That Cyber Thing – Royal Navy Hacked

It’s bad enough for the Royal Navy that memories of matelots and their iPods are still fresh, accidentally invading Spain, the Astute being pranged by the very tug that came to rescue her, an aircraft carrier with no aircraft and the indignity of sharing ships with the bloody Frenchies, it seems the bad luck keeps stacking up.

A Romanian network security enthusiast has claimed to have compromised the Royal Navy website at http://www.royalnavy.mod.uk/

The site is currently down for maintenance with nothing but a screenshot being displayed

RN-Website-Hacked

The alleged compromise has been carried out by someone who goes by the online handle of ‘TinKode’ and claims to have used SQL injection techniques to gain access. TinKode’s blog offers this information and the Twitter feed simply links back to the original post.

==[ Author  : TinKode
==[ WebSite : InSecurity.Ro
==[ Date    : 05.11.2010
==[ Hour    : 22:55 PM
==[ Target  : www.royalnavy.mod.uk
==[ Document: Minister_Of_Defence_UK.txt
==[ Method  : SQL Injection
==[ HackTXT : http://pastebin.com/raw.php?i=M2MUEdv4

The vulnerable URL is not disclosed but the hack text link shows a list of technical information including web server type, operating system and IP address.

It also shows a list of tables, administration usernames and passwords for the Global Ops and JackSpeak sections. The Jack Speak section is a blog (highlighted in our recent post on MoD websites) that would appear to use WordPress. Lazy arse bloggers like me sometime leave the default admin user name active but a professionally run site would normally remove this as a day 1 page 1 security activity. Incredibly, it seems to have still been active.

The Jackspeak blog would also appear to have a user called jonathonband, wonder who that might be?

If it is Admiral Sir Jonathon Band then that would be another golden rule broken, the rule that says when the user leaves, so does their user login credentials.

We shouldn’t get over heated about this, its most unlikely that there is a route to the launch system for Trident from the public facing website but its more than a touch embarrassing!

It is also worth noting how much money we spend on MoD websites, some answers here and here

No doubt there will be much behind the scenes activity to harden every single MoD website and one must expect there to be several ‘interviews sans coffee‘ on Monday morning!

H/T Galrahn at Information Dissemination

4 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Euan
Euan
November 6, 2010 10:00 pm

That is the problem with IT security, the average user can easily compromise the best laid plans if they simply fail to follow the rules and the people making and enforcing the rules are ineffective. So I’m not really surprised the website got hacked but as long as the real systems are secure then the public website getting hacked is not a huge concern although it is a little bit as who knows where it ends. Personally my IT security is pretty lax as is almost everyone’s but like most people I have very little that I think really needs protecting and if someone wants in somewhere they will get in.

I wonder what Jed will say about this since he IIRC knows more about IT security etc.

RichieC
RichieC
November 15, 2010 2:01 pm

Well, this is no surprise to myself. I reported this vulnerabiliy, along with a few others, a few years back to the MoD. I even offered to fix it for them but as I wasn’t part of a “legal” group, I wasn’t allowed to help them. So this is not any surprise to me.

Best Regards,
RichieC.

James
James
June 22, 2012 8:36 am

RichieC: I worked with one of the agencies at the time (not the agency responsible, I might add), and if you’re the person I think you are, you sent a bolshy email to the COI guys which almost got you referred to the police.

If you want to pitch for work by highlighting security vulnerabilities, you need to take a slightly more tactful approach. Don’t go barrelling in and making yourself out to be a “hacker gone good”, because it gets people’s backs up

James
James
June 22, 2012 9:51 am

…I’d just like to point out that the comment by James above is not me. I’ve got no comment at all on it – but we need to disambiguate!

Red Trousers.