[3007] in WWW Security List Archive
Re: CIA Web Page Hacked
daemon@ATHENA.MIT.EDU (Robert Malmgren)
Fri Sep 20 04:53:41 1996
Date: Fri, 20 Sep 1996 09:09:07 +0200 (MET DST)
From: Robert Malmgren <rom@incolumitas.se>
To: c4i-pro@stl.nps.navy.mil, FIREWALLS@GREATCIRCLE.COM, risk@csl.sri.com,
WWW-SECURITY@ns2.rutgers.edu, 76702.3557@compuserve.com
Cc: rom@incolumitas.se
Errors-To: owner-www-security@ns2.rutgers.edu
David Kennedy <76702.3557@compuserve.com> shaped the electrons to form a letter
containing
> o Hacker got in on Wednesday night and the CIA took the system down on
> Thursday morning.
>
> o Part of the hacker's text included "stop lying."
>
It said "Stop lying Bo Skarinder" and the same sentence repeated in Swedish,
"Sluta ljug Bo Skarinder". Mr. Skarinder is the prosecutor in an ongoing trial,
started this Monday, here in Stockholm, Sweden, where five men stand trial
for a number of crimes, among others computer intrusion, fraud and industrial
espionage. The group have called themselves "Swedish Hackers Association" or SHA.
There were a number of links from the hacked CIA page to different SHA-related
information, e.g. their protocols, documents where they brag about things
they've done.

The crimes they are charged with are things they've committed starting in the
early 90's. They have attacked a huge number of sites during their days.
This is the largest such trial in Sweden so far. I believe it is most probable
that they will be convicted for what they've done earlier; some of them are
likely to go to jail.
> o Article states "cyber-attack matched" Department of Justice web server
> compromise.
>
It also matches a number of attacks on other webservers here in Sweden, e.g. the
Swedish PTT called "Telia". Someone unknown changed their website two times the
same weekend, including changing the name to "Felia", a pun on the Swedish word
"fel" which means error or wrong, and changed text, pictures and links.

I heard about it on the news when Telia's head of security was interviewed and
told everyone that they had the situation under control since they've changed
all passwords on the machine. It was later the same day they were attacked
again and the pages were distorted even more.

The attack against Telia was, according to some later news, due to the fact
that the webserver was located outside their firewall and that they
NFS-exported their disks R/W to the world.

The moral of the story is that you should always remember WHY you bought your
firewall in the first place and use it as such. Also a big point to remember is
that there might be other ways they've penetrated the systems than the one one
suspects (bugs in webserver, bad passwords).
> [DMK: No technical details yet. Surely somebody captured a mirror of it and
> will post it just as the DOJ corruption is available. More as it becomes
> available.]
>
When I checked it was available from
http://www.skeeve.net/cia
http://titus.is.co.za/mikev/cia_hack
and several news sites had it available
http://www.cnn.com/TECH/9609/19/cia.hacker/index.html
http://www.svd.se/svd/ettan/xcia.html
Robert
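
Added example, not part of the original message: a check for the misconfiguration the message reports (disks NFS-exported read-write to the world). It assumes Linux exports(5) syntax with unquoted paths; the sample file contents and the function name are constructed for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax; not from any real host.
SAMPLE_EXPORTS = """\
/srv/www   *(rw,no_root_squash)
/home      192.0.2.0/24(rw,sync) backup.example.com(ro)
/pub       (ro)
/data      build.example.com(rw) \\
           *.example.com(ro) 0.0.0.0/0(rw)
/scratch   (rw,async)   # no client name: applies to every host
"""

# Client specs that match any host ("" is an option list with no client).
WORLD = {"", "*", "0.0.0.0/0", "::/0"}
# Either client(options) or a bare client, which gets the read-only default.
CLIENT = re.compile(r"([^\s()]*)\(([^)]*)\)|([^\s()]+)")


def world_writable_exports(text):
    """Return (path, client) pairs for exports any host may mount read-write."""
    text = re.sub(r"\\\n", " ", text)          # join backslash-continued lines
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *rest = line.split(None, 1)
        for host, opts, bare in CLIENT.findall(rest[0] if rest else ""):
            if bare:                           # no option list: default is ro
                continue
            options = {o.strip() for o in opts.split(",")}
            if "rw" in options and host in WORLD:
                findings.append((path, host or "<all hosts>"))
    return findings


if __name__ == "__main__":
    for path, client in world_writable_exports(SAMPLE_EXPORTS):
        print(f"world-writable NFS export: {path} -> {client}")
```

Exports restricted to a named host or subnet, and read-only exports to everyone, are not reported; only entries that combine `rw` with a match-all client are.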