Information Security News mailing list archives

Airline Database Posted On Defacement


From: InfoSec News <isn () c4i org>
Date: Tue, 23 Apr 2002 02:11:31 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.internetnews.com/dev-news/article/0,,10_1013341,00.html

April 22, 2002 
By Jim Wagner  

The U.S. Space and Naval Warfare Systems Command was defaced Monday
morning, with presumably legitimate screenshots of database files from
a major airline and bank.

Using a common gateway interface (CGI) hack, a defacing team calling
themselves the Deceptive Duo posted the information on the U.S. Navy
site to "ensure that the public is aware of the United States of
America's lack of security."

At the bottom of the defaced Web page, several screenshots have been
added, notably what seems to be a flight schedule and passenger
manifest for a Midwest Express airline database using Microsoft Access
in Windows XP Office.

"This situation proves that we are all still vulnerable even after
9/11," the DeceptiveDuo posted on their defacement. "Tighten the
security before a foreign attack forces you to. At a time like this,
we cannot risk the possibility of compromise by a foreign enemy," the
Web page statement read.

It also appears the e-mail addresses and full names of Midwest Express
customers have been compromised with the screenshot, which one
security expert said, "seemed legitimate, and not just a manipulated
image map."

Lisa Bailey, Midwest Express spokesperson, said the two hackers gained
access to its Web-based user profile database, an area that lets
customers update their personal information via a supposedly secure
connection.

"Frankly, we're not sure how they got into it," Bailey told
InternetNews.com. "We hired consultants two weeks ago to go over our
entire operations, but they hadn't gotten to that (part) yet. We gave
them a call this morning and they are now."

In an instant messaging interview with the two members, the Deceptive
Duo said it was "quite easy" to break into the database of the airline
and the Union Bank.

The two wouldn't explain how the bank database was accessible, but
said they got into Midwest Express because of a relatively common
vulnerability. The airline uses Microsoft SQL, which has a default
password to log in. It seems the system administrator didn't change
the password when the database was implemented and put on a live
network. The two merely gained access to the corporate intranet and
typed in the default password to get in the database.

In a preemptive nod to critics who say Web site defacing/hacking is
not the way to publicize security breaches, the Deceptive Duo said
they've already tried getting the affected companies' attention in the
past.

"We've tried subtle ways of informing the (admins of) vulnerable
servers," one of the duo said. "It seems that it takes drastic means
for others to realize the severity of this all. And I feel if we show
the mass public, others will flex and strive to secure their servers
as well. I mean, we see everyone pushing for stronger security, yet we
are still witnessing breaches?"

"Unfortunately, it takes action to get a reaction," they concluded.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org
