Feeds

How zombie LulzSec exposed privates' love lives with PHP hack

Single soldiers site swallowed surprise load

SANS - Survey on application security programs

A dating website for US soldiers was hacked and its database leaked after it blindly trusted user-submitted files, according to an analysis by security firm Imperva. The report highlights the danger of handling documents uploaded to web apps.

"LulzSec Reborn" hacktivists attacked MilitarySingles.com and disclosed sensitive information on more than 170,000 lonely-heart privates in March this year. Hackers uploaded a PHP file that posed as a harmless text document and then commandeered the web server to cough up the contents of its user and a hashed password database.

Rob Rachwald, director of security strategy at Imperva, said the attack would have been blocked if MilitarySingles.com had filtered user-supplied content.

He added that a similar Remote File Inclusion-style vulnerabilities will exist in other sites that use PHP and actively solicit photos, video and so on.

Imperva reckons more than 90 per cent of the MilitarySingles.com passwords were cracked in nine hours thanks to extended dictionary-based rainbow lookup tables. MilitarySingles.com stored passwords as non-reversible hashes, rather than in plain text, however it did not salt the hashes, which would have made the process of recovering the passwords far more difficult. Insisting on hard-to-guess passwords isn't good enough unless developers pay attention to encryption best practices, said Rachwald.

The attack against MilitarySingles.com is the only notable assault by LulzSec Reborn. Imperva's analysis suggests the group has no more than six members, who set out to "embarrass the military". The crew is apparently "not as motivated" as the original LulzSec, according to Rachwald, adding that it has made little or no contribution to IRC chats and hacker forums.

MilitarySingles.com, which bills itself as the "dating website for single soldiers... and those interested in meeting them", is run by eSingles Inc.

Government and military personnel ought to have special policies regarding social networking to prevent their information from being easily accessed and manipulated. Rachwald told El Reg that an outright ban is likely to be flouted. Instead soldiers should be encouraged to use pseudonyms and particularly warned against disclosing their location, he said.

An analysis of the website breach was published in the May edition of Imperva's monthly Hacker Intelligence, which can be downloaded here. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.