
Vulnerabilities in dozens of Military and Pentagon websites - Garbage
http://pastebin.com/Cpgp9jHE
======
eurodance
I want to see if these are real, but I don't want people knocking on my door
tomorrow morning.

~~~
clicks
Well, HN receives a significant amount of traffic -- probably a good many
people _do_ go on to click the links. It's equivalent at this point to having
the URL featured on some high-traffic tech news site.

If you're still wary, pick the most unremarkable one, that you think most
people are likely to click. That way it seems more normal from their
perspective -- you're just one among many in the wide sea. Here, I'll even
help you out: <https://secureweb.hqda.pentagon.mil/dpo/Details.asp?ID=108>

~~~
btilly
Huh, I thought you had pasted the URL wrong. But it is a bug on this site that
swallowed the quote.

Anyways add a ' to the end of that URL and you'll see clear evidence of a SQL
injection bug. But it is just demonstrating that the bug is there. It would
take more work to get access to their database.

------
vinhboy
I tried a couple of the links. All SQLi vuln. All using microsoft sql server
too it looks like. I don't know why I had this image of .gov and .mil sites
being super secure. I no longer think that...

~~~
Jach
I don't know why anyone would expect a public facing PR website to have the
same level of security as actual military use systems... Obligatory XKCD:
<http://xkcd.com/932/>

~~~
46Bit
Most hackers aren't involved in government procurement and so assume that it
will be done with extra care and attention, rather than the opposite for 10x
the cost.

------
rookadook
I hesitated a while before clicking on that link. At my previous job, I was
responsible for maintaining a ".gov" site and this post got me thinking. Is
there a code of conduct or a professional response that is expected of a web
developer who sees a post like this on pastebin? Are we supposed to just
ignore it? Maybe click the link to make sure we are not on the list? Not click
on the link? I know I would have been thankful if someone had given me a heads
up if my site was on that list.

~~~
tantalor
The ethical thing would be to forward the information to the administrators of
the listed sites. But since it's public now, I don't think you have any
responsibility.

------
D9u
Can you say "HoneyPot?"

~~~
jcfrei
hmm, interesting point - however I doubt they would be this sophisticated.
after all these are just informative web pages for the public and are most
likely not held to the same rigorous standards in security like other systemic
systems of the government.

------
mpyne
This is more than .mil sites, there's also UN, NOAA, DOE.

But it looks like these are mostly NIPR Public Affairs types of sites, from
what I can tell.

------
danso
It's a testament to the power of media that so many people not involved in the
military automatically bequeath them with such impenetrable technical
capability and diligence. One of my best friends served as a sniper but had
slightly less than 20/20 vision. So they had a military surgeon fix that up and
now, several years later, my friend is wearing glasses. It's not that this was
substandard care, but that for someone who already completed elite training,
they opted for nothing-special care.

So why should we expect great diligence when it comes to building
informational websites. Does anyone remember the ease with which Bradley
Manning performed his hack*?

edit: I think I'm getting downvoted because people disagree that Manning
"hacked" something. I don't know why there is disagreement here...he himself
disclosed the methods he used to get over the "air gap". Just because those
methods were trivial doesn't undercut my point, in fact, it underscores my
point that the military's information security is not without flaws:

[http://en.wikipedia.org/wiki/Bradley_Manning#Diplomatic_cabl...](http://en.wikipedia.org/wiki/Bradley_Manning#Diplomatic_cables.2C_Guantanamo_Bay_files)

~~~
mpyne
> Does anyone remember the ease with which Bradley Manning performed his hack?

You're right that the military is hardly going to treat a "Public Affairs"
website with any special care, but I wanted to correct you on your description
of a Bradley Manning "hack".

There was no hack. There was never a hack. Bradley Manning was the proverbial
"insider" threat.

You may remember that in the wake of 9/11 there was a lot of acrimony
regarding how poorly the various Federal agencies worked together. They often
engaged in turf warfare to maximize the agency's importance instead of
maximizing the U.S.'s ability to respond to actual threats.

No one shared info with one another, either because they were not sure they
_could_ share info, to prevent aiding other agencies getting more powerful,
etc. And as a result there were thousands of Americans murdered, not to
mention the horrific property losses.

So, one of the "lessons learned" was that the intelligence agencies were going
to work together from then on. Not just work together, they were going to
share the intel. Counterterrorism would become a real mission goal, with real
resources put to it, real organizations aligned around it, etc.

So suddenly, military was working with CIA, FBI, Dept. of State, and more, and
_working together_ to prevent another 9/11 happening, prevent IED attacks
against deployed troops, etc.

There was never a hack. Manning had access to all of that data quite
intentionally, to help him _do his f'ing job_ as an intelligence specialist
analyzing the various Islamist threat groups in his area. He even quoted (and
was quite proud of) an award citation in his chat logs with Lamo that
described how he was aiding the Army in that particular fight.

But not once did he hack anything. He downloaded data he had authorized access
to, and exfiltrated it to persons who did not have authorization.

~~~
danso
Yes, no argument here. I wrote "hack" as a shorthand because I was typing via
mobile and was lazy this morning :).

edit: (I mean I agree with the background facts you've stated, but I think it
is still a "hack" based on other related facts, and it's my fault for not
elaborating in the parent comment)

In any case, I was just pointing out that the military's information
infrastructure is not bulletproof, so to speak. This applies to public facing
websites and in Manning's case, to secure access protocols (for example, in
what other organization would unmonitored, unchecked access to critical files
be given to someone barely older than a college senior?).

But I do think that this was a "hack", if an unsophisticated one. He may have
had authorized access to those files, but he did not have authorization to
transfer those files over the "air gap". Here's how he described his exploits
to Adrian Lamo in chat logs:

[http://en.wikipedia.org/wiki/Bradley_Manning#Diplomatic_cabl...](http://en.wikipedia.org/wiki/Bradley_Manning#Diplomatic_cables.2C_Guantanamo_Bay_files)

 _...lets just say_ someone* i know intimately well, has been penetrating US
classified networks, mining data like the ones described ... and been
transferring that data from the classified networks over the “air gap” onto a
commercial network computer ... sorting the data, compressing it, encrypting
it, and uploading it to a crazy white haired aussie who can't seem to stay in
one country very long =L [...]*

 _(02:12:23 PM) bradass87: so ... it was a massive data spillage ...
facilitated by numerous factors ... both physically, technically, and
culturally

(02:13:02 PM) bradass87: perfect example of how not to do INFOSEC

(02:14:21 PM) bradass87: listened and lip-synced to Lady Gaga's Telephone
while exfiltratrating [sic] possibly the largest data spillage in american
history [...]

(02:17:56 PM) bradass87: weak servers, weak logging, weak physical security,
weak counter-intelligence, inattentive signal analysis ... a perfect storm
[...]_

-----

Yes, this "hack" of Manning's required little more than a USB drive, perhaps,
but that was my original point: parts of the military system are relatively
untested, allowing such critical oversights...so a SQL vulnerability in a
public facing military website is not a huge surprise.

~~~
mpyne
Well he would have had technical authorization to transfer files to a CD (I've
burned classified CDs myself). It's hard to prepare a classified briefing for
your chain-of-command without a way to get the files onto the air-gapped
presentation computer without network access, and there are known security
issues relating to USB thumb drives so it would make perfect technical sense
to require CD drives be used. You just have to label it properly, handle it
properly, etc.

You could argue that the system could have technical measures in place to see
that the CD-R was being filled, used repeatedly in a short period of time,
etc. but that could be worked around too.

He's exactly right that trusting an insider is a perfect example of how not to
do INFOSEC, but that was a risk the military judged was of lower danger than
the risk associated with artificial constraints on the ability of the military
and government to cooperate on anti-terrorism.

Pretty much any measure the gov't and military put in place in this area to
protect against the future Mannings of the world will at least slightly
inhibit their ability to detect and prevent future terrorist strikes, I guess
we'll have to see what they've chosen to do. :-/

------
kbar13
huh

~~~
personalcompute
These are all SQL Injection vulnerabilities. You replace the (usually numeric)
url parameter with crafted SQL.

More info: <https://www.owasp.org/index.php/SQL_Injection>
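As an added example (not code from the thread, the linked paste, or any of the listed sites): a self-contained Python sketch of the bug class personalcompute describes and the trailing-quote symptom btilly mentions, showing the concatenated query beside a parameterised one, plus the kind of access-log check a maintainer in rookadook's position could run. The table, rows and log lines are constructed, and the `Details.asp?ID=` shape is only borrowed from the URL quoted above.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a "Details.asp?ID=108" style lookup; an assumption, not the real site's schema.
SAMPLE_ROWS = [(107, "Entry 107"), (108, "Entry 108"), (109, "Entry 109")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE details (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO details VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def lookup_concat(conn, raw_id):
    """Vulnerable pattern: the URL parameter is pasted into the SQL text, so a stray quote alters the statement."""
    return [r[0] for r in conn.execute("SELECT title FROM details WHERE id = " + raw_id)]

def lookup_param(conn, raw_id):
    """Hardened pattern: validate the numeric ID, then bind it so the database never parses it as SQL."""
    try:
        value = int(raw_id)
    except ValueError:
        return None  # non-numeric ID: reject outright
    return [r[0] for r in conn.execute("SELECT title FROM details WHERE id = ?", (value,))]

def probe(raw_id):
    """Run both lookups on a fresh database; a database error from the concatenated
    version (the trailing-quote symptom mentioned in the thread) comes back as 'SQL_ERROR'."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, raw_id)
    except sqlite3.Error:
        concat = "SQL_ERROR"
    return concat, lookup_param(conn, raw_id)

def flag_nonnumeric_ids(log_lines):
    """Defender-side check: return request paths whose ID query parameter is not purely numeric."""
    flagged = []
    for line in log_lines:
        for path in re.findall(r'"GET (\S+) HTTP', line):
            if any(not v.isdigit() for v in parse_qs(urlsplit(path).query).get("ID", [])):
                flagged.append(path)
    return flagged

# Constructed access-log lines (Common Log Format) for the check above.
CONSTRUCTED_LOG = [
    '203.0.113.5 - - [01/Jan/2012:10:00:00 +0000] "GET /dpo/Details.asp?ID=108 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2012:10:00:05 +0000] "GET /dpo/Details.asp?ID=108%27 HTTP/1.1" 500 300',
]
```

The parameterised lookup returns the same row for a well-formed ID and simply refuses the malformed one, while the concatenated lookup surfaces a database error, which is the signal the thread describes and which the log check turns into something a maintainer can alert on.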

