Unpatched US Government Website Gets Pwned By Pro-Iran Script Kiddie (arstechnica.com) 87
An anonymous reader quotes a report from Ars Technica: On the heels of the killing of Iranian Revolutionary Guard Corps General Qassem Soleimani by a U.S. MQ-9 Reaper strike on January 2, the U.S. Department of Homeland Security warned of potential cyberattacks against critical infrastructure by Iran. That warning probably didn't apply to the website of the Federal Deposit Library Program, operated by the U.S. Government Printing Office -- which was defaced on January 4 with a pro-Iranian message and an image of a bloodied President Donald Trump being punched by an Iranian fist.
The FDLP website is no stranger to defacement attacks. As a brief analysis of the attack by a security researcher with the Twitter username @sshell_ noted, the site has been defaced twice in the last 10 years -- most recently in 2014, when it was replaced with an electronic dance music video featuring a dancing cat. Based on a fingerprint of the site's files, the site -- based on the Joomla content management system -- had not had its code updated since 2012. And the site had modules that used a version of Joomla's RSForm that had been flagged 11 months ago as being vulnerable to a SQL Injection attack. While the image depicting Trump had no metadata attached to it, another image with text had Exchangeable Image File Format (EXIF) data indicating it had been created with Adobe Photoshop CS 6 for Windows in 2015. As sshell_ noted, the image was used in a defacement reported to the "cybercrime archive" Zone-H by a user identifying themselves as IRAN-CYBER on December 2, 2015. A DHS spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) said that "there is no confirmation that this was the action of Iranian state-sponsored actors."
The FDLP website is no stranger to defacement attacks. As a brief analysis of the attack by a security researcher with the Twitter username @sshell_ noted, the site has been defaced twice in the last 10 years -- most recently in 2014, when it was replaced with an electronic dance music video featuring a dancing cat. Based on a fingerprint of the site's files, the site -- based on the Joomla content management system -- had not had its code updated since 2012. And the site had modules that used a version of Joomla's RSForm that had been flagged 11 months ago as being vulnerable to a SQL Injection attack. While the image depicting Trump had no metadata attached to it, another image with text had Exchangeable Image File Format (EXIF) data indicating it had been created with Adobe Photoshop CS 6 for Windows in 2015. As sshell_ noted, the image was used in a defacement reported to the "cybercrime archive" Zone-H by a user identifying themselves as IRAN-CYBER on December 2, 2015. A DHS spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) said that "there is no confirmation that this was the action of Iranian state-sponsored actors."
Re: (Score:1)
CMS software such as Joomla was never approved for use on any US gov system I supported. How was this even possible?
"approved" vs "whatever the sysadmin wants" isn't always the same thing...
Re:Joomla? (Score:4, Insightful)
The problem here isn't really Joomla. It's that they haven't updated any security fixes since 2012.
Re: (Score:3)
Holy shit, so we're talking Joomla one or early Joomla 2. Not that every version isn't a bitch to maintain, but wow. I'm surprised it hasn't frequently been hacked by accident.
Re: Joomla? (Score:1)
Re: (Score:2)
Re: (Score:2)
For a site that hasn't updated at all in 8 years, what makes you think they were on the leading edge when they were still updating?
Re: (Score:2)
Wasn't the WhiteHouse site built with Drupal?
Re: (Score:3)
Yes, it was. https://www.drupal.org/u/white... [drupal.org]
Re: (Score:3)
Depends on the importance of the system...
A server hosting a public facing website probably doesn't contain any sensitive information, and might not even be connected to a government network (it may be hosted externally)... It might even be entirely managed by a third party.
The worst case is the public embarrassment...
No sensitive data is compromised.
Poor security reputation does not result in loss of business, as this is government and citizens don't have a choice.
Given all the above factors, it's just not
Trillions spent on defense... (Score:4, Interesting)
Trump boasts that the USA has spent trillions on defense but I guess they ran out of money for software updates eh?
I'd much rather that Iran's response was in the form of posting pretty pictures than something more tangible and violent. So far so good!
