US Army Website Hacked By Syrian Electronic Army 116
swinferno writes: On Monday afternoon, the Syrian Electronic Army claimed on Twitter to have successfully hacked the website of the United States Army, army.mil. Various screenshots that appeared on Twitter reportedly showed pro-Assad propaganda on the site before it crashed. "Today an element of the Army.mil service provider's content was compromised. After this came to our attention, the Army took appropriate preventive measures to ensure there was no breach of Army data by taking down the website temporarily," spokesman Brig. Gen. Malcom B. Frost said in a statement.
Obligatory (Score:5, Insightful)
https://xkcd.com/932/ [xkcd.com]
Re: (Score:2)
Hmmm... they actually did get into the webserver... it wasn't just a DDOS attack or something. They actually got in.
Now did they get anywhere near anything we care about? Probably not. But they did get in to something.
Possibly read it this way:
"vandals broke into a sign put up by the US military and changed the letters around to say POOP"... they did get in... just... to a place no one cares about.
Re: (Score:3)
Yeah, that's exactly what that XKCD is saying. They got at an externally hosted server that would have occasionally been accessed FROM a (more, but not highly) secure .mil network, but doesn't have any access TO any .mil network.
It's about as significant as shitting through a recruiting office letterbox in a mall.
Re: (Score:3)
emmm... not really. just because there isn't secure information in there doesn't mean it is "okay" that it got busted.
First there is a question of prestige here. You don't let shitstain hackers break into your webserver. You just don't.
Second, I'm not sure there was nothing in there of value. It could have contained something that would point them at other systems or give them deeper knowledge of the infrastructure of another network. And they could leapfrog from one to the next.
It definitely was a breach..
Re: (Score:2)
I am... Perfect security possible with computers. You can make things that are unhackable.
It needs to be simple enough to debug, elements that don't change should be made literally static... ideally physically locked, and anything hyper secure should be either encrypted with perfect 1:1 encryption or airgapped. That's if you want PERFECT security. Which again... is possible.
Its like anything that is perfect... either very simple or nearly impossible to do. Make it easy on yourself by making it simple.
Re: (Score:2)
To understand how to make something unhackable you have to understand how hacking works.
The whole strategy is basically using the adaptability of the system against the owner. You reprogram the system to do what you want instead of what the owner wanted.
That's hacking. Can you hack non-programmable systems? Nope. Can you hack something that might be programmable but which you cannot access because it literally doesn't communicate bidirectionally over exposed IP addresses? The ability to hack something like
Re: (Score:2)
You are assuming the underlying system is correctly and securely designed. That's a big assumption and one you have no way of ascertaining that.
Re: (Score:2)
Wrong.
To be hackable it has to be reprogrammable through the web portal.
If it isn't for any reason then it isn't hackable.
Sorry, but that's nonsense (Score:2)
I've taught computer security and web application security at an undergraduate level, and I can tell you that this is just not true. Now, its possible you can have foreclosed all the most obvious direct methods of breaking into your system. You've closed every possible content injection hole, you've configured the network such that even if someone started a rogue process on your machine it couldn't talk to anything outside your network, you've locked down every file using SELinux rules so no process exposed
Re: (Score:2)
Are all the systems on the network secure? Yes. In so many ways. The workstations are locked down. You can't run un-authorized code on them.
Are the appliances secure as well? Yep. This one is actually easier. The appliances are either non-programmable or they're firewalled.
What is more, when I was talking about things being unhackable, I meant from the outside. If you're in the building then things become difficult because I have to start fighting the first law of computer security, which is physical securi
Re: (Score:2)
They were reprogrammed otherwise the worm would not have been able to imprint itself on them.
My understanding further is that the Iranian worm situation was caused by spreading malware from unsecured systems to the centrifuges.
Are you suggesting that it is impossible to keep a secure network isolated from the facebook and porn network?
Re: (Score:2)
OK, dream on. I've worked with some damned fine security guys in my time. You really could learn a few things from them.
Re: (Score:2)
and what would I learn?... Seems like the lesson you want to teach is despair.
Why would I want to learn that lesson when I can just win? I'm fine thanks.
Look, I'm not saying perfect security is practical in all cases. I'm just saying it is possible. And when you are dealing with high security environments you can secure them so that they do not get hacked.
