Wired Threat Level reports that Nicholas Paul Knight, 27, who called himself a “nuclear black hat,” has been charged with hacking a Navy database while working onboard the nuclear-powered USS Harry S. Truman aircraft carrier (at which point he was caught and discharged from the service). Knight was part of a hacking group called Team Digi7al (pronounced “Digital”) that publicly disclosed sensitive information and boasted of their exploits via Twitter.
A list of the aliases/handles used by the alleged hackers.
Daniel Trenton Krueger, a community college student in Illinois, was charged as a co-conspirator, along with three unidentified minors in Montgomery, AL; Pitkin, LA; and Decatur, GA. Among the 30 organizations Team Digi7al targeted was the Navy and its "Smart Web Move" database, which contained social security numbers and other personal information for more than 220,000 service members for the purpose of managing duty station transfers. The Navy spent $514,000 responding to the attack, assessing the damage, and paying contractors and employees to repair the damage. One of the things I especially enjoy about these stories is reading the U.S. Department of Justice affidavits. These court documents usually have juicy background details – plus it’s interesting to see how prosecutors and law enforcement personnel explain complex hacking schemes in layman terms. In this affidavit, we learn that:
- The attacks began when a member of the group “scanned Internet sites for security vulnerabilities on protected computers, taking a particular interest in hacking government websites, including military, educational, intelligence, homeland security, and critical infrastructure sites.”
- “Second, a member exploited the vulnerability, frequently using a structured query language (“SQLi”) method. This exploitation involved gaining access to a website’s databases’ schema and when possible, the sensitive private data contained in the database.” We learn that the group often posted the database schema as well, exposing the databases’ internal table structures to other hackers and making them even more vulnerable to subsequent attacks. (The Navy database was shut down and never resumed operation.)
- The affidavit goes on to describe how the group used Team Digi7al’s Twitter account to announce the successful hack, stating that Navy.mil had been “owned” and the team had hacked “MY OWN BOAT." They also used Twitter to post a link to the sensitive information (which had been uploaded to a cloud storage site), and traded barbs with Digital Corruption, a rival group that claimed credit for one the hacks (“really? your own work. give me a few seconds to upload some screenshots and i’ll prove you guys stole my hacks (7hor)”).
- As they sensed the Naval Criminal Investigative Service (NCIS) closing in on them (“navy got pissed” they communicated in an online chat), Knight sent Krueger a FB message that “if anything happens...send me a message saying goodbye so wo [sic] know one of us is caught.” Later they tweeted “For the information of everyone, we will not be using twitter an longer to post our hacks...good day sirs and ma’ams”.
In addition to targeting the Navy database, most of the other attacks were directed at public-facing sites such as the retail website of Rashod Holmes, a musician who sold merchandise on his site; AutoTrader.com; and the Toronto Police Department. So what can we learn from this?
- Our websites are constantly exposed to cyber-attackers located anywhere in the world, who easily scan for common vulnerabilities such as SQL injection – as often as they like – using freely-available, automated tools. In comparison, most organizations only scan their websites a few times per year – making them easy targets for attackers.
- SQL Injection is still a common attack vector. That’s why it’s been a “greatest hit” on the OWASP Top 10 for years. OWASP describes Injection Flaws as a class of vulnerabilities that “occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.” The good news is that SQL injection vulnerabilities can easily be found using either static analysis (SAST) to test code early in the Software Development Lifecycle (SDLC) or dynamic analysis (DAST) to test web applications in production.
- Cyber-activists like Team Digi7al are just one type of threat faced by enterprises. One conspirator stated online that the group was “somewhat politically inclined to release the things [they had],” but also because it was “fun, and we can.” Financial gain was not their principal motivation.
Potentially more serious threats include:
- Cyber-criminals like the organized crime gang from eastern Europe that attacked Target for its credit card information, netting them around $53.7M from cards that were successfully sold on the black market and used for fraud before banks got around to canceling the rest
- Cyber-espionage units, typically from “nation-states” that steal our valuable intellectual property such as product designs, algorithms and oilfield data
Thoughts? Why is it taking so long for enterprises to perform the basic checks that would prevent these types of cyber-attacks?