It’s bad enough for the Royal Navy that memories of matelots and their iPods are still fresh, accidentally invading Spain, the Astute being pranged by the very tug that came to rescue her, an aircraft carrier with no aircraft and the indignity of sharing ships with the bloody Frenchies, it seems the bad luck keeps stacking up.
A Romanian network security enthusiast has claimed to have compromised the Royal Navy website at http://www.royalnavy.mod.uk/
The site is currently down for maintenance with nothing but a screenshot being displayed
The alleged compromise has been carried out by someone who goes by the online handle of ‘TinKode’ and claims to have used SQL injection techniques to gain access. TinKode’s blog offers this information and the Twitter feed simply links back to the original post.
==[ Author : TinKode ==[ WebSite : InSecurity.Ro ==[ Date : 05.11.2010 ==[ Hour : 22:55 PM ==[ Target : www.royalnavy.mod.uk ==[ Document: Minister_Of_Defence_UK.txt ==[ Method : SQL Injection ==[ HackTXT : http://pastebin.com/raw.php?i=M2MUEdv4
The vulnerable URL is not disclosed but the hack text link shows a list of technical information including web server type, operating system and IP address.
It also shows a list of tables, administration usernames and passwords for the Global Ops and JackSpeak sections. The Jack Speak section is a blog (highlighted in our recent post on MoD websites) that would appear to use WordPress. Lazy arse bloggers like me sometimes leave the default admin user name active but a professionally run site would normally remove this as a day 1 page 1 security activity. Incredibly, it seems to have still been active.
The Jackspeak blog would also appear to have a user called jonathonband, wonder who that might be?
If it is Admiral Sir Jonathon Band then that would be another golden rule broken, the rule that says when the user leaves, so do their user login credentials.
We shouldn’t get overheated about this, its most unlikely that there is a route to the launch system for Trident from the public-facing website but it’s more than a touch embarrassing!
No doubt there will be much behind the scenes activity to harden every single MoD website and one must expect there to be several ‘interviews sans coffee‘ on Monday morning!
H/T Galrahn at Information Dissemination