hacker published his methods in a post in some hacker forum. Brian Krebs asks, "Ready for Cyberwar?"
It's easy to overlook the more humdrum and persistent security threats, such as Web site vulnerabilities. But none of these distractions should excuse U.S. military leaders from making sure their Web sites aren't trivially hackable by script kiddies. But Pascal-Emmanuel Gobry seeks the crazy angle:
For example, the hacker is advertising full control and root access to cecom.army.mil, a site whose stated purpose is to "develop, acquire, provide and sustain world-class systems and Battle Command capabilities for the joint warfighter."
What's crazy about this is the brazenness of it all: the hacker basically put up an online storefront, like any e-commerce site, except instead of buying shoes and books, you're buying government sites. Meanwhile, Adrian Chen snarks it up:
Julian Assange finally knows how to spend all his Christmas money. And Finally... Magic Otter: The Translation
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: firstname.lastname@example.org.