Saying you can't do it because how would we check our facebook is itself naive, soft, and frankly irresponsible.
You lock it down and you don't get touched
Re: (Score:2)
You were saying you would run an active hack from inside a high security network.
If you don't think such facilities have men with guns then you know less about such networks than you think.
Ever tried to walk into an investment bank? You wouldn't leave the lobby. You need an ID card at a minimum to get the elevator to go to the right floor. And that assumes there aren't four or five other security systems being used in correlation with that.
I'm always amazed at what people think is "actual" security.
Take som
Re: (Score:2)
Doxx myself? First, I don't own the systems so I have no right to do such a thing. Second, only an idiot would doxx themselves... just because some AC dared him to? Comical.
I'd do it if I had permission and if I were getting paid... ideally by you... lots of money.
Short of that... you're basically asking me to betray my employer, subject myself to real life harassment from internet trolls, and for... nothing?
No thanks.
Re: (Score:2)
Hey bingo.
I can only make 25 posts a day. How long do you think it takes me to make a post?
The only thing that makes this site take a long time is that I have to wait awhile between posts.
Otherwise, I'd burn my post quota out in about half an hour.
Re: (Score:2)
You'd know this if you ever logged in... the system cuts you off if you make more than 25 posts in a 24 hour period. You get an error and it prevents you from posting again for at least an hour. At which point you can only post until your post count in the last 24 hours reaches 25.
Anyway, bingo... I don't know where you get off judging people that actually HAVE records. You don't. You don't get to judge, shithead. ;)
Re: (Score:2)
So on top of being a troll, obsessed with me, a hypocrite, a coward, and a liar... you're also unable to count?
That link you showed me doesn't show more than 25 posts. That's all it permits per page.
So what is it like being such a failure of a human being?
I mean... what are you good at?... besides failure of course. You're amazing at failure.
I'm just going to give you a little golf clap for the unbroken track record of failure so far:
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
I've never counted. I get an error every so often saying "you can't post more than 25 times in 24 hours"... so sue me... I thought the error warning was accurate.
Whatever.
ACs still have no ethical or moral right to judge people that log in. We have histories. You don't.
Re: (Score:2)
Taking a warning message from the slashdot site as being valid doesn't make me a liar... idiot.
Re: (Score:2)
Next time I get it, I'll screen cap it for you or something. I get it about twice a month. Often there will be some dog pile and I'll have to respond to about a dozen fucktwits and that just burns up my post count allotment.
Re: (Score:2)
Yes... and if I thought that was correct then I didn't lie.
Being wrong doesn't mean you're a liar. Idiot.
Re: (Score:2)
Making an honest mistake given reasonable information is neither unethical nor immoral. Your presumption of judgment is comical.
What is funnier is that you're trying blow this up into something that damns me as a person.
And what you possibly didn't realize is that I'm responding to you. Something which you should know by now bingo, I normally stop doing once I realize it is you.
But I'm still responding to you.
Do you know why? Because I'm going to hit that limit And when I do, I'll screen cap it. And win.
So
Re: (Score:2)
Okay so you admit I wasn't a lair.
k thanks.
I win again, twit.
You so fucking stupid :D Its amazing.
Re: (Score:2)
There's no goal post being moved. That is what it means to lie and what it means to tell the truth.
You're the one that is goal post moving. Your claim that I lied was so stupid that even you backed off it and rather than admit you went too far you're now trying to cover your mistake with abuse.
You're pitiful.
And that's another post for me. I can't wait until the stupid thing flags me. Then I shall screen cap it and win.
Keep going. :D
Re: (Score:2)
First, "you"... that implies I did something which I didn't do.
Second, this is continued with you using the word "did" which states that I actually did something which I didn't do.
Third, "exactly" means that something precisely something and you've already admitted that I didn't lie which means I didn't exactly lie.
Fourth, there is that "you" again that suggests I did something.
Fifth, "are" again suggests a state of being but your statement is contradictory with both your own statements and reality.
Sixth, y
Re: (Score:2)
Nope. I didn't lie about anything. I relied upon what the site told me had happened. The next time it does, I'll screen cap the error message for you.
There's no lie.
