Feeds

back to article Hacker sinks Royal Navy website

The Royal Navy's main website has been taken offline following claims by a Romanian hacker that he broke into the site, swiping the login credentials of administrators in the process. The hacker, TinKode, posted information on the web to support his claim to have penetrated the site, www.royalnavy.mod.uk. Royal Navy website is …

COMMENTS

This topic is closed for new posts.
N2
Bronze badge

Nice to see

We get value for money from the £500m spent on 'cyber defences'

7
0

As Zaphod would say...

Ten out of ten for style, but minus several million for good thinking, yeah?

0
0
Joke

French

What, we thought the French were doing that bit.

Nope Brussels say it's us.

Not the French

No.

Can we blame them anyway?

1
0
Joke

Ohhhh yes.

"his claim to have penetrated the site"

That would seem to be in accordance with Churchill's view of Naval tradition then.

2
0

Invalid HTML

Even the 'maintanance' page has an error:

<html>

<centre><img src="navysitedown.gif" alt=""/></centre>

<?html>

(that's the entire page)

Aside from the lack of a <body> and other WTFery, the closing tag has a '?' in it!

3
0
FAIL

And...

Good to see good old patriotic spelling of center in there as well :)

0
0
WTF?

Good to know

that the MOD are on top of technology eh?

0
0
Silver badge
Happy

Oh my

Interesting <centre> element, too... British spelling is not recognized by my Firefox.

0
0
Silver badge
Pint

Most probably...

To indicate their level of knowledge: ?html - html, what's that? It's one of those PROGRAMMING LANGUAGES, right?

0
0
FAIL

Muphry's law

Of course, I meant 'maintenance' page...

0
0
FAIL

Comical.

Oh dear, oh dear, oh dear. That really is quite special.

I particularly like <centre> vice <center>, going to the effort of specifying the alt attribute only to leave it blank and the particularly comical 'lightbox effect' on the error message cum GIF-from-hell (score one for accessibility there). Unless I'm very much mistaken, it was achieved with MS Paint - that god-awful dithering is always a give away.

I plugged it into the W3C's validator for giggles expecting it to implode but alas it only found eight things to complain about. Still, for 70 bytes of code, that's pretty impressive.

2
0
Anonymous Coward

(untitled)

That's what you get for using some random WYSIWYG editor. No human would have included blank alt tags.

0
0
FAIL

Words fail me...

They listened to the comments and changed the element to <centre>

Now it displays on the left of the page.....

The <?html> is still there though!

0
0

Re:(untitled)

While I agree that no SANE human would have included blank alt tags, no WYSIWYG editor is going to use an incorrectly spelled center tag, nor would it fail to include massive header and body entries.

So alas, it seems someone really did type that website up in their local text editor and slapped it on the net without so much as a sanity check or checking for inconsistencies.

0
1

correct me if I'm wrong

But if you're coding in XHTML then alt tags are required in images - and if the image is purely a design element then you are SUPPOSED to use a blank alt tag.

Granted - neither case applies in this case ;)

1
0
Headmaster

Not "British Spelling"

You mean "English spelling", as in, that is how it's used in England. Britain is comprised of more than one country and its inhabitants speak more than one language.

0
0
FAIL

Accessibility 101

Actually a human would create a blank alt tag if the image was purely presentational and conveyed no information.

A blank alt tags tells a screen reader or other similiar user agent that there is an image here but the user doesn't need to know about it because it's just presentation. If you don't put an alt tag on a presentational image then depending on the user agent it will 'interpret' (read guess) what to do.

Having a user agent guess at what to do is always bad for accessibility. It could be programmed to read out the file name, which could be confusing for the user or embarasing, if your HTML guy likes to name the images with stupid names.

Remember always put an alt tag on an image even if it is blank. The blankness has information...

0
0
FAIL

Re: Accessibility 101

"Actually a human would create a blank alt tag if the image was purely presentational and conveyed no information."

Except the image we're talking about DID convey information. In fact, it was (is still) the *only* element of the document conveying that the site is down for maintenance (not even a <title> element). The text shown in the article screenshot was part of the image, not imposed over it!

It seems to have been improved a bit now but it still doesn't quite work :)

0
0
Joke

Jackspeak

It's actually a (Captain) Jack Sparrow Turing Machine for converting to/from the language known as Keefeze.

AC because thats one shit joke.

0
0
Thumb Down

How ...

In God's Name is this sort of shit even still possible? Where do they find the people to code these sites?

I'm astounded.

2
0
Coat

They get them drunk round down the pub

when they wake up, they're a Navy coder...

(mine's the one with the cosh in the pocket)

0
0
Silver badge
WTF?

And since when is "centre" a tag?

I realize that's the standard English spelling, but as far as I know it's never been an HTML tag. Even <center> is only barely right by current web standards.

At least the got the alt tag in there to make it accessible to the blind.

1
0

Deja vu all over again...

"It's very unlikely that any confidential much yet secret material was kept on a public facing website"

Right, because that never happens....

Any bets on how long it takes before email 'backups' containing the current location of the on-patrol Vanguard hit the torrents?

