
US Senate website Compromised by ‘Laughing Hackers’

A US Government web server has been infiltrated by the Lulz group of hackers.
Release of information
Well, to prove their point Lulz have released the output of some system commands they were able to run.
That output shows at least superficial access to the file system and operating system, and therefore to the log data held on the system: for example, a list of mounted filesystems (the df command) and a list of recent logins (the last command).
The group's statement claims that they released the information “in an attempt to help them fix their issues” and “just-for-kicks”.


Senate Confirmation
A statement by a spokesperson for the US Senate Sergeant at Arms confirmed that they were aware of an infiltration of the web service over the weekend. They also state that no internal governmental system or server was compromised as part of this attack. Indeed, it is further stated, the web server holds no user account data that could be used for further compromises. The vulnerability lay in a sub-site wholly maintained by a specific but unnamed Senate office. Steps have been taken to rectify the situation and an investigation has been started.
Worrying?
US government sites come under attack almost continuously. As tools and attacks become more sophisticated it is inevitable, but unfortunate, that some succeed. The trick with a public service is to ensure that only public information is accessible. The administrators of this service appear to have achieved this where Sony and so many others have failed.
We need to ensure that in the event of a compromise only the minimum amount of information is exposed. Certainly no further systems should be approachable through these unregulated channels.
Information exposure from a public forum is unfortunate, but as long as the firewalls and security features of the infrastructure prevent access to the internal network, most of the time this is only an inconvenience and an embarrassment. If the entire public system is a client (to which data is pushed) then the damage can be limited to possible defacement or public exposure of already public information.
This is not a Gateway
Not in this case, but in many others – like PSN, the web or Internet service is a convenient gateway to allow access to premium or restricted material.
This would be where the majority of security professionals get twitchy and extremely protective. The risk of internal data exposure here is multiplied.
Secondary Vulnerabilities
But don’t be too complacent. The passive nature of a service does not mean it cannot be used to launch attacks on the internal systems. Many firewalls and protocols have been found to ‘accidentally’ allow reverse communication. An outbound HTTPS connection, for example, can be used to control the internal system from outside; with piggybacked protocols and clever encryption this is hard to prevent.
This kind of attack is a “foot in the door”. Given time, there is a reasonable chance of kicking it in and stealing the silver.
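The two defensive ideas above (a push-only public server whose egress is limited to a tiny allow-list, and the reverse-channel risk from outbound HTTPS that such a server should never need) can be checked against the firewall or proxy egress logs of the public host. The following is an added example written for this post, not code from the original article or from any party it describes; the log format, the host addresses and the log lines are all constructed, and the allow-list is an assumed policy for a server to which data is only pushed.

```python
"""Spot outbound 'reverse channel' traffic from a public, push-only web server.

Added example (hypothetical; not from the original post). Assumes a simple
constructed egress log format, one connection per line:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: the DMZ web server 10.0.1.10 is allowed to
# contact only the internal push host 10.0.2.5, yet it also makes regular
# outbound port-443 connections to an external address (203.0.113.7).
SAMPLE_LOG = """\
2011-06-13T10:00:00 10.0.1.10 10.0.2.5 443 1200
2011-06-13T10:00:05 10.0.1.10 203.0.113.7 443 512
2011-06-13T10:05:05 10.0.1.10 203.0.113.7 443 530
2011-06-13T10:10:06 10.0.1.10 203.0.113.7 443 498
2011-06-13T10:15:04 10.0.1.10 203.0.113.7 443 521
2011-06-13T10:20:05 10.0.1.10 203.0.113.7 443 515
2011-06-13T10:30:00 10.0.1.10 10.0.2.5 443 800
"""

# Assumed egress policy: a server that only receives pushed data needs a
# very short list of destinations it may initiate connections to.
ALLOWED_DESTINATIONS = {"10.0.2.5"}


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, port, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return events


def unexpected_egress(events, allowed=ALLOWED_DESTINATIONS):
    """Return every connection whose destination is not on the allow-list.

    On a push-only host this list should be empty; anything here is a
    policy violation worth investigating, HTTPS or not."""
    return [e for e in events if e[2] not in allowed]


def beaconing_destinations(events, min_connections=4, max_jitter=0.2):
    """Group connections by (src, dst, port) and report flows whose
    inter-arrival times are regular (coefficient of variation <= max_jitter).

    Scheduled callbacks from a controlled host tend to be evenly spaced,
    whereas human-driven traffic is bursty. Returns {flow: mean period in s}."""
    by_flow = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_flow[(src, dst, port)].append(ts)

    findings = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[flow] = round(avg, 1)
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unexpected_egress(evs):
        print("unexpected egress:", e)
    for flow, period in beaconing_destinations(evs).items():
        print(f"regular callback {flow} roughly every {period}s")
```

The allow-list check is the stronger control: it needs no statistics, only the decision that a public server which merely receives pushed content has no business opening connections to anything else. The periodicity check is a fallback for environments where egress cannot be locked down completely; it flags the regular cadence of a callback even when the payload is encrypted, which is exactly the case the paragraph above says is hard to prevent at the protocol level.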
References
Lulz statement (Warning!!!! At own risk.)
About harlekwinblog

"Thoughts of an idle mind." Information Security professional.
