Feeds

They've only gone and HACKED the WEATHER

Hackers punch into NOAA, in 'vengeance for Stuxnet'

Using blade systems to cut costs and sharpen efficiencies

Hackers have lifted potentially sensitive data from the US National Weather Service after exploiting a vulnerability in the weather.gov website.

A previously-unknown group called Kosova Hacker's Security claimed credit for the hack in a lengthy post on pastebin, containing a stream of data lifted as a result of the hack. Leaked data includes a list of partial login credentials, something that might give other hacking crews a head start in attacking the website, as well as numerous system and network configuration files.

The leaked information appears to consist only of system files and the like rather than scientific data, something that strongly distinguishes the breach from the so-called ClimateGate hack against the Climatic Research Unit (CRU) at the University of East Anglia back in November 2009.

The hacking crew said it took advantage of "local file inclusion vulnerability" that allowed it to ransack the weather.gov servers. Kosova Hacker's Security said the hack was carried out in retaliation for American aggression against Muslim nations, including the Flame and Stuxnet malware attacks against the Iran nuclear program.

"They hack our nuclear plants using STUXNET and FLAME like malwares, they are bombing us 27*7, we can't sit silent - hack to payback them," The Hacker News quotes the hackers as saying.

KHS' supposed grievance makes weather.gov a bit of of an odd target. However the group threatened to carry out further attacks against US government systems.

The weather.gov website was back up and running at the time of writing on Friday afternoon.

A post on Sophos's Naked Security blog reports that the local file inclusion vulnerability was quickly patched but at least one other vulnerability, a cross site scripting hole, was subsequently discovered on the site. It's unclear if the XSS vulnerability, which is the sort of thing that's most useful for those interested in running phishing attacks rather than punching through web servers to hack into back-end databases, has been fixed as yet.

Weather.gov is run by the US National Weather Service, part of the National Oceanic and Atmospheric Administration (NOAA). NOAA is a unit of the US Department of Commerce in charge of providing "weather, water, and climate data, forecasts and warnings for the protection of life and property and enhancement of the national economy". It's also well known as custodian as one of the three main databases used to measure global warming: the other two belong to NASA and the British Met Office's Hadley Centre. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.