A lie requires deliberate deception. An error based on putting too much faith in an error message is not a lie by definition unless I knowingly misrepresent my statement. I did no such thing so it was not a lie.
You don't really understand what a "lie" is do you?
See, this is my issue with ACs... you're astoundingly stupid. How can you not know wh
Re: (Score:2)
This thread? who cares. You're following me all over the forum. Who cares what thread we're talking about anymore.
It doesn't matter to you. Why should it matter to me? You already admitted in one of these threads that you were in error on the whole lying thing... You know it. I know it... so who's the liar now?
Re: (Score:2)
Cite a lie I told, fucktwit.
You say I can't undo my record... but I don't need to. And unlike you, I'm not afraid of my record. You are afraid of your record. And yet you presume threaten me with mine? You're a joke.
I am quite happy to stand on my record. Unlike you, I'm not a coward. ;)
*kiss kiss* shithead. :)
Re: (Score:2)
Did too. :)
Re: (Score:2)
Bingo, for me to have lied there, I would have had to known it was not true. You already admitted you fucked up and I didn't lie. So why are you now lying by reversing course and saying I lied about something that you know I didn't lie about?
I mean... who do you think you're fooling here?
Not me obviously. No one else is reading this... so... its you and me... and I'm not fooled... so what is the point?
Re: (Score:1)
Re: (Score:2)
You can still hack that, just need to go after the DNS server instead.
And yes, Government rank reputation very highly when you do a risk review, but IFF there was anything on this server that wasn't UNCLASSIFIED:For Public Release, then there was *already* a breach.
Experience with some corporate wanker does not reflect the way the military/government do security at all.
Re: (Score:2)
hacking a dns server doesn't touch the military webserver. That is bypassing it and hacking public systems to redirect you.
Quite different.
Re: (Score:2)
How does the method change the effect?
Re: (Score:2)
The effect is not the issue here. What actually happened is the issue.
Furthermore, the DNS effects only systems effected by the DNS hack.
If you use a private DNS system... which you should if it is high security... then you would completely ignore the issue.
What some jerkoff sees when he connects to your system is one thing. What actually happened to your systems is another.
Re: (Score:2)
Nope, to all that.
Effect is the entirely the issue. The effort required to ensure this kind of thing *NEVER* happens is entirely disproportionate to the effort required to ensure that there is nothing of real value on an internet accessible server (or from it).
Furthermore, a DNS attack that re-delegates the domain to different DNS servers would mean everyone (other than internal users that wouldn't be be using public DNS servers) would see the affected page, which is what they want, "how" is entirely irrele
Re: (Score:2)
First there is a question of prestige here.
And authority. Who is going to take seriously the idea that backdoored encryption will be be properly safeguarded by the government when just in the past week they just turned over 4 million federal personnel records and an army website over to "hackers"?
One would have to be abysmally stupid to take information security advice from anyone with their track record. The next time you hear a government official claiming that making our systems less secure is a good idea the correct response is open ridicule an
Re: (Score:2)
As to the proper response to idiots in real situations... I've found its best to just humor them and then quietly negate the damage they could possibly do when they're not paying attention.
Re: (Score:2)
Government response: "But, TERRORISM!"
*too many people nod their heads in agreement while the rest of us shake ours in dismay*
Re: (Score:2)
So because a system was hacked, you can't trust anyone working for the government on security? I heard that a corporate web server was hacked, I guess we can't trust anyone working security for corporations anymore, they couldn't know what they are talking about.
Re: (Score:2)
Depends... I'm not familiar with their system. I know lots of exploits and bugs. So maybe.
I know I could secure it though.
Re: (Score:2)
I do quite well actually... and if everything is locked down and I'm alerted when there is an issue... then what exactly do I have to do?
A lot of bad administration is a lack of automation. Its why the security gets lax half the time. They say "well we'd need more IT people to handle that"... for security you really don't need that many. You just need to the systems to be set up to call for help when something happens. And then have them be fool proof enough that only rarely does anything happen.
Re: (Score:2)
I can't disagree... the thing fucking pissed me off with all its problems. The web admin told me that it couldn't be secured without completely rewriting the whole site and upgrading lots of crap in it along the way.
And I thought to my self... "and how long will that work?"... and I concluded that I'd be having the same conversation with the guy in two years.