Re: (Score:2)
Re: (Score:2)
Iran is sexually frustrated, that's all.
Really? Their population growth rate is over 1 percent...
Whatever, the story is war mongering bullshit, "Pro-Iran"? Please!
Re:Trillions spent on defense... (Score:5, Insightful)
their wives are subjugated into being barefoot and pregnant. It's the will of Allah!
Sounds an awful like what Evangelical Christians want to do to this country with the help of Republicans.
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
The post made no mention of a race or skin-tone. Thus, your complaint makes no sense to me.
Re: (Score:2, Flamebait)
Nice whataboutism there.
Funny, that's exactly what the con artist does every time one of his crimes is uncovered. "WHAT ABOUT HILLARY?? Why is she being investigated?"
I'm presuming you say the same thing about him, right?
Also, gays have been killed by Christians in this country and several high profile evangelical ministers, not to mention other supposed men of the cloth, have called for gays to be killed.
Re: (Score:2)
I hardly believe that is an issue when Sunni "allies" practice the same thing. You really think that shit comes up in the war room or committee meetings?
Re: (Score:3)
Trump boasts that the USA has spent trillions on defense but I guess they ran out of money for software updates eh?
I'd much rather that Iran's response was in the form of posting pretty pictures than something more tangible and violent. So far so good!
Regardless of who did this*, this was the lowest of the low hanging fruit. A much smarter move would be to not telegraph your capabilities and surreptitiously install hacks and then wait for the right moment to trigger them.
-----
* It could have been Iran, or it could have been another state actor pretending to be Iran and seeing a fun opportunity present itself
Re: (Score:2)
surreptitiously install hacks and then wait for the right moment to trigger them.
Yes! Break the website of the Federal libraries at the most opportune time, comrade!
Re: (Score:2)
Re: Trillions spent on defense... (Score:1)
Re: (Score:2)
Re: (Score:1)
I'd much rather that Iran's response was in the form of posting pretty pictures than something more tangible and violent. So far so good!
Do you think the lack of a violent response is due to a rational and reasonable decision on the part of the Iranians?
Re:Trillions spent on defense... (Score:4, Insightful)
Trump boasts that the USA has spent trillions on defense but I guess they ran out of money for software updates eh?
I'd much rather that Iran's response was in the form of posting pretty pictures than something more tangible and violent. So far so good!
The Iranians have to come up with something spectacular but victimless that does not trigger the full blown war Trump wants for his 2020 election campaign. Doing things like using cyber attacks to take down the electrical grid in parts of the US would probably serve that purpose. If this does end in a war I sure hope that they draft the Trump supporters first as cannon fodder for the ground invasion of Iran, they are the ones who got us into this mess. The Israelis can also contribute some boots, Netanyahu has been itching for a war with Iran for years although I think his plan has been for the US to pay for it, US troops to do the fighting and US troops to do the dying.
Re: (Score:3)
If this does end in a war I sure hope that they draft the Trump supporters first as cannon fodder for the ground invasion of Iran, they are the ones who got us into this mess.
As opposed to Obama supporters that were ok with him giving the terrorists billions of dollars to buy weapons, or maybe the Hillary supporters that were ok with Iran killing Americans in Benghazi and then did nothing about it? Iran killed Americans at an embassy NOT in Iran and so Trump did something about it, as he should have.
You're right about one thing -- Trump supporters will be the ones to fight because they are the only ones in this country who are not cowards. The Islamic Revolutionary Guard Corps in Iran is a modern-day nazi-ss that needs to be wiped from the face of this earth.
Nobody except a bunch of wing nuts who like to use him for pivoting away from the way Trump is currently messing up gives a shit about Obama, he's an ex president. But even if we spend some time on your rant, all you are really doing is arguing Obama did stupid shit so Trump can do stupid shit too.
Re: (Score:2)
Wow, six lies in four sentences. Do you write for Fox News?
Re: (Score:1)
You got the Israel part backwards. Iran has been bucking for a war with Israel down to the last