MoD contractor hacked, 831 members of defence community exposed

Up to 831 members of Britain's defence community with high-level security clearances had their personally identifying information stolen when the Ministry of Defence's business networking organisation was hacked, The Register has learned. Although heavily redacted in places, correspondence between the MoD and Niteworks— …

  1. Anonymous Coward
    Anonymous Coward

    Niteworks = money for old rope. It consists of Primes being paid a mint to inform the MOD what they need to buy from the Primes.

    As a consortium they have the lowest CQ (Consultancy Quotient (1)) I've seen in a long time.

    CQ = Quality of 'research' / Daily rate

    AC as I've seen em in action...

    1. Anonymous Coward
      Joke

      "AC"

      You presume "AC"? :P

      1. Anonymous Coward
        Anonymous Coward

        Re: "AC"

        I believe I'm safe from any repercussions by Niteworks! They'd want £250k to scope the study before engaging in action...

        1. wolfetone Silver badge

          Re: "AC"

          "I believe I'm safe from any repercussions by Niteworks! They'd want £250k to scope the study before engaging in action..."

          First rule of the internet: Don't trust it.

  2. frank ly

    I assume that anyone who was registered with such a sensitive site would use a false username, a unique password and access it via the Tor network.

    1. Anonymous Coward
      Anonymous Coward

      Logging into anything via Tor is a bit risky, as you can never tell who's running the exit node. It's good for drilling stuff past your ISP, good for masking your IP from the end site; but less good for logging into things, as the exit node makes an ideal MITM station. Even if there's SSL/TLS; the exit node is in a good position to exploit any flaws it can find in the comms; or even save stuff wholesale for later attempts at brute-forcing.

      1. e^iπ+1=0

        Exit node

        "you can never tell who's running the exit node"

        You can if you choose an exit node you know.

  3. Anonymous Coward
    Anonymous Coward

    Good, now can someone explain to these politicians that this is exactly how weak encryption keys will end up being lifted exposing the entire population's online activity to the same scumbags who are responsible for this.

    1. SkippyBing

      'the same scumbags who are responsible for this.' What? Niteworks?

  4. Anonymous Coward
    Anonymous Coward

    @ "Up to 831 members of Britain's defence community with high-level security clearances had their personally identifying information stolen when the Ministry of Defence's business networking organisation was hacked, The Register has learned."

    Only criminals need privacy? It seems lots of people do!

    @"Among the flurry of emails sent in response to the attack, one exchange between Niteworks and the MoD encouraged individuals to be careful before answering phone calls or emails on the topic."

    Niteworks sounds like they should use PGP phones more, you never know who might be listening in! I know a company that makes secure phones in the Netherlands,... oh wait... some backdoor lobbying of the Dutch police seems to have happened, and they've gone and attacked their only trusted domestic producer of secure phones.

    Never mind.... you'll have to talk in whispers to one another.

    1. Alan Brown Silver badge

      Pgp phones

      In the absence of a full pgp phone you could try out redphone instead.

      Crypto is a bit like whack-a-mole in that respect.

    2. Alan Brown Silver badge

      Pgp phones

      In the absence of pgp phones you could always install Redphone.

      Crypto is a lot like whack-a-mole in that respect....

      1. Anonymous Coward
        Anonymous Coward

        Re: Pgp phones

        *pops up* Crypto is a lot like whack-a-mole in that respect.... *disappears down hole*

  5. Keith Glass
    Mushroom

    Yawn. . . .

    . . . .try being one of us 21 million Yanks who had our entire security files hacked, and allegedly in the hands of the Chinese. I work cleared stuff (and frankly, it's a bit boring) and have to do a rather comprehensive data dump every 5 years, **but** my wife and kids ALSO got affected. So I suspect the details of the families of the 831 ALSO got compromised.

    And, Gee, Uncle Sam gave each of us a bargain-basement identity-watching service for a few years as compensation. No remediation, mind you, just notification. . . on a once-a-month basis. . .

    1. Anonymous Coward
      Anonymous Coward

      Re: Yawn. . . .

      Must admit, OPM has out-fucked-up everyone else to date by a wide margin. But this is only an early attempt; and I have faith that UK Gov can produce a truly catastrophic blunder if they try. Possibly with the NHS; or maybe everyone's surfing history if May gets her way...

      1. Keith Glass

        Re: Yawn. . . .

        You may have quite the hurdle to jump. After all, they hacked the Obamacare website too. I have some colleagues who worked that program, usually referred to as "the resume stain"..

        THOSE are some epic tales of .gov-directed fail, over-riding engineers for political reasons, , ,

      2. Anonymous Coward
        Anonymous Coward

        Re: Yawn. . . .

        @moiety

        Quote: "I have faith that UK Gov can produce a truly catastrophic blunder if they try"

        1. Absolutely correct....but how do you know that there have not been MULTIPLE "catastrophic blunders" already????

        2. And as for Theresa May....well....she is clearly determined to re-build the STASI, but in the UK and in 2016 -- and she and her colleagues in government and in the so called civil service are clearly determined to keep us all in the dark about what's going on (see item 1).

    2. BigHairyAl

      Re: Yawn. . . .

      21 million Yanks had their entire security files hacked, and allegedly in the hands of the Chinese ?

      By that I presume that it was given away by Apple to the Chinese, as they did with all my email accounts to every "cold calling" Tom, Dick and Harry, the minute I owned an iPhone . . .

  6. Anonymous Coward
    Anonymous Coward

    Back in the day

    When the primary source of IT news was NFN - a contractor reported that he had discovered on an MOD site an early MySQL database with no password and the details of about 15000 contractors. So he told the MOD...who threatened him with prosecution for looking at it.

    Rien ne change pas.

  7. Semtex451
    Pint

    Whoever came up with the idea to use that Dads Army pic - is a genius.

    1. Alexander J. Martin
      Pint

      Happy POETS Day!

    2. Anonymous Coward
      Anonymous Coward

      Whoever came up with the idea to use that Dads Army pic - is a genius.

      While I was very taken by the image, I feel bound to say that The Homeguard rarely appeared as incompetent or as venal as the organisation under discussion.

  8. Anonymous Coward
    Anonymous Coward

    My organisation has tarted me out to Niteworks several times over the last few years - I get a lot more spam than I used to (and I don't just mean your traditional Nigerian Prince type stuff, I mean invitations to obscure defence and science related conferences - often in China - could be purely coincidental of course...)

    Anonymous because, well, my employers quite like me working on Niteworks contracts...

  9. Anonymous Coward
    Anonymous Coward

    Black-ops?

    A casual read of Niteworks web-site makes it clear they do black-ops for the MoD, allowing the Minister plausible deniability over how chinless-wonders at Main Building have squandered ££B

    1. Anonymous Coward
      Anonymous Coward

      Re: Black-ops?

      Not black. Dark grey. But financially they do seem to drain a great deal for relatively simple jobs.

    2. amanfromMars 1 Silver badge

      Bastard Black-ops Arenas ..... a Wholly New Thundering Ball Game with/for Global Operating Devices

      The Deep and Dark Web[s] are the new Black-ops Theatres of Engagement, JJC, .... and AILOVE*child with Minds of ITs Own.

      But beware and be aware of the adage ..... "Step into my parlour", said the spider to the fly and the phish to the trojan.

      (and I don't just mean your traditional Nigerian Prince type stuff, I mean invitations to obscure defence and science related conferences - often in China - could be purely coincidental of course...) ... AC

      An all expenses paid and prepaid invitation would not be purely coincidental of course. Such would surely indicate a deep engaging desire to network at higher levels/darker depths and be quite an opportunity to boot. :-) Nothing ventured, nothing gained, springs to mind, and they [the Chinese] do have trillions of dollars to spend and launder ..... turning dumb flash cash into valuable SMARTR Intellectual Property ...... although that AIMagic Trick and Track is a Holy Grail for any and all SCADA systems and collapsing elite executive office administrations verging on receivership and battling against hostile takeover and radical makeover, and a real bargain no matter what the cost price.

      *Advanced IntelAIgent Live Operational Virtual Environment

  10. Chris G

    Herbal?

    Interesting thing! I Googled Niteworks and top of the list was this; http://catalog.herbalife.com/Catalog/en-US/Targeted-Nutrition/Heart-Health/Niteworks

    A US Herbal remedies company, the Hack wasn't somebody looking for herbal tea to help them sleep/stay awake/ go to the loo more regularly? They just opened the page and signed up for herbal updates and got 800+ weapons makers instead of funny smelling tea bags.

  11. 8Ace

    Sorry !

    I look at the headline picture and I just smile, nothing to do with the article at all, some things just make you smile

  12. Tomato42
    Trollface

    "Cyber"

    No wonder they were hacked to death. They are experts in "cyber hacking", while they were brought down by garden variety "computer security" shortcomings.

  13. David Roberts

    Undeliverable emails?

    One thing that occasionally winds me up are the sites which insist on an email address on sign up (or form submission) but never use it to authenticate the user.

    [I happen to have a very short and guessable email address, which is sometimes used by techie numpties as a test address because "it is kewel" without any thought that almost any short address they can think of has probably already been registered. But I digress. ]

    So are we saying that they never validated the email addresses, or that they were blocked after initial validation? Over a third of all registered users?

    I would like to think that this was a sign of security awareness in the users - only use an address that wasn't valid after registration or block the compromised site's email domain as soon as word got out, however I feel that I might be being too generous.

    1. Bloakey1

      Re: Undeliverable emails?

      Oh my God!

      Are you winky@wong.com ? I apologise old chap as I have been using that one for years and never thought of the problems that might be encountered down stream.

      I am surprised it is only 831 members but with current cuts that is possibly all of the Royal Navy. I suppose with those details they can now go off and spread their wings with other attacks based on the details of those users.

    2. Alan Brown Silver badge

      Re: Undeliverable emails?

      "I happen to have a very short and guessable email address"

      You don't get as much mail as twelve@monkeys.com does. The admin of that domain has blogged about the load for years.

      There is a standardised test address by the way: email@example.com (which is also what should be used in documentation. It's guaranteed undeliverable)

      1. BigHairyAl

        Re: Undeliverable emails?

        What would be the point of using a test address that is undeliverable ? ? ?

        I know IT types are pretty obtuse, but surely the point of a test email is to ensure one of two things (a) that you are transmitting the data and (b) that it is being received . . .

  14. alpine

    An MoD network forum. On the INTERNET? Were they mad?

  15. Mephistro
    Devil

    "Of those emails, 355 were 'returned as undeliverable'..."

    Are they totally sure it wasn't the anti-spam filters blocking the delivery?

    ;-)

  16. Stevie

    Bah!

    Not getting why entire credential file wasn't encrypted, userids 'n' orl.
