
Hacker Selling Access to Gov Websites for $500

Source: Computerworld

Backdoors to sixteen military, government and college websites are up for sale.

Security firm Imperva said last week that sixteen government, military and educational websites have been hacked and are now up for sale to anyone wanting to take control.

The firm originally stumbled across this revelation while scanning through underground forums. One hacker was discovered to be offering full control of a website used by the U.S. Army's Communications-Electronics Command (CECOM), granting virtual keys to the backdoor for just under $500.

And that's just for starters. According to Noa Bar-Yosef, Imperva senior security strategist, this particular hacker also claims he has control over numerous additional websites owned by the military, the government and universities. The price to gain access to these websites depends on their importance and level of use, ranging from $33 to $499.

"You can actually buy the capability of being the administrator of the website," she told Computerworld, adding that databases of personal information are also up for grabs at $20 per thousand records; one case even reveals a data pack of 300,000 people up for a hefty price.

The hacker in question is reportedly using SQL injection to gain access to the websites. According to the Wikipedia definition, this is "a code injection technique that exploits a security vulnerability occurring in the database layer of an application." Typically, hackers look for poorly written web pages with search boxes and/or data-entry forms that connect to back-end databases. They then use an automated tool to sneak database commands in through those faulty pages.
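The flaw behind such a search box, shown beside its fix, as an added example that is not from the article, Imperva or Computerworld. The table, the function names and the sample rows are constructed for illustration, with an in-memory SQLite database standing in for the back-end.

```python
import sqlite3

def make_db():
    """Constructed sample data: a directory with public and non-public rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (name TEXT, email TEXT, public INTEGER)")
    db.executemany(
        "INSERT INTO people VALUES (?, ?, ?)",
        [("Alice Adams", "alice@example.org", 1),
         ("Bob Brown", "bob@example.org", 1),
         ("Carol Clark", "carol@example.org", 0)],  # not meant to be listed
    )
    return db

def search_vulnerable(db, term):
    # Flaw: the search box text is pasted into the SQL string, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name, email FROM people "
           "WHERE public = 1 AND name LIKE '%" + term + "%'")
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # Fix: the statement text is constant; the input travels separately as
    # a bound value and is only ever compared against the name column.
    sql = ("SELECT name, email FROM people "
           "WHERE public = 1 AND name LIKE '%' || ? || '%'")
    return db.execute(sql, (term,)).fetchall()

# Constructed input: closes the quote, then adds a condition that is always
# true, so the "public = 1" restriction no longer limits the result.
CRAFTED = "' OR '%'='"

if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_parameterized):
        print(fn.__name__, "normal :", fn(db, "Ali"))
        print(fn.__name__, "crafted:", fn(db, CRAFTED))
```

With the concatenated query the crafted input returns every row, including the one flagged non-public; with the bound parameter the same input is treated as a literal search term and matches nothing.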

Although Imperva marked out the list of website names that are up for sale, security blogger Brian Krebs posted a screenshot of the forum post unedited, revealing sites such as the University of South Carolina in Beaufort, the Department of Defense Pharmacoeconomic Center, the State of Utah's official website and more.

"Amid all of the media and public fascination with threats like Stuxnet and weighty terms such as 'cyberwar,' it’s easy to overlook the more humdrum and persistent security threats, such as Web site vulnerabilities," he said. "But none of these distractions should excuse U.S. military leaders from making sure their Web sites aren’t trivially hackable by script kiddies."


Comments

fayzaan 01/26/2011 4:16 AM

Good!

dogman_1234 01/26/2011 4:44 AM

The Internet has become a game. Pretty soon we will be playing a cat-and-mouse game with each other for world domination. But, that is just a conspiracy.

I can see the headlines:

"Pentagon Up For Sale For 500 Thousand!"

joelmartinez 01/26/2011 4:50 AM

Pwned, no fan of hacking though I got pretty pissed off when one of those dirtbags tried to mess with me.

droidnet 01/26/2011 4:51 AM

Ha ha ha and pretty soon corporate networks will be for sale as well - now you will be able to make some money off of those.

micr0be 01/26/2011 4:56 AM

if i'd sold my sql injection entries i'd be rich by now ... but that would mean breaking rule #1
what a pathetic way to make money.

p.s if anyone is wondering yes government sites are sometimes easier to get into than online blog sites.

JD13 01/26/2011 4:59 AM

Do you want to play a game?

Does that ring any bells?

That's cheap, compared to how much trouble they can get into for doing it.

mayankleoboy1 01/26/2011 8:35 AM

Quote :"Pentagon Up For Sale For 500 Thousand!"


:lol:

hardcore_gamer 01/26/2011 8:49 AM

good news for michael western

alyoshka 01/26/2011 8:59 AM

Looks like Die Hard 4 is going to happen someday real soon.....

fjiekie 01/26/2011 9:19 AM

not really, these are just websites, not something too important
(ok, they have personal information, but they can't change anything (hoping they have backups of the databases...))

DSpider 01/26/2011 11:11 AM

Actually, access to those databases can prove quite useful for a social engineer. I strongly recommend reading "The Art of Deception" for a very strong dose of security wakeup call. There were some examples in there that were mind blowing.

Just websites you say... Oh, it's just the Department of Defence... Nothing important.

DSpider 01/26/2011 11:21 AM

Access to your college database can also be useful. Straight A's all around. Getting a scholarship would be a breeze, who cares if the education level drops.

fjiekie 01/26/2011 12:10 PM

i'm aware that it shouldn't be possible to get such personal information.
but in comparison to die hard 4 it isn't as important, they can't take all your money away and such... (i agree they can try to scam you, but you have to be careful about that all the time)

and about the scholarships: they did that in my country once (direct access...) and they got found out rather quickly

(and i'll read that book, thanks)

wiyosaya 01/26/2011 3:54 PM

Uh huh! Anyone want to buy the Brooklyn Bridge from me? I'll sell it to you, all of you, each one of you, for $500K each.

Come on! People are incapable of recognizing a scam when they see one?

WTF is this world coming to...

eddieroolz 01/26/2011 7:32 PM

What happened to the days when hacking was to simply test your skills and brag? These "hackers" are nothing more than malicious script-kiddies. Shame on you, "hackers".

rhino13 01/26/2011 7:44 PM

Haha, spam... I meant scam.

gm0n3y 01/26/2011 9:11 PM

SQL Injection should never happen. It is extremely easy to write your code in such a way that it is not possible. Best practices have been around that prevent this for the past 10+ years.