Off-topic Talk Where overpaid, underworked S2000 owners waste the worst part of their days before the drive home. This forum is for general chit chat and discussions not covered by the other off-topic forums.

Protect our Internet rights now!

Old Jan 20, 2012 | 05:37 AM
  #41
thebig33tuna
Joined: Jan 2007
Posts: 32,283
Likes: 0
From: Cincinnati, OH

Again, not really that impressive... I'm not saying they *can't* do really impressive things, I'm saying what most people think of as "hacking" (like what they're doing right now, defacing websites, etc) is the most basic AND easy shit. They do it because it's quick and draws attention.

this is what I'm saying





Now, this shit was much more impressive:
http://arstechnica.com/tech-policy/n...bgary-hack.ars

Read that whole thing and you'll get what I'm talking about.
Reply
Old Jan 20, 2012 | 06:05 AM
  #42  
RedCelica
Thread Starter
20 Year Member
Joined: Apr 2002
Posts: 15,342
Likes: 103
From: Raleigh

Gaining access to the CIA's front webserver is, imho, an amazing feat...this wasn't a redirect, they physically changed the code on the front end. That's badass.
Reply
Old Jan 20, 2012 | 06:10 AM
  #43  
thebig33tuna
Joined: Jan 2007
Posts: 32,283
Likes: 0
From: Cincinnati, OH

I am not trying to talk down to you ... just understand that the CIA's *front page website* isn't much more secure than s2ki's front page.. or any other website. Possibly less so. The actual data that the CIA has, the actual fundamentals of their systems... that shit is stored on entirely different servers with entirely different security. Getting even the tiniest bit of info out of a secure network is 10000000x harder than getting onto someone's public facing website. It's just like the comic... it's spraypainting their front door versus breaking into their actual building. Ballsy - but not difficult.
Reply
Old Jan 20, 2012 | 06:19 AM
  #44  
RedCelica
Thread Starter
20 Year Member
Joined: Apr 2002
Posts: 15,342
Likes: 103
From: Raleigh

I remember studying SQL Injection in my App. Sec. class back in college. Any db that's susceptible to that type of vulnerability and the DBAs should be fired.

'or' = 'or'...bam you're in.
Reply
Old Jan 20, 2012 | 06:24 AM
  #45  
thebig33tuna
Joined: Jan 2007
Posts: 32,283
Likes: 0
From: Cincinnati, OH

Originally Posted by RedCelica
I remember studying SQL Injection in my App. Sec. class back in college. Any db that's susceptible to that type of vulnerability and the DBAs should be fired.

'or' = 'or'...bam you're in.
Completely agree. One of the problems, though, is that it's very hard for government IT to attract intelligent, talented people. Sure, in the CIA's super secret division of counter intelligence or whatever, they probably have very bright people. On their public website? Probably no one important and/or a 3rd party consulting firm. I worked as a consultant for a while for the state gov and man the stories I could tell you. Many of those people are completely incompetent ... and the people in charge of hiring consultants generally go for lowest cost (duh, it's government) which means even 3rd parties involved end up being useless. Just look at that article I posted on HBGary - one of the key mistakes they made was outsourcing one of their websites to a 3rd party who didn't have anywhere near the levels of security they should have.

Also - side note - sql injection is generally prevented on the application development side, not the DBA's responsibility necessarily. If he/she's at all involved in the process, then sure, that should be addressed... but if someone else is writing the app and the stored procedures and such...
Reply
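The point in the two posts above, that the `'or' = 'or'` trick works against code that glues user input into the query text and is fixed on the application side rather than by the DBA, as an added example that is not from this thread. It is Python on the standard library `sqlite3` module; the `users` table, its single row and the tautology string `' OR ''='` are constructed for the demo. The same login check is written twice: once with string concatenation, once with bound parameters, so the difference in behaviour on identical input is visible.

```python
import sqlite3

# Constructed sample data: one user in an in-memory SQLite database.
SAMPLE_USERS = [("alice", "correct horse")]

# The quote-based tautology the posts allude to (constructed test input).
TAUTOLOGY = "' OR ''='"


def make_db():
    """Build an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable login: user input is spliced straight into the SQL text.

    With password  ' OR ''='  the WHERE clause becomes
        username = 'nobody' AND password = '' OR ''=''
    AND binds tighter than OR, so the clause is true for every row and the
    query "authenticates" without any valid credentials.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Hardened login: the SQL text is fixed; values travel as bound parameters.

    The driver hands the quote characters to the engine as data, never as
    syntax, so the same tautology is just a password string that matches
    no stored row.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def compare(username="nobody", password=TAUTOLOGY):
    """Run one input through both versions and return who each one matched."""
    conn = make_db()
    try:
        return {
            "concatenated": login_concat(conn, username, password),
            "parameterized": login_param(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare())            # concatenated matches alice, parameterized matches nobody
    print(compare("alice", "correct horse"))   # both match alice
```

Note that the fix is structural, not cosmetic: stripping or escaping quotes by hand in the application leaves the query text and the data mixed together and tends to miss a case, whereas a bound parameter can never change the shape of the statement. The DBA's levers (least-privilege accounts, no shell or file access for the web user) limit what an injection can reach, but only the application code decides whether one is possible.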
Old Jan 20, 2012 | 06:25 AM
  #46  
RedCelica
Thread Starter
20 Year Member
Joined: Apr 2002
Posts: 15,342
Likes: 103
From: Raleigh

Love page 3...social engineering at its finest.
Reply
Old Jan 20, 2012 | 06:27 AM
  #47  
thebig33tuna
Joined: Jan 2007
Posts: 32,283
Likes: 0
From: Cincinnati, OH

Originally Posted by RedCelica
Love page 3...social engineering at its finest.
YES! That was one of the biggest takeaways for me when reading that article. All the security in the world can't stop one person being kind of foolish and handing out a password.
Reply
Old Jan 20, 2012 | 06:28 AM
  #48  
RedCelica
Thread Starter
20 Year Member
Joined: Apr 2002
Posts: 15,342
Likes: 103
From: Raleigh

Jussi is a f@#king idiot.

"Greg doesn't know his username" BIG FAT RED FLAG THERE JUSSI!!
Reply
Old Jan 20, 2012 | 07:45 AM
  #49  
whiteflash
Joined: Jan 2010
Posts: 23,911
Likes: 4
From: Benicia, CA



What is impressive though is the number that collaborated; 5,000+ people running LOIC at the same time? That's a lot of pissed off people.
Reply