
LulzSec MilitarySingles data breach caused by weak security

March attack exposed 170,000 user accounts


The embarrassing LulzSec data raid on the MilitarySingles.com dating site in March was caused by a catalogue of security problems including poor web application design and the use of inadequate encryption, an analysis from Imperva has claimed.

According to Imperva, the primary weakness was that the attackers were able to upload a PHP script file simply by changing its file extension to make it appear to be an image file, the only category of upload allowed from users.

Because file control (i.e. the ability to recognise that the script was not in fact an image) was implemented only in the client browser, the attackers bypassed it using a proxy.
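As an added illustration, not taken from the article or from Imperva's report, this is the kind of server-side validation that would have stopped a renamed PHP script: extension, leading magic bytes and content are all checked on the server, and the client-supplied filename is discarded. The function name, the signature table and the script markers are constructed for this example.

```python
import os
import secrets
from typing import Tuple

# Allowed image types, keyed by extension, with the magic bytes each must begin with.
# Constructed allowlist for this example; a real application extends it as needed.
IMAGE_SIGNATURES = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}

# Substrings whose presence inside an "image" means it carries script content.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_image_upload(client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Server-side check that trusts nothing the client claims.

    Returns (accepted, reason) on rejection or (accepted, stored_name) on success.
    """
    # 1. Extension allowlist, judged on the last suffix only, so "shell.php.jpg"
    #    is treated as ".jpg" and must still look like a JPEG below.
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed"

    # 2. The content must start with the magic bytes of the claimed type;
    #    renaming a script to .jpg does not change its first bytes.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match claimed image type"

    # 3. Reject script markers even when the header is valid (a payload
    #    appended to a genuine image header is a common evasion).
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script content found inside image"

    # 4. Never reuse the client's name: a server-generated name means no path
    #    or double-extension trick survives into the upload directory, which
    #    should itself sit outside the web root with script execution disabled.
    return True, secrets.token_hex(16) + ext
```

Each check is independent, so removing the browser-side check entirely (as the attackers effectively did with a proxy) changes nothing about what the server accepts.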

The compromised web server was apparently not firewalled from the server holding user data. This gave the attackers control of the site, Imperva said, but there was worse to come.

Account passwords were hashed using the relatively weak MD5 algorithm, which allowed the hackers to recover the majority of them within a matter of hours.

During the attack the user names, email addresses, passwords and even IP addresses for around 170,000 MilitarySingles’ subscribers turned up on Pastebin after an attack claimed by a group calling itself ‘LulzSec Reborn’.

It probably didn’t help that large numbers of the passwords were trivial, including ‘password’, ‘123456’, ‘iloveyou’ and other forms open to dictionary attacks.

At the time of the hack, the operator of MilitarySingles denied that a serious incursion had happened. This position has apparently not changed.

“At this time there is no actual evidence that MilitarySingles.com was hacked and it is possible that the Tweet from Operation Digiturk [regarding the LulzSec hack] is simply a false claim,” read a statement. Despite the denials, this view now looks optimistic.

"Social networking, user-generated content and PHP-based applications are prevalent on the web, but this report gives pause to consider how easily sensitive personal information can be accessed through these channels,” said Imperva CTO, Amichai Shulman.

Imperva didn't say how it researched the chain of security weaknesses at MilitarySingles or could be sure of its facts given the site's denials.

However, Shulman said, the US and other militaries should accept that Web 2.0 social media now pose a significant security risk and develop appropriate policies as a matter of urgency. Failing to do this could put operational and personal data at risk of compromise.

Although password policies were being ignored, even strong passwords were no longer enough. Carefully designed encryption systems conforming to the latest NIST guidance were essential, while web applications needed to assume that determined hackers would be looking for weaknesses.
