How zombie LulzSec exposed privates' love lives with PHP hack

A dating website for US soldiers was hacked and its database leaked after it blindly trusted user-submitted files, according to an analysis by security firm Imperva. The report highlights the danger of handling documents uploaded to web apps. "LulzSec Reborn" hacktivists attacked MilitarySingles.com and disclosed sensitive …

COMMENTS

This topic is closed for new posts.
  1. Gordon 10

    One hopes

    That members of scumsec are outed and run into some of their victims down a dark alley.....

  2. honkhonk34

    Here we go

    ...again..

  3. Anonymous Coward

    did they do this again?

    I thought this was weeks ago.

    1. Dotter

      Re: did they do this again?

      Yeah, it was. This is a separate analysis by a security firm.

      1. Anonymous Coward

        Re: Re: did they do this again?

        Oh, Imperva must have published it to partners prior to releasing it to the world...Or I could simply be wrong again.

  4. Old Handle

    Interesting trick

    I'm sure it's not original, but I've never heard of that particular technique before.

  5. Anonymous Electronic Warfare

    And now, how to do it properly

    ..some real advice on how to properly secure a password-based system:

    A) Store all usernames and passwords on an entirely different machine and an entirely different database. The "credentials" server will only handle authentication requests through a well-defined (proper grammar), simple TCP interface. All other services including X11, ping and so on will be disabled on this server. The server will be completely firewalled except for that specific port.

    Application code will query this server for authentication purposes via a TCP socket and will then proceed to do the usual SQL against the "app" database.

    B) Store a "retry counter" along with the password hash and lock the account for half an hour after five bad attempts. Lock for a day after 15 wrong attempts.

    Then even passwords such as "apple15" will be quite secure.

    1. Daniel B.

      Even simpler

      Set up an LDAP server in said separate box. Make the app auth against that, and set up all lockout policies on the LDAP server.

      Poof! Done! Easy as cake.

    2. Anonymous Coward

      Re: And now, how to do it properly

      If only there were some sort of system which did this? NDS, AD, LDAP, etc.

      It seems to be a trait in developers to develop solutions to problems which have already been solved, in a much better, more functional way, by specialists in the subject. I speak as someone who specifies code to be created by developers for a reporting product. It is incredible the number of times that we get problems in the report and the developers' solution is to just hack some script together, rather than ask the subject matter expert for a proper programmatic solution.
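The scheme sketched in post 5 (a separate credentials box that only answers a narrowly defined request, a retry counter stored beside the password hash, a half-hour lock after five bad attempts and a day after fifteen), as an added Python example. This is not code from the article, from Imperva or from any commenter. The in-memory store stands in for the separate server, the `VERIFY <user> <password>` line grammar and the PBKDF2 round count are assumptions, and `now` is passed in rather than read from the clock so the lockout timing can be exercised offline.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

LOCK_AFTER_5 = 30 * 60         # half an hour after five bad attempts (from the post)
LOCK_AFTER_15 = 24 * 60 * 60   # one day after fifteen bad attempts (from the post)
PBKDF2_ROUNDS = 100_000        # assumption; tune to the hardware the credentials box runs on


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    failures: int = 0          # the "retry counter" kept next to the hash
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class CredentialStore:
    """Stand-in for the separate credentials server: it can enroll and verify, nothing else."""

    def __init__(self) -> None:
        self._users: Dict[str, Credential] = {}

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = Credential(salt, _hash(password, salt))

    def verify(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'bad' or 'locked'. `now` is injected so the lockout clock is testable."""
        cred = self._users.get(username)
        if cred is None:
            _hash(password, b"\x00" * 16)   # same cost as a real check, so timing does not reveal valid names
            return "bad"
        if now < cred.locked_until:
            return "locked"                  # no hashing and no counter change while locked
        if hmac.compare_digest(_hash(password, cred.salt), cred.digest):
            cred.failures = 0
            return "ok"
        cred.failures += 1
        if cred.failures >= 15:
            cred.locked_until = now + LOCK_AFTER_15
        elif cred.failures >= 5:
            cred.locked_until = now + LOCK_AFTER_5
        return "bad"


def handle_line(store: CredentialStore, line: str, now: float) -> str:
    """The only grammar the socket accepts: 'VERIFY <user> <password>' with space-free tokens.
    Anything else is ERR; the application server never gets SQL access to this store."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or parts[0] != "VERIFY" or not parts[1] or not parts[2]:
        return "ERR"
    return store.verify(parts[1], parts[2], now).upper()
```

The point of `handle_line` is that the application side can only ask one question and get one of three answers; a compromised web tier cannot dump the hashes because there is no request in the grammar that returns them. A real deployment would length-prefix or encode the fields so passwords containing spaces work, and would persist the store rather than hold it in a dict.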

  6. Matthew Anderson

    @The crew is apparently "not as motivated" as the original LulzSec, according to Rachwald, adding that it has made little or no contribution to IRC chats and hacker forums.

    So in other words they are making an attempt not to get caught, unlike the other fools? Stay low, do your business, get out safely.

    1. Destroy All Monsters

      They also confused "embarrassing the military" with "annoying singles"

      1. Anonymous Coward

        @Destroy all monsters

        Not only that, but annoying singles, who have time on their hands, who have also been organised into a team and trained to kill.

  7. Trygve Henriksen

    Deathwish?

    These morons hacked a dating site for soldiers?

    Sure, piss off people not just trained in weapons use, but with easy access to them, also.

    And you can bet there are some 'specialists' among them.

    'Signal analysts', 'surveillance' and so on...

    1. Anonymous Coward

      Re: Deathwish?

      "...Imperva's analysis suggests the group has no more than six members..."

      Probably safe from attack then. The US military prefers better odds than that.

    2. Pascal Monett

      Re: Deathwish?

      I agree: leave the soldiers alone!

      They're already in the line of fire on a daily basis, no need to add to their misery.

      Besides, antagonizing them is a really stupid idea. Not only does a soldier have access to way more firepower than any script kiddie will ever get in his wildest dreams, but said soldier also has training that would make a script kiddie drop dead from exhaustion just thinking about it, and a group of well-trained, dedicated and loyal buddies to guard _his_ back while he plans to hit the aforementioned skiddie when the lump of blubber is least expecting it - like 24/7 actually.

      So yeah, you want to antagonize the military? How about hacking into the confidential files of a general-rank guy, instead of targeting the rank and file. I guarantee that you'll get a much quicker reaction that way, and much greater exposure.

      Of course, said exposure just might be to the 2500°C blast (number drawn out of thin air) from a smart bomb, but hey, you never specified what kind of exposure you wanted, right?

  8. Peter Murphy

    User generated code - the new generation of fail.

    Let's look at the article again:

    Hackers uploaded a PHP file that posed as a harmless text document and then commandeered the web server to cough up the contents of its user and a hashed password database.

    How should that be even possible? The story isn't really "the danger of handling documents uploaded to web apps". Dangers ahoy there are, but that's not the real WTF here.

    The problem is that here there's no separation between code and data in the environment, which is bloody stupid. Scripts should only be run by the webserver in the directories that are assigned to code, and uploads should only go to directories that are assigned to data. Moreover, these directories should be completely distinct. If you mix the two, you are asking for trouble.

    (And if the language or framework makes it hard to separate the two, I suggest using a new language or framework.)
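Post 8's separation of code and data, as an added Python example of the upload side of a web app: uploads are written to a directory the web server only ever serves as data, under a name the server chooses, after the content has been checked against what the client claimed it was. This is not code from the article, from Imperva, from MilitarySingles.com or from any commenter. The directory paths, the accepted types and the scan for PHP open tags are assumptions; the scan is defence in depth, and the control that matters is that the upload directory is never inside the document root, so a PHP file "posing as a harmless text document" could at worst be downloaded, never executed.

```python
import os
import secrets
from pathlib import Path
from typing import Optional

# Hypothetical layout: code under the document root, uploads outside it.
DOC_ROOT = Path("/var/www/html")
UPLOAD_DIR = Path("/srv/app/uploads")

# Types this app accepts, keyed by the client-declared Content-Type, mapped to the
# extension the server assigns itself. The uploader's filename is never used.
ALLOWED_TYPES = {"text/plain": ".txt", "image/png": ".png", "application/pdf": ".pdf"}


class UploadRejected(ValueError):
    pass


def sniff_type(data: bytes) -> Optional[str]:
    """Classify by content, not by the name or MIME type the uploader supplied."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"%PDF-"):
        return "application/pdf"
    if b"\x00" in data:
        return None
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return "text/plain"


def looks_like_server_script(data: bytes) -> bool:
    """Defence in depth: a 'text' upload carrying a PHP open tag is not what it claims to be."""
    low = data.lower()
    return b"<?php" in low or b"<?=" in low


def store_upload(data: bytes, declared_type: str,
                 upload_dir: Path = UPLOAD_DIR, doc_root: Path = DOC_ROOT) -> Path:
    """Validate and store one upload; return the server-side path (never exposed to clients)."""
    if declared_type not in ALLOWED_TYPES:
        raise UploadRejected("type not accepted: %s" % declared_type)
    actual = sniff_type(data)
    if actual != declared_type:
        raise UploadRejected("content is %s, not %s" % (actual, declared_type))
    if actual == "text/plain" and looks_like_server_script(data):
        raise UploadRejected("text upload contains server-side script tags")

    # The real control: refuse to run at all if uploads would land where scripts execute.
    upload_dir = upload_dir.resolve()
    doc_root = doc_root.resolve()
    if upload_dir == doc_root or doc_root in upload_dir.parents:
        raise RuntimeError("upload directory must not be under the document root")

    # Server-chosen name: random, with an extension derived from the verified type.
    dest = upload_dir / (secrets.token_hex(16) + ALLOWED_TYPES[actual])
    # O_EXCL so nothing is clobbered; 0o600 so the file is not executable and only the app reads it.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest
```

Serving an upload back is then a separate download handler that reads from `UPLOAD_DIR`, sets its own Content-Type from the stored extension and adds `Content-Disposition: attachment`; the web server's own directory handling, and whatever script engine it runs, never see the file.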

  9. Anonymous Coward

    A social works program

    Don't be fooled by the Antisec drama. These folks are good samaritans helping to create a social work program for the unemployed by building new prisons to house hackers. Antisec members prefer three hots and a cot over their freedom. They are a giving lot.
