US government investigators are probing breaches of two sensitive Army webservers by suspected Turkish hackers, according to a report by InformationWeek. One of the servers, located at the Army's McAlester Ammunition Plant in Oklahoma, was penetrated on January 26, according to the publication, which cited investigative records …
sophisticated Defense Department tools
"The hacks are troubling in that they appear to have rendered useless supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches. The department and its branches spend millions of dollars each year on pricey security and antivirus software and employ legions of experts to deploy and manage the tools"
No amount of tacked-on 'security' will secure 'webservers'. What is needed is embedded hardware providing a secure VPN and PKI infrastructure. That way you only have a single set of nodes to watch instead of multiple/differing Windows configurations. That way if a 'webservers' is vulnerable to an 'SQL injection attack', the hackers won't see it. Else you expend energy in futile solution such as above.
Security is a top priority?
SQL injection, seriously?
Why don't government paid programmers by now know about SQL injection and the wonderful news that they've been solved by meticulously using bind variables and character escaping. There are even tools to help detect these automatically.
Priority is a joke when good programmers cannot find meaningful work. Even if the US government itself is not low balling it's contracts (probably the opposite), the companies it's contracting through care more about cutting employee wages than producing a quality product.
Heck, the gov should give me a one of those contracts.
Insert XKCD comic concerning input sanitation.
Hmmm. Kingdom of Heaven
I for one am fairly glad that the MoD and their counterparts over the pond can't be arsed with such trivialities. I nearly piss myself laughing several times a week reading how these murderous wasters have been undone and found with heads up their own arses because they were discovered to be not f*cking omnipotent.
The sooner the infernal military machines are decommissioned and put out to grass, the better for all of us. What a waste of money never mind life.
Look for proper IT work, like securing public websites and we'll all sleep better at night.
Army loves it
I do think that the army likes to have these things to report. It's part of their plan to get more funding for "cyberwar".
I'm sorry but...
Given the resources that the US government has, there's absolutely NO excuse for crap like this, especially as related to the DoD. If people have legitimate reason to access their servers, they should be given a client that makes use of either a short term certificate or an inexpensive token.
It's one thing to have publically available web servers, for people who wish to learn more about the military; but for vendors, contractors, and military personnel, every connection should be secured via VPN and the semi-trusted network should be restricted through a series of firewalls and terminal servers that might be allowed to VPN in to more deeply secured networks.
Fock, that's just sloppy on the DoD's part!
*NOW* I see the problem
"used a technique called SQL injection to exploit a security vulnerability in Microsoft's SQL Server database "
ahh .. Windows.
the trouble with trying to find out what went wrong on a windows server is not finding a hole they climbed in through .. but more which of the many holes was it.
turkish - so what?
The fact that these hackers apparently hail from (or at least have been tracked to) Turkey seems to be a rather prominent part of this story - as reported by El Reg and most other places I've seen it.
This seems to have prompted quite a xenophobic backlash amongst the redneck brigade. I've even seen one (frequently balanced and sane) webcast Buzz-ing out loud about 'they' hacked 'us', shouldn't 'we' hack 'them' back?
Face it. Hackers are hackers. Unless someone is suggesting this was state-sponsored (which even the most rabid yee-ha! types aren't - yet) then the nationality of the hackers is irrelevant, as would be their gender, religious inclinations, sexual preferences, eye colour or politics.
However, what's worse is that a lot of otherwise technically competent people still haven't got it. Hacking (with the above exception of state sponsored, or industrial / commercial espionage) is an asymmetrical activity: those who have, get hacked by those who haven't. So the whole idea of retribution makes no sense. How exactly would the american military exact revenge - apart from a grossly misguided attempt to enforce military brutality? Maybe find these guys' parents and have their pocket money stopped?
Islamic Terrorists, Eco Terrorists, Red Communists Aligning?
"Turkey-based collective known as "m0sted" and caused people attempting to access the site to be redirected to a webpage protesting climate change."
"in September 2007... They sent site visitors to m0sted.com, which at the time contained anti-American and anti-Israeli rhetoric"
U.N. official attack, whose home nation has been under antagonistic military & nuclear weapons pressure by Red Communist neighbor - http://world.commongate.com/post/United_Nations_website_breached_by_hackers/
Eco Terrorists, Islamic Terrorists, and Red Communists are aligning?
A relationship of convenience?
Hahahahahahahah @ US Army Twonks
it soap opera?
Could it be that we're all living in such a bubble? All these it security breaches are merely cliff-hangers for the next episode? none of it is real? It all seems too unbelievable otherwise.
Mines the one with the bar of carbolic in the pocket, ta.
RE: turkish - so what?
I'm glad I'm not the only one who thought that.
Surely a more truthful title would be "Unknown Individuals Embarrass Hired Killers" with a subheading "Probably random kids, maybe from Turkey."?