So I tried to draw him into a discussion about securing the site without bothering with Wordpress's endless bullshit. And he basically had no idea wha
Re:Obligatory (Score:4, Insightful)
It's about as significant as shitting through a recruiting office letterbox in a mall.
Unless they dropped some malware on the site and infected the people who unknowingly visited the page.
Re: (Score:2)
It's about as significant as shitting through a recruiting office letterbox in a mall.
Unless they dropped some malware on the site and infected the people who unknowingly visited the page.
Which is about the same as someone sending you tissue full of mucus and flu germs through the mail. If you're only at threat if you dont throw it away and wash your hands.
Re: (Score:2)
Agreed. It's the Internet equivalent of graffiti. It's an embarrassment, to be sure, but breaking and entering, it is not.
Different goals (Score:4, Interesting)
I guess you can tell the ambition of an attack based on how obvious it is.
When the Syrian Electronic Army hacks a website, they simply vandalize it and make a lot of noise. When someone else, say the Chinese government, hacks a web address, they ignore the front pages altogether and go straight for the data centers. Way more discrete, way more dangerous.
I could make a fart analogy out of this. So I will.
The silent ones are the ones you need to fear.
Re: (Score:2)
Re: (Score:1)
That could very well be true. Think of the quietest, closest, most drawn out fart imaginable. Terrifying. Then trying to find out who exactly the culprit is... nobody wants to fess up to something that odorous.
But it does make me wonder; How well is the U.S. set up in China? We HAVE to be snooping in on them, even if it isn't made public nearly as often. That tells me that either we aren't very good at getting sensitive data, or our farts are tremendously delayed and powerful. hmmm...
Re: (Score:2)
The Chinese and Russian are both losing interest in the US government and are focusing on where the real power is, US corporations and their executives and board members. Why spy on the puppet, when it is much more effective to spy on the corruption at actual real top.
Manning's USB stick (Score:2)
Captain Hindsight (Score:4, Funny)
Oh good job, Captain Hindsight! You are absolutely right! Manning should have never been able to use a USB stick [takes notes]. Also Snowden should have never been given so much access [takes notes].
"...this would have never happened."
Oh excelsior! Your powers of observation and hindsight deduction are without compare. Between that and your three split infinitives all I can say is BRAVO, SIR, BRAVO! You truly have your finger on the pulse of ... everything that's that wrong.
Re: Captain Hindsight (Score:1)
Re: (Score:3)
Re: (Score:2)
It's grammar, not grammer, and you're welcome, illiterate swinehunt.
failure on the social level (Score:2)
Forbidding portable media didn't work well in the days of the floppy disk, and doesn't work now. Much better to talk to people, make sure no one has a justifiable grievance against an immediate supervisor. If someone sees something to blow a whistle about, give them a way to do so that isn't so damaging and doesn't have a bunch of organization men conflating treason to the nation with refusal to look the other way when they lie and cheat. We should be grateful to whistleblowers, not treat them with suspi
Re: (Score:2)
Old hat (Score:2)
Really? Is hacking the US gov. still a thing?
Re: (Score:2)
Damage is exagerated (Score:2)
I think that the damage to USA is very much over-exaggerated. So, the article says, that the informational gate to one of the websites has been messed up for some time.
So here is the prospective: if 50 years ago some some villages boys would have desecrated the entry of the US military base by peeing on the gates, or dropping a dead animal, nobody would care.
Same with the desecration of US website. The readiness and combat abilities did not decreased at all.
sadly, yes (Score:1)
In the early days of the rebellion, there was hope that moderates would rise up, and turn Syria into a moderate Republic. However, the CIA could not find enough militant moderates. Branches of al qaeda in Syria and Iraq have since taken over the rebellion. al qaeda in Iraq broke off, and became ISIS. al qaeda in Syria is still on good terms with al qaeda HQ, and is now called Nusra Front. The moderates don't care if al qaeda conquers Syria. They want Assad dead. So does the European media.
Sure sure. I believe you. (Score:1)
I bet ten hard drives that the Army hacked it's own site and blamed it on Syria for propaganda reasons. Any takers?
Re: (Score:2)
Has anyone ever hacked /.? (Score:2)