Feeds

How zombie LulzSec exposed privates' love lives with PHP hack

Single soldiers site swallowed surprise load

The Power of One eBook: Top reasons to choose HP BladeSystem

A dating website for US soldiers was hacked and its database leaked after it blindly trusted user-submitted files, according to an analysis by security firm Imperva. The report highlights the danger of handling documents uploaded to web apps.

"LulzSec Reborn" hacktivists attacked MilitarySingles.com and disclosed sensitive information on more than 170,000 lonely-heart privates in March this year. Hackers uploaded a PHP file that posed as a harmless text document and then commandeered the web server to cough up the contents of its user and a hashed password database.

Rob Rachwald, director of security strategy at Imperva, said the attack would have been blocked if MilitarySingles.com had filtered user-supplied content.

He added that a similar Remote File Inclusion-style vulnerabilities will exist in other sites that use PHP and actively solicit photos, video and so on.

Imperva reckons more than 90 per cent of the MilitarySingles.com passwords were cracked in nine hours thanks to extended dictionary-based rainbow lookup tables. MilitarySingles.com stored passwords as non-reversible hashes, rather than in plain text, however it did not salt the hashes, which would have made the process of recovering the passwords far more difficult. Insisting on hard-to-guess passwords isn't good enough unless developers pay attention to encryption best practices, said Rachwald.

The attack against MilitarySingles.com is the only notable assault by LulzSec Reborn. Imperva's analysis suggests the group has no more than six members, who set out to "embarrass the military". The crew is apparently "not as motivated" as the original LulzSec, according to Rachwald, adding that it has made little or no contribution to IRC chats and hacker forums.

MilitarySingles.com, which bills itself as the "dating website for single soldiers... and those interested in meeting them", is run by eSingles Inc.

Government and military personnel ought to have special policies regarding social networking to prevent their information from being easily accessed and manipulated. Rachwald told El Reg that an outright ban is likely to be flouted. Instead soldiers should be encouraged to use pseudonyms and particularly warned against disclosing their location, he said.

An analysis of the website breach was published in the May edition of Imperva's monthly Hacker Intelligence, which can be downloaded here. ®

Designing a Defense for Mobile Applications

More from The Register

next story
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.