Database hacking spree on US Army, NASA, and others costs gov’t millions

[InfoSec News <alerts () infosecnews org>]

http://arstechnica.com/security/2013/10/database-hacking-spree-on-us-army-nasa-and-others-cost-gov-millions/

By Dan Goodin
Ars Technica
Oct 28 2013

Federal prosecutors have accused a UK man of hacking thousands of computer 
systems, many of them belonging to the US government, and stealing massive 
quantities of data that resulted in millions of dollars in damages to 
victims.

Lauri Love, 28, was arrested on Friday at his residence in Stradishall, UK 
following a lengthy investigation by the US Army, US prosecutors in New 
Jersey said. According to prosecutors, the attacks date back to at least 
October 2012. Love and other alleged hackers are said to have breached 
networks belonging to the Army, the US Missile Defense Agency, NASA, the 
Environmental Protection Agency, and others, in most cases by exploiting 
vulnerabilities in SQL databases and the Adobe ColdFusion Web application. 
The objective of the year-long hacking spree was to disrupt the operations 
and infrastructure of the US government by stealing large amounts of 
military data and personally identifying information of government 
employees and military personnel, a 21-page indictment said.

"You have no idea how much we can fuck with the US government if we wanted 
to," Love told a hacking colleague in one exchange over Internet relay 
chat, prosecutors alleged. "This... stuff is really sensitive. It's 
basically every piece of information you'd need to do full identity theft 
on any employee or contractor" for the hacked agency.

According to prosecutors, Love used automated scanners to identify 
vulnerabilities in large ranges of IP addresses. He would then exploit 
them to inject powerful SQL commands into a site's backend database. He 
exploited similar types of vulnerabilities in sites that used ColdFusion, 
the Web application software whose full source code was recently found on 
a server operated by hackers. The ColdFusion security flaw, which has 
since been corrected, allowed Love to gain administrator-level access to 
computer servers without proper login credentials, a separate criminal 
complaint filed in a Virginia federal court alleged. After breaching the 
websites, Love allegedly planted backdoor code on the servers that gave 
him persistent access to the networks so he could return at a later date 
and steal confidential data.

[...]



--
Find the best InfoSec talent without breaking your
recruiting budget! Post a Job, $99 for 31 days.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/