BreachExchange mailing list archives

Man indicted for alleged military data hack using ColdFusion flaws, SQL attacks


From: Lee J <lee () riskbasedsecurity com>
Date: Tue, 29 Oct 2013 14:47:35 +1100

http://www.scmagazine.com//man-indicted-for-alleged-military-data-hack-using-coldfusion-flaws-sql-attacks/article/318328/

A U.K. man, described by federal prosecutors as a “sophisticated and
prolific computer hacker,” has been indicted for the alleged hack of U.S.
Army and other government-run databases.

On Monday, Lauri Love, 28, was charged for his suspected involvement in
breaching “thousands of computer systems in the United States and
elsewhere” between October 2012 and this month in order to steal sensitive
government data and personally identifiable information (PII), a
release <http://www.justice.gov/usao/nj/Press/files/Love,%20Lauri%20Indictment%20News%20Release.html>
from the New Jersey U.S. Attorney's Office said.

On Friday, Love, a resident of Stradishall, England, was arrested at his
home by British law enforcement cooperating with U.S. investigators.

Prior to his arrest, he was charged in a Newark federal court with one
count of accessing a government computer without authorization and one
count of conspiring to do so, an indictment unsealed on Monday
revealed (PDF <http://media.scmagazine.com/documents/55/love,_lauri_indictment_13632.pdf>).

That same day, a complaint filed against Love in a federal court in
Alexandria, Va. was unsealed
(PDF <http://media.scmagazine.com/documents/55/lauri_love_affidavit_supportin_13633.pdf>).
In Virginia, Love was charged with conspiracy to access and damage the
protected computer of multiple U.S. government agencies.

According to the indictment unsealed in New Jersey, "the data stolen from
the government victims include PII of military servicemen and servicewomen
and current and former employees of the federal government," which resulted
in millions of dollars in damages.

Over the past year, Love allegedly exploited vulnerabilities in Adobe
ColdFusion <http://www.scmagazine.com/search/ColdFusion/> and carried out SQL
injection attacks <http://www.scmagazine.com/search/SQL+injection+attacks/> to
hack government databases with unnamed co-conspirators in Australia and
Sweden.

After gaining access to the targeted networks, the group allegedly planted
malware on government systems, which allowed them to maintain backdoor
access to the compromised networks, court documents said.

Using the ColdFusion and SQL injection attack methods, the group is accused
of stealing data from a long list of U.S. Army systems and other agencies
and organizations, which include the U.S. Department of Defense's Missile
Defense Agency, the National Aeronautics and Space Administration (NASA)
and the Environmental Protection Agency (EPA).

In a press release, the New Jersey U.S. Attorney's Office published a short
version <http://www.justice.gov/usao/nj/Press/files/Love,%20Lauri%20Indictment%20News%20Release.html>
of the alleged intrusions, listing the details in order of occurrence –
including the organization affected, the type of attacks used and what kind
of data was stolen as a result of the hacks.

In addition to PII stored on the affected databases, information such as
defense program budgeting data and other sensitive military information was
believed to have been accessed.

If convicted, Love could face up to 20 years in prison for charges brought
against him in New Jersey and Virginia.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
