On Thursday, security vendor Imperva stumbled on a hacker’s offer, posted in an underground black-market forum, of a U.S. Army Communications-Electronics Command (CECOM) website for less than US$500.
Imperva’s senior security strategist Noa Bar-Yosef said the hacker claims control of websites that include military, government and university sites. The price: $33 to $499 depending on the website, for which one can buy the capability to be the website’s administrator. For $20 per thousand records, the hacker also offers stolen personal information from the websites’ databases, which black hats may use to break into online accounts. Bar-Yosef saw administrative privileges for 16 sites for sale. There was also data indicating that the information of 300,000 people had been stolen from the site.
Bar-Yosef stated that the seller may have broken into the websites using SQL injection. Hackers have been on the lookout for weakly written web pages, especially those with search boxes or data-entry forms connected to back-end databases.
Automated tools make it easy for hackers to attack. The outcome can be devastating when SQL injection is used this way, as it was by notorious hacker Albert Gonzalez when he broke into Heartland Payment Systems and 7-Eleven.
Imperva redacted victims’ names from its post. Security blogger Brian Krebs, however, detailed the incident and named the hacked sites, which include those of states like Utah and Michigan, the Italian government, and the Department of Defense Pharmacoeconomic Center, which supports drug procurement for the Department of Veterans Affairs.
On Friday, Krebs blogged that amid all of the media and public fascination with threats like Stuxnet and weighty terms like ‘cyberwar,’ the more humdrum and persistent security threats, such as Web site vulnerabilities, are overlooked. But none of these distractions should excuse U.S. military leaders from making sure their Web sites aren’t trivially hackable by script kiddies.