Sign in with
Sign up | Sign in

Hacker Selling Access to Gov Websites for $500

By - Source: Computerworld | B 17 comments

The backdoor to sixteen military, government and college websites are up for sale.

Security firm Imperva said last week that sixteen government, military and educational websites have been hacked are now up for sale for anyone wanting to take control.

The firm originally stumbled across this revelation while scanning through underground forums. One hacker was discovered to be offering full control of a website used by the U.S. Army's Communications-Electronics Command (CECOM), granting virtual keys to the backdoor for just under $500 bucks.

And that's just for starters. According to Noa Bar-Yosef, Imperva senior security strategist, this particular hacker also claims he has control over numerous additional websites owned by the military, the government and universities. The price to gain access to these websites depend on their importance and level of use, ranging from $33 to $499.

"You can actually buy the capability of being the administrator of the website," she told Computerworld, adding that databases of personal information are also up for grabs at $20 per thousand records-- one case even reveals a data pack of 300,000 people up for a hefty price.

The hacker in question is reportedly using SQL injection to gain access to the websites. According to the Wikipedia definition, this is "a code injection technique that exploits a security vulnerability occurring in the database layer of an application." Typically hackers look for poorly-written web pages sporting search boxes and/or data-entry forms that connect with back-end databases. Hackers then use an automated tool to sneak database commands in through those faulty pages.

Although Imperva marked out the list of website names that are up for sale, security blogger Brian Krebs posted a screenshot of the forum post unedited, revealing sites such as the University of South Carolina in Beaufort, the Department of Defense Pharmacoeconomic Center, the State of Utah's official website and more.

"Amid all of the media and public fascination with threats like Stuxnet and weighty terms such as 'cyberwar,' it’s easy to overlook the more humdrum and persistent security threats, such as Web site vulnerabilities," he said. "But none of these distractions should excuse U.S. military leaders from making sure their Web sites aren’t trivially hackable by script kiddies."

Discuss
Ask a Category Expert

Create a new thread in the Streaming Video & TVs forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
  • 1 Hide
    fayzaan , January 26, 2011 1:16 AM
    Good!
  • 1 Hide
    dogman_1234 , January 26, 2011 1:44 AM
    The Internet has become a game. Pretty soon we will be playing a cat-and-mouse game with each other for world domination. But, that is just a conspiracy.

    I can see the headlines:

    "Pentagon Up For Sale For 500 Thousand!"
  • 2 Hide
    joelmartinez , January 26, 2011 1:50 AM
    Pwned, no fan of hacking though I got pretty pissed off when one of those dirtbags tried to mess with me.
  • Display all 17 comments.
  • 1 Hide
    droidnet , January 26, 2011 1:51 AM
    Ha ha ha and pretty soon corporate networks will be for sale as well - now you will be able to make some money off of those.
  • 1 Hide
    micr0be , January 26, 2011 1:56 AM
    if i'd sold my sql injection entries i'd be rich by now ... but that would mean breaking rule #1
    what a pathetic way to make money.

    p.s if anyone is wondering yes government sites are sometimes easier to get into then online blog sites.
  • 0 Hide
    JD13 , January 26, 2011 1:59 AM
    Do you want to play a game?

    Does that rings any bells?

    That's cheap, compared to how much trouble they can get into for doing it.
  • 0 Hide
    mayankleoboy1 , January 26, 2011 5:35 AM
    Quote:
    "Pentagon Up For Sale For 500 Thousand!"


    :lol: 
  • 0 Hide
    hardcore_gamer , January 26, 2011 5:49 AM
    good news for michael western
  • 0 Hide
    alyoshka , January 26, 2011 5:59 AM
    Looks like Die Hard 4 is going to happen someday real soon.....
  • 0 Hide
    fjiekie , January 26, 2011 6:19 AM
    not really, these are just websites, not something too important
    (ok, they have personal information, but they cant change anything (hoping they have backups of the databases...))
  • 0 Hide
    DSpider , January 26, 2011 8:11 AM
    Actually, access to those databases can prove quite useful for a social engineer. I strongly recommend reading "The Art of Deception" for a very strong dose of security wakeup call. There were some examples in there that were mind blowing.

    Just websites you say... Oh, it's just the Department of Defence... Nothing important.
  • 0 Hide
    DSpider , January 26, 2011 8:21 AM
    Access to your collage database can also be useful. Straight A's all around. Getting a scholarship would be a breeze, who cares if the education level drops.
  • 0 Hide
    fjiekie , January 26, 2011 9:10 AM
    i'm aware that it shouldnt be possible to get such personal information.
    but in comparison of die hard 4 it isnt as important, they cant take all your money away and such... (i agree they can try to scam you, but you have to be careful about that all the time)

    and about the scholarships: they did that my country once (direct access...) and they got found out rather quickly

    (and i'll read that book, thanks)
  • 0 Hide
    wiyosaya , January 26, 2011 12:54 PM
    Uh huh! Anyone want to buy the Brooklyn Bridge from me? I'll sell it to you, all of you, each one of you, for $500K each.

    Come on! People are incapable of recognizing a scam when they see one?

    WTF is this world coming to...
  • 1 Hide
    eddieroolz , January 26, 2011 4:32 PM
    What happened to the days when hacking was to simply test your skills and brag? These "hackers" are nothing more than malicious script-kiddies. Shame on you, "hackers".
  • 0 Hide
    rhino13 , January 26, 2011 4:44 PM
    Haha, spam... I meant scam.
  • 0 Hide
    gm0n3y , January 26, 2011 6:11 PM
    SQL Injection should never happen. It is extremely easy to write you code in such a way that it is not possible. Best practices have been around that prevent this for the past 10+ years.
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter