Re: [ISN] DoD offering admin privileges on .mil Web sites

From: InfoSec News (isnat_private)
Date: Mon Jan 27 2003 - 03:03:05 PST

Next message: InfoSec News: "[ISN] Tool: Sapphire SQL Worm Scanner"

Previous message: InfoSec News: "[ISN] '40-50 Indian sites hacked by Pak cyber criminals monthly'"
Maybe in reply to: InfoSec News: "[ISN] DoD offering admin privileges on .mil Web sites"
Next in thread: InfoSec News: "RE: [ISN] DoD offering admin privileges on .mil Web sites"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: MacRohard <macrohardat_private>

This story may not be as big as it seems. It has always been possible
to apply for a .mil domain using the domain templates available
initially from rs.internic.net and later on nic.ddn.mil (even now
infact @ www.nic.mil/ftp/templates/domain-template.txt). The form
found on the web may not do much more than complete and email one of
these templates to hostmasterat_private who would probably check a few
details, chuckle to himself and delete the email.

-MacRohard

On Sat, 25 Jan 2003, InfoSec News wrote:

> http://www.theregister.co.uk/content/55/29026.html
> 
> By Thomas C Greene in Washington
> Posted: 24/01/2003 at 21:22 GMT
> 
> Care to register a .mil Web site of your own for free? The DoD has
> gone out of its way to make it a snap. An unbelievably
> badly-protected admin interface welcomes you to register whatever
> domain you please (http://Rotten.mil anyone?), or edit anything
> they've already got. The interface is so ludicrously unprotected
> that it's been cached by Google and fails to mention that you must
> be authorized to muck about with it. Incredibly, default passwords
> are cheerfully provided on the page.
> 
> Following an anonymous tip from an observant Reg reader, we've
> encountered the page in question in the Google cache, and after a
> bit of our own poking about have also discovered an equally
> unprotected (and Google-cached) admin interface encouraging us to
> add a new user, like ourselves, say, which requires no
> authentication.
> 
> All you have to do is find that page and you can set yourself up
> with a user account, manage your new .mil Web site, fiddle about
> with other people's .mil Web sites, and generally make an incredible
> nuisance of yourself. We are, of course, straining against every
> natural, journalistic impulse in our beings by neglecting to mention
> any useful search strings with which to find it.
> 
> Another unprotected and cached page, this one discovered by our
> tipster, lists traffic to a major DoD Web site by URL/IP address.
> This worries us because it may list .mil sites and networked DoD
> machines that are not public, not hotlinked anywhere, and which
> might contain (or be networked with other machines that contain)
> sensitive data.  Merely knowing that all those URLs and IP addys are
> valid and owned by DoD would give a significant advantage to
> attackers by narrowing their target area dramatically.

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.

Next message: InfoSec News: "[ISN] Tool: Sapphire SQL Worm Scanner"
Previous message: InfoSec News: "[ISN] '40-50 Indian sites hacked by Pak cyber criminals monthly'"
Maybe in reply to: InfoSec News: "[ISN] DoD offering admin privileges on .mil Web sites"
Next in thread: InfoSec News: "RE: [ISN] DoD offering admin privileges on .mil Web sites"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 05:46:55 PST