Add the webpages for the Phoenix Mars Lander to the list of high-profile sites that have been hacked by script kiddies. Not once, but twice. Security pros had to take down the University of Arizona-hosted site after hackers replaced the lead blog entry with graffiti that read "hacked by VITAL." As if that wasn't enough, members …
Regardless of how vulnerable the site was to SQL injection
it is ultimately the responsibility of the morons who did this. Leaving my door unlocked may be foolish, but it doesn't make it okay for someone to walk in and wreck my stuff.
Come on guys, think bigger
Hack the freakin lander if you want to show true skillz. Use the arm to carve your tag in the martian soil.
Brad = WIN!
I'd love to see Mars get tagged!
Here hacker is being used incorrectly
That is because the terms script kiddie and hacker are being used together; that is an oxymoron.
And of course there is artistic license, because later we find the crackers are claiming to be hackers; but what do these script kiddies know, they could be claiming to be the love children of Turing and van Rossum, it does not make it true.
SQL injection is not hacking, and the security pros are not pros if they have claimed a site to be secure that is vulnerable to SQL injection.
As to the problem of SQL injection, well if you know your stuff it is not hard to stop it.
It is only set to get worse though, as more fuzzers start to come online.
Come on. We are talking script kiddies here. They have no real hacking ability. All they can do is leech off someone else's work then claim the "glory". But, as we all know, they are nothing more than spotty faced, socially challenged, unlikely to get laid nothings who can only get their jollies by waving their tiny, flaccid e-peens around as though they actually have a skill, instead of using some crap "toolkit" that they downloaded using mummy and daddy's credit card and probably ending up with their and their families' computers being rootkitted into the bargain.
The answer is...
Developers should use stored procedures and tell their db server not to serve up any other requests apart from SPs. That way it makes it impossible to execute a SQL injection attack. (Plus use the usual anti-scripting tactics - never let your guard down.)
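The property the comment above is reaching for, whether through stored procedures or any other mechanism, is that user input is bound as a value and never spliced into the statement text. The following added example (not code from the original thread or from the Phoenix site) shows the two styles side by side on a constructed SQLite blog table so the difference is visible on real queries: the concatenating version lets a crafted title clause rewrite the WHERE condition and expose an unpublished draft, while the parameterised version treats the same string as an ordinary title that matches nothing. The table, rows and function names are hypothetical.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory blog table standing in for a CMS backend.

    Hypothetical schema, not the Phoenix site's; one public post and one draft.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts (title, body, published) VALUES (?, ?, ?)",
        [
            ("Landing confirmed", "Phoenix has touched down.", 1),
            ("Draft: arm checkout", "Not yet public.", 0),
        ],
    )
    return conn


def find_posts_vulnerable(conn, title):
    """The 'before' pattern: the request value is pasted into the SQL text.

    Whatever the caller supplies becomes part of the statement, so quote
    characters and comment markers in it change what the query means.
    """
    sql = f"SELECT id, title FROM posts WHERE published = 1 AND title = '{title}'"
    return conn.execute(sql).fetchall()


def find_posts_safe(conn, title):
    """The hardened pattern: the value travels separately as a bound parameter.

    The statement structure is fixed at this line; the driver supplies the
    title as data, so it can only ever be compared, never parsed as SQL.
    """
    sql = "SELECT id, title FROM posts WHERE published = 1 AND title = ?"
    return conn.execute(sql, (title,)).fetchall()


def compare(conn, title):
    """Run both lookups on the same input and report what each exposed.

    Returns a dict with the rows each version produced and whether the
    vulnerable version leaked a row the published = 1 filter should hide.
    """
    vulnerable_rows = find_posts_vulnerable(conn, title)
    safe_rows = find_posts_safe(conn, title)
    leaked = [row for row in vulnerable_rows if row not in safe_rows]
    return {"vulnerable": vulnerable_rows, "safe": safe_rows, "leaked": leaked}


if __name__ == "__main__":
    db = make_db()
    for query in ("Landing confirmed", "x' OR 1=1 --"):
        print(repr(query), compare(db, query))
```

A stored procedure gives the same guarantee only as long as its body does not itself build dynamic SQL from its arguments; restricting the application account to executing procedures (or to the minimum grants a parameterised query needs) is the least-privilege layer that limits the damage when one of those mistakes does slip through.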
This isn't some shitbag corporation or filthy governmental oppression centre they're messing with, it's a scientific mission of importance to Humanity. They should tag the site and then send a patch to stop it happening again.
"Phoenix Mars website invaded by hackers"
"Take me to your Web-app developer"
Funny, good and funny. Another reason to love el Reg.
As for the script kiddies tagging the Martian soil, it's only a matter of time, right?
Why publish their tags?
The script kiddies almost certainly consider this article a bonus. Just miss out their pseudonyms to cancel that out. Better still, publish their true names and addresses.
They could have done much more
Imagine if they had an imagination and spoofed the site with news of a real live alien found on mars.
Such an opportunity wasted. HGWells they are not.
@ Anonymous Coward
Your analogy ("Leaving my door unlocked may be foolish, but it doesn't make it okay for someone to walk in and wreck my stuff.") doesn't quite work. The website is more like a sports centre, it is intended that people visit. This "visit" by the intruders is more like a bloke in cartoon burglar costume wandering around the changing room with a notice saying "How safe is your wallet? I walked through the staff entrance dressed like this unchallenged."
I wonder if www.airheads.org/daftslappper/colchesterhappyeater is as vulnerable
Reduce the chance of a drive by... use NoScript and firefox.
Firefox with Noscript extension... so, that would be Opera clean out of the box, then?
These kiddies really are poor "hackers" if all they did was tag the site.
If I had broken into the Phoenix site I would have changed the front page to announce that intelligent life had been found on the surface - then sat back and watched various news services embarrass themselves by publishing the info!
At the end of the day it's just not right, that's the problem today. Some people do not exhibit any form of self-consciousness and feel what they do is OK regardless of how it affects others.
They should be locked up and dealt with for many years, after several thousand have done this the message should then sink into their little script kiddie brains and act as a deterrent to others.
Mine's the one with the handcuffs
The answer is
Taint Mode, obviously.
AC, I'm afraid Reg readers generally would find that OK. It'd be your fault for leaving your door unlocked, and you'd deserve it. In fact, you shouldn't even be allowed to have a house by their standards. And going by the comments on this particular thread, even if you had secured your house as best you could, anyone breaking in would actually be their hero if he'd hand-crafted some burglary tools instead of picking up a brick someone else had made to break a window. Obviously, that particular window would have to have a dodgy alarm on it or whatever, to pre-empt smartarse comments about it not being totally secure etc. etc. Oh, and the guys here, were they criminally inclined, would of course have produced the materials for the tools themselves blah blah blah ...
Brilliant. Bang on.
I'd probably have told them that we were now at war with the unknown aliens, create a few fake transcripts - have a real giggle.
"Red is the color of the Martian surface, but it seems it also describes the faces of security pros responsible for the sites"
I fail to see how using NoScript and Firefox could have avoided this "hack".
The "hackers" themselves would need NoScript installed to prevent themselves from confusing AJAX into injecting SQL.
Silly Firefox fanboys...
Get Safari ;)
@AC re:Regardless again
Had to reread that as it is such a brilliant summary of expected comments.
Thanks for making me laugh.
@AC crApple fanboi
Running a browser that, without asking my permission, downloads files or blindly allows well known iframe hacks and whose designers can't be bothered to actually fix the problem ain't going to hunt.
But then again, what else do you expect from a company whose product sells pretty much because it is nothing more than eye candy. Why buy Mac when you can get more for less with a PC and Linux?
And if this browser is so good, why did crApple feel the need to forcibly and fraudulently install it on the computers in a failed attempt to boost its pathetic 1 to 2% market share. Somewhat ironic since crApple are claiming a 7%+ market share, which means that the vast majority of crApple users are installing Firefox rather than using Safari on its native platform. Speaks volumes.
Opera? Why install bloatware? I want a web browser to browse the web, not do email, etc. Bollox to application convergence. They are always a compromise.