0
0

Navy website taken off line

Causing millions of pounds of improvements in operational efficiency.

1
0
Pirate

Uh-oh...

Lemme guess ... this site was part of the "Windows for Warships" upgrade? If this can happen to the RN's site, imagine what a WiFi-toting pirate can do to the warships at sea...

ARRRR!!!!! Shiver your timbers!!!!

0
0

Re: Invalid HTML

Also, using <center> in 2010 is pretty embarrassing. And then spelling it wrong (should be spelt "center") isn't great either!

1
0
Grenade

Navy wimps

They just put up a 'maintenance' page?

WTF do they have all those cruise missiles for, if not to deal with lowlives like TinCock or whatever he calls himself?

0
0
Flame

Yeah A Cruise Missile Will Do

...and the target coordinates are somewhere in in Whitehall. It should be "Headquarters, Naval Training and Education Command".

Alternatively, "HQ, Royal Radio Corps", "HQ, Royal Engineers".

First they have an SQL insertion weakness and then they can't even do proper HTML. Any more words needed ? The leadership needs to go here.

0
0
Silver badge
Pint

So when do they propose extraditing the offender and keel-hauling him?

If this had happened to a Pentagon website, again, they would be screaming terrorism, loss of secrets, etc. and demanding the alleged whiz behind this attack be handed over immediately.

Won't happen because Romania has balls and would tell them to get stuffed.< www.sheepscreek.com/recipe.html > unlike a certain island nation we know of..

5
0
Gold badge
WTF?

Gosh, you mean.....

......the Navy's public-facing PR website containing no secret data is not as secure or well built as their operational systems?

<Extremely heavy sarcasm>

My, I am surprised. This is a disaster and no mistake.

</Extremely heavy sarcasm>

0
0
Troll

Me thinks

You do protest to much with sarcam, so it's OK that a web site that should have security as its top priority was hacked? Gives me full confidence.

0
0
Pint

+5 / -5

Allow me to be the first to congratulate you on the headline, that's fab.

As for the coder of the maintenance page - I have word that he was recently transferred to the post, following early completion of his duties as captain of the HMS Astute (a nuclear submarine recently attacked by a small island off the coast of Scotland).

0
0
Thumb Down

All other pages..

... return a 404: http://www.royalnavy.mod.uk/helicopter-warfare

Shoddy site management in anyone's books... a 503 - Service Temporarily Unavailable header should be returned, unless they want to mess up with their indexing within search engines.

0
0
FAIL

I don't know what is more worrying ...

The thought that they would fall victim to a trivial SQL injection that could have been cooked up by any 13 year old kid .... (lets be honest, it basically boils down to typing something extra into the address bar on your browser .. hardly a massively sophisticated and unexpected attack vector)

Or .. is it that the website is the public facing side of the navy, and as is contains no secret data, no defence inplications and no security risks ... ddoes it matter that it was not very secure and hacked with a few kestrokes into a webbrowser ...

Or ... is the REALLY worrying thing that the "secret stuff" thats not exposed to the web actually MORE insecure, and the shambolic coding standards on the public facing website are actually hardened and tougher than the internal backend systems defending our country ????

0
0

swiping the login credentials of administrators

Really? They store their passwords in the DB? Somewhat worse than writing crap HTML. If its true.

0
0
Flame

Meanwhile, back in the real world...

A village in Romania is about to take delivery of several Royal Navy Tomahawk cruise missiles....

0
0
FAIL

Meanwhile, back in the real world, #2

..the RN had their pants down until 16:40 German time. I am sure other navies a deeply impressed by British Cyber Capabilities.

The Romanian guy is already busy defacing something else via TOR and these muppets will never catch him.

The current state is:

"<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

<title>Royal Navy</title>

</head>

<body>

<div><img src="navysitedown.gif" alt="A screenshot of the Royal Navy homepage" title="Royal Navy site down for essential maintenance"/></div>

</body>

</html>"

0
0
Flame

If the Royal Muppets (RM) Had A Cyper Capability

..a colonel who can write& debug 20000 lines of C++ code would have handled the situation. Logs would have been analyzed by an ad-hoc team of PHP/.net/Java (whatever kludge they use for content mgmt) programmers.

The weakness would be found in less than 1 hour by just analyzing logs and re-running the evil requests and debugging the CMS. If required, the colonel would call Cheltenham and have them look at it, too.

The senior NCO who is the webmaster would have had a simple text file as the index.html saying "due to service, currently offline. webmaster". That would have saved that html embarrassment.

All would be up and running again. They certainly would log in a secure manner. The Evil Romanian Hacker would not be able to erase logs.

But I guess the muppets currently download the latest version of their CMS from sourceforge and hope for the best. Everything runs as root. Or as "Adminstrator" ??

0
0
Grenade

Beer + Missile Guidence Code = ....

I used to work with a C programmer who'd worked on missile guidance systems for the MOD.

Given that this bloke was fond of large amounts of beer at lunchtime then (just as he is now) its perhaps no wonder there is so much "collateral damage" in modern warfare.

0
0
This topic is closed for new posts.