Establishing Digital Trust: Don't Sacrifice Security for Convenience
Using a common gateway interface (CGI) hack, a defacing team calling itself the Deceptive Duo posted the information on the U.S. Navy site to "ensure that the public is aware of the United States of America's lack of security."
At the bottom of the defaced Web page (which has since been taken offline), several screen shots have been added, notably what seems to be a flight schedule and passenger manifest for a Midwest Express airline database using Microsoft Access in Windows XP Office.
"This situation proves that we are all still vulnerable even after 9/11," the DeceptiveDuo posted on its defacement. "Tighten the security before a foreign attack forces you to. At a time like this, we cannot risk the possibility of compromise by a foreign enemy," the Web page statement read.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i Officials at Midwest Airline and the Department of the Navy were not immediately available for comment.
It also appears the e-mail addresses and full names of Midwest Express customers have been compromised with the screenshot, which one security expert said, "seemed legitimate, and not just a manipulated image map."
In an instant messaging interview with the two members, the Deceptive Duo said it was "quite easy" to break into the database of the airline and the Union Bank.
The two wouldn't explain how the bank database was accessible, but said they got into Midwest Express because of a relatively common vulnerability. The airline uses Microsoft SQL, which has a default password to login. It's seems the system administrator didn't change the password when the database was implemented and put on a live network. The two merely gained access to the corporate intranet and typed in the default password to get in the database.
In a pre-emptive rebuttal to critics who say Web site defacing/hacking is not the way to publicize security breaches, the Deceptive Duo said it has attempted to gain the attention of the affected companies attention in the past.
"We've tried subtle ways of informing the (admins of) vulnerable servers," one of the duo said. "It seems that it takes drastic means for others to realize the severity of this all. And I feel if we show the mass public, others will flex and strive to secure their servers as well. I mean, we see everyone pushing for stronger security, yet we are still witnessing breaches?"
"Unfortunately, it takes action to get a reaction," the duo concluded.
This story was first published on InternetNews, an internet.com site.