[ISN] Airline Database Posted On Defacement

From: InfoSec News (isnat_private)
Date: Tue Apr 23 2002 - 00:11:31 PDT

    Forwarded from: William Knowles <wkat_private>
    April 22, 2002 
    By Jim Wagner  
    The U.S. Space and Naval Warfare Systems Command Web site was defaced Monday
    morning, with presumably legitimate screenshots of database files from
    a major airline and bank.
    Using a common gateway interface (CGI) hack, a defacing team calling
    themselves the Deceptive Duo posted the information on the U.S. Navy
    site to "ensure that the public is aware of the United States of
    America's lack of security."
    At the bottom of the defaced Web page, several screenshots have been
    added, notably what seems to be a flight schedule and passenger
    manifest for a Midwest Express airline database using Microsoft Access
    in Windows XP Office.
    "This situation proves that we are all still vulnerable even after
    9/11," the Deceptive Duo posted on their defacement. "Tighten the
    security before a foreign attack forces you to. At a time like this,
    we cannot risk the possibility of compromise by a foreign enemy," the
    Web page statement read.
    It also appears the e-mail addresses and full names of Midwest Express
    customers have been compromised with the screenshot, which one
    security expert said, "seemed legitimate, and not just a manipulated
    image map."
    Lisa Bailey, Midwest Express spokesperson, said the two hackers gained
    access to its Web-based user profile database, an area that lets
    customers update their personal information via a supposedly secure
    "Frankly, we're not sure how they got into it," Bailey told
    InternetNews.com. "We hired consultants two weeks ago to go over our
    entire operations, but they hadn't gotten to that (part) yet. We gave
    them a call this morning and they are now."
    In an instant messaging interview with the two members, the Deceptive
    Duo said it was "quite easy" to break into the database of the airline
    and the Union Bank.
    The two wouldn't explain how the bank database was accessible, but
    said they got into Midwest Express because of a relatively common
    vulnerability. The airline uses Microsoft SQL, which has a default
    password to log in. It seems the system administrator didn't change
    the password when the database was implemented and put on a live
    network. The two merely gained access to the corporate intranet and
    typed in the default password to get in the database.
    In a preemptive nod to critics who say Web site defacing/hacking is
    not the way to publicize security breaches, the Deceptive Duo said
    they've already tried getting the affected companies' attention in the
    "We've tried subtle ways of informing the (admins of) vulnerable
    servers," one of the duo said. "It seems that it takes drastic means
    for others to realize the severity of this all. And I feel if we show
    the mass public, others will flex and strive to secure their servers
    as well. I mean, we see everyone pushing for stronger security, yet we
    are still witnessing breaches?"
    "Unfortunately, it takes action to get a reaction," they concluded.
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org