Hacker Offers Fire Sale On Military, Gov't Websites

A hacker recently made a post stating he'll give anyone willing to pay $499 behind-the-scenes access to confidential network files, including those of the US Army. The hacker posted a price list for access to a range of sites on an underground digital forum, along with offers for other illicit services.

While there's no way to be certain the offer is legitimate, at least one security expert says he's seen evidence which suggests that offer is in fact genuine. (Source: krebsonsecurity.com)

US Military Intelligence Website Vulnerable

Among the most high profile web sites said to be vulnerable is CECOM, an American agency responsible for acquiring military intelligence technology. The post claims to offer complete administrative control of the site, plus access to secure sections, for only $499.

It appears that the US government has taken the threat quite seriously, as the CECOM website was offline at the time of this writing.

State Government Websites at Bargain Basement Prices

The post went on to mention that for $99, one could take control of the official Utah state government site, while more limited access to the Michigan state site could be had for just $55. There are also a range of international sites available, including the Albanian army and several Italian government websites.

Like all good menus, there's also a section of appetizers: $20 buys a list of 1,000 records from an educational or government user database, complete with names, addresses, emails and other contact details of users. There's also an offer on 1MB worth of educational establishment websites for $10, the implication being they would be useful for sending spam that is more likely to get through filters.

The hacker has also promised to break into any web site for as little as $9.99. (Source: pcworld.com)

Database Vulnerability the Key

It appears that the majority of attacks would be made using a method known as an SQL injection attack. The technique works by taking advantage of databases that don't put a tight enough control on what text a user can type into the system. This can allow the user to trick the system by typing in data that acts as a command to the database, usually to gain access to its contents.