That Cyber Thing – Royal Navy Hacked

cyber

It’s bad enough for the Royal Navy that memories of matelots and their iPods are still fresh, accidentally invading Spain, the Astute being pranged by the very tug that came to rescue her, an aircraft carrier with no aircraft and the indignity of sharing ships with the bloody Frenchies, it seems the bad luck keeps stacking up.

A Romanian network security enthusiast has claimed to have compromised the Royal Navy website at http://www.royalnavy.mod.uk/

The site is currently down for maintenance with nothing but a screenshot being displayed

The alleged compromise has been carried out by someone who goes by the online handle of ‘TinKode’ and claims to have used SQL injection techniques to gain access. TinKode’s blog offers this information and the Twitter feed simply links back to the original post.

==[ Author  : TinKode
==[ WebSite : InSecurity.Ro
==[ Date    : 05.11.2010
==[ Hour    : 22:55 PM
==[ Target  : www.royalnavy.mod.uk
==[ Document: Minister_Of_Defence_UK.txt
==[ Method  : SQL Injection
==[ HackTXT : http://pastebin.com/raw.php?i=M2MUEdv4

The vulnerable URL is not disclosed but the hack text link shows a list of technical information including web server type, operating system and IP address.

It also shows a list of tables, administration usernames and passwords for the Global Ops and JackSpeak sections. The Jack Speak section is a blog (highlighted in our recent post on MoD websites) that would appear to use WordPress. Lazy arse bloggers like me sometimes leave the default admin user name active but a professionally run site would normally remove this as a day 1 page 1 security activity. Incredibly, it seems to have still been active.

The Jackspeak blog would also appear to have a user called jonathonband, wonder who that might be?

If it is Admiral Sir Jonathon Band then that would be another golden rule broken, the rule that says when the user leaves, so do their user login credentials.

We shouldn’t get overheated about this, its most unlikely that there is a route to the launch system for Trident from the public-facing website but it’s more than a touch embarrassing!

It is also worth noting how much money we spend on MoD websites, some answers here and here

No doubt there will be much behind the scenes activity to harden every single MoD website and one must expect there to be several ‘interviews sans coffee‘ on Monday morning!

H/T Galrahn at Information Dissemination

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on pinterest
Pinterest
4 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments