Vulnerabilities in dozens of Military and Pentagon websites (pastebin.com)
77 points by Garbage on Feb 3, 2013 | 25 comments



It's a testament to the power of media that so many people not involved in the military automatically bequeath them with such impenetrable technical capability and diligence. One of my best friends served as a sniper but had slightly less than 20/20 vision. So they had a military surgeon fix that up and now, several years later, my friend is wearing glasses. It's not that this was substandard care, but that for someone who already completed elite training, they opted for nothing-special care.

So why should we expect great diligence when it comes to building informational websites. Does anyone remember the ease with which Bradley Manning performed his hack*?

edit: I think I'm getting downvoted because people disagree that Manning "hacked" something. I don't know why there is disagreement here...he himself disclosed the methods he used to get over the "air gap". Just because those methods were trivial doesn't undercut my point, in fact, it underscores my point that the military's information security is not without flaws:

http://en.wikipedia.org/wiki/Bradley_Manning#Diplomatic_cabl...


> Does anyone remember the ease with which Bradley Manning performed his hack?

You're right that the military is hardly going to treat a "Public Affairs" website with any special care, but I wanted to correct you on your description of a Bradley Manning "hack".

There was no hack. There was never a hack. Bradley Manning was the proverbial "insider" threat.

You may remember that in the wake of 9/11 there was a lot of acrimony regarding how poorly the various Federal agencies worked together. They often engaged in turf warfare to maximize the agency's importance instead of maximizing the U.S.'s ability to respond to actual threats.

No one shared info with one another, either because they were not sure they could share info, to prevent aiding other agencies getting more powerful, etc. And as a result there were thousands of Americans murdered, not to mention the horrific property losses.

So, one of the "lessons learned" was that the intelligence agencies were going to work together from then on. Not just work together, they were going to share the intel. Counterterrorism would become a real mission goal, with real resources put to it, real organizations aligned around it, etc.

So suddenly, military was working with CIA, FBI, Dept. of State, and more, and working together to prevent another 9/11 happening, prevent IED attacks against deployed troops, etc.

There was never a hack. Manning had access to all of that data quite intentionally, to help him do his f'ing job as an intelligence specialist analyzing the various Islamist threat groups in his area. He even quoted (and was quite proud of) an award citation in his chat logs with Lamo that described how he was aiding the Army in that particular fight.

But not once did he hack anything. He downloaded data he had authorized access to, and exfiltrated it to persons who did not have authorization.


Yes, no argument here. I wrote "hack" as a shorthand because I was typing via mobile and was lazy this morning :).

edit: (I mean I agree with the background facts you've stated, but I think it is still a "hack" based on other related facts, and it's my fault for not elaborating in the parent comment)

In any case, I was just pointing out that the military's information infrastructure is not bulletproof, so to speak. This applies to public facing websites and in Manning's case, to secure access protocols (for example, in what other organization would unmonitored, unchecked access to critical files be given to someone barely older than a college senior?).

But I do think that this was a "hack", if an unsophisticated one. He may have had authorized access to those files, but he did not have authorization to transfer those files over the "air gap". Here's how he described his exploits to Adrian Lamo in chat logs:

http://en.wikipedia.org/wiki/Bradley_Manning#Diplomatic_cabl...

...lets just say someone i know intimately well, has been penetrating US classified networks, mining data like the ones described ... and been transferring that data from the classified networks over the “air gap” onto a commercial network computer ... sorting the data, compressing it, encrypting it, and uploading it to a crazy white haired aussie who can't seem to stay in one country very long =L [...]

(02:12:23 PM) bradass87: so ... it was a massive data spillage ... facilitated by numerous factors ... both physically, technically, and culturally

(02:13:02 PM) bradass87: perfect example of how not to do INFOSEC

(02:14:21 PM) bradass87: listened and lip-synced to Lady Gaga's Telephone while exfiltratrating [sic] possibly the largest data spillage in american history [...]

(02:17:56 PM) bradass87: weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis ... a perfect storm [...]

-----

Yes, this "hack" of Manning's required little more than a USB drive, perhaps, but that was my original point: parts of the military system are relatively untested, allowing such critical oversights...so a SQL vulnerability in a public facing military website is not a huge surprise.


Well he would have had technical authorization to transfer files to a CD (I've burned classified CDs myself). It's hard to prepare a classified briefing for your chain-of-command without a way to get the files onto the air-gapped presentation computer without network access, and there are known security issues relating to USB thumb drives so it would make perfect technical sense to require CD drives be used. You just have to label it properly, handle it properly, etc.

You could argue that the system could have technical measures in place to see that the CD-R was being filled, used repeatedly in a short period of time, etc. but that could be worked around too.

He's exactly right that trusting an insider is a perfect example of how not to do INFOSEC, but that was a risk the military judged was of lower danger than the risk associated with artificial constraints on the ability of the military and government to cooperate on anti-terrorism.

Pretty much any measure the gov't and military put in place in this area to protect against the future Mannings of the world will at least slightly inhibit their ability to detect and prevent future terrorist strikes, I guess we'll have to see what they've chosen to do. :-/


I want to see if these are real, but I don't want people knocking on my door tomorrow morning.



In case someone too naive is reading, using something like tor won't give you hacker super powers. The only real protection you can have is knowing what you are doing, and even then you can fail. I wouldn't recommend messing with stuff like this while you are eating a donut and reading hacker news (nor any other moment for that matter).


Well, HN receives a significant amount of traffic -- probably a good many people do go on to click the links. It's equivalent at this point to having the URL featured on some high-traffic tech news site.

If you're still wary, pick the most unremarkable one, that you think most people are likely to click. That way it seems more normal from their perspective -- you're just one among many in the wide sea. Here, I'll even help you out: https://secureweb.hqda.pentagon.mil/dpo/Details.asp?ID=108


Huh, I thought you had pasted the URL wrong. But it is a bug on this site that swallowed the quote.

Anyways add a ' to the end of that URL and you'll see clear evidence of a SQL injection bug. But it is just demonstrating that the bug is there. It would take more work to get access to their database.


If you're still wary, pick the most unremarkable one, that you think most people are likely to click.

This sentence makes no sense whatsoever. It seems that you think "unremarkable" means likely to draw a lot of attention.


For reals. I thoughtlessly clicked, as I would any other HN link, until I realized...it was not...kosher.


I tried a couple of the links. All SQLi vuln. All using Microsoft SQL Server too it looks like. I don't know why I had this image of .gov and .mil sites being super secure. I no longer think that...


I don't know why anyone would expect a public facing PR website to have the same level of security as actual military use systems... Obligatory XKCD: http://xkcd.com/932/


Most hackers aren't involved in government procurement and so assume that it will be done with extra care and attention, rather than the opposite for 10x the cost.


You really did not need to click on the links to figure that out. And it's not SQL server that's the problem, it's the scripting language.

asp means active server pages (VBScript). Very old.

cfm means cold fusion markup (ColdFusion). Also very old.

These are just very old websites built back in the day when no-one knew what they were doing. One of them even has 'legacyapps' in the address.


ASP hasn't been updated in about 10 years, so yes it's old.

ColdFusion, however, isn't "very old". It's an actively supported platform with new versions released within the past year (commercially and 2 open source alternatives). It contains current features such as ESAPI support (for security) and web sockets (for the whiz bang buzzwordians). The fact that it was released in 1995 is irrelevant - similarly aged languages include Java, Ruby, JavaScript, and PHP.

You're correct that the age of the websites has much to do with the vulnerabilities. I think "no-one knew what they were doing" borders on insulting for anyone who's been building web apps for more than a few years, however. Rather, things like SQL injection weren't common then, and older, unsupported apps are thus easily exposed.


I'm not being insulting as I'm including myself in that broad brush. By a few years do you mean 8-10 years ago? As that's when VBScript was being phased out. And that's when cfm was even vaguely popular. cfm's dead today like Delphi's dead today.

I actually remember SQLi becoming a hot topic just when I personally was switching from being a VBScript programmer to C#. When all the APIs were introducing parametrized queries and the debate of them vs stored procs was actually still raging.

It was very easy to do stupid things then because all the APIs encouraged bad code, there wasn't much good advice on the net, there was no stack overflow and the books actually told you to write bad code. I'd look up a couple of classics but I've literally just sent all my old programming books to recycling.

So either you weren't professionally programming back then or are looking back with rose tinted glasses. A lot of apps were vulnerable to SQLi back then.

Look at this article from Jeff Atwood back in 2005:

http://www.codinghorror.com/blog/2005/04/give-me-parameteriz...

Kinda goes without saying these days doesn't it? Would any programmer blog something as basic as this now?


I hesitated a while before clicking on that link. At my previous job, I was responsible for maintaining a ".gov" site and this post got me thinking. Is there a code of conduct or a professional response that is expected of a web developer who sees a post like this on pastebin? Are we supposed to just ignore it? Maybe click the link to make sure we are not on the list? Not click on the link? I know I would have been thankful if someone had given me a heads up if my site was on that list.


The ethical thing would be to forward the information to the administrators of the listed sites. But since it's public now, I don't think you have any responsibility.


Can you say "HoneyPot?"


hmm, interesting point - however I doubt they would be this sophisticated. after all these are just informative web pages for the public and are most likely not held to the same rigorous standards in security like other systemic systems of the government.


This is more than .mil sites, there's also UN, NOAA, DOE.

But it looks like these are mostly NIPR Public Affairs types of sites, from what I can tell.


huh


These are all SQL Injection vulnerabilities. You replace the (usually numeric) url parameter with crafted SQL.

More info: https://www.owasp.org/index.php/SQL_Injection
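Added example (not part of the thread, and not code from any of the listed sites): the classic-ASP style lookup the thread is describing, with the query-string value pasted straight into the SQL text, beside the parameterized form the Atwood article above argues for, plus a small check that runs over web-server access logs and flags requests where a parameter the application expects to be numeric carried something else (the trailing `'` probe mentioned in the thread is exactly what it catches). The `details` table, its columns, the `Details.asp?ID=` mapping, the IIS W3C field order and the log lines are all constructed for the example; it uses SQLite standing in for SQL Server.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed in-memory table standing in for whatever sits behind a
    Details.asp?ID=108 style page (table and column names are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE details (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO details VALUES (?, ?)",
        [(107, "Record 107"), (108, "Record 108"), (109, "Record 109")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    """Classic-ASP style string building: the URL parameter becomes SQL text.
    A stray quote turns into a syntax error; crafted text changes the query."""
    sql = "SELECT id, title FROM details WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Hardened form: validate the type the page expects, then bind the value
    as a parameter so the database never parses it as SQL."""
    if not raw_id.isdigit():
        raise ValueError("ID must be a positive integer")
    return conn.execute(
        "SELECT id, title FROM details WHERE id = ?", (int(raw_id),)
    ).fetchall()


def compare(raw_id):
    """Run one query-string value through both lookups and report what each did."""
    conn = make_db()
    try:
        vuln = f"{len(lookup_vulnerable(conn, raw_id))} row(s)"
    except sqlite3.Error as e:
        vuln = "SQL error: " + str(e)
    try:
        safe = f"{len(lookup_parameterized(conn, raw_id))} row(s)"
    except ValueError as e:
        safe = "rejected: " + str(e)
    return vuln, safe


# Which parameters of which pages must be integers (assumed, per-application).
EXPECTED_INT_PARAMS = {"/dpo/details.asp": {"id"}}

# Constructed IIS W3C-format lines; field order follows the #Fields header.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-02-03 14:02:11 10.0.0.5 GET /dpo/Details.asp ID=108 443 - 203.0.113.9 Mozilla/5.0 200 0 0 512
2013-02-03 14:02:19 10.0.0.5 GET /dpo/Details.asp ID=108%27 443 - 203.0.113.9 Mozilla/5.0 500 0 0 31
2013-02-03 14:02:40 10.0.0.5 GET /dpo/Details.asp ID=108+OR+1%3D1 443 - 198.51.100.7 Mozilla/5.0 200 0 0 780
2013-02-03 14:03:02 10.0.0.5 GET /dpo/index.asp - 443 - 203.0.113.9 Mozilla/5.0 200 0 0 40
"""


def flag_suspicious_requests(log_lines):
    """Return (client_ip, uri_stem, param, decoded_value) for every request in
    which a parameter that should be an integer carried non-numeric input."""
    findings = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) < 9:
            continue
        stem, query, client_ip = fields[4], fields[5], fields[8]
        if query == "-":
            continue
        expected = EXPECTED_INT_PARAMS.get(stem.lower())
        if not expected:
            continue
        # parse_qs URL-decodes, so %27 and + become the characters the app saw.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in expected:
                continue
            for value in values:
                if not value.isdigit():
                    findings.append((client_ip, stem, name, value))
    return findings


if __name__ == "__main__":
    for probe in ("108", "108'", "108 OR 1=1"):
        print(repr(probe), "->", compare(probe))
    for hit in flag_suspicious_requests(SAMPLE_IIS_LOG.splitlines()):
        print("flagged:", hit)
```

The type check in `lookup_parameterized` is what makes the log rule and the code agree: anything the page would reject is also what the log scan flags, so a spike of flagged requests from one client against a page that does not do this check is the signal worth an alert.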


My thoughts exactly.. though I didn't have the guts to paste these into my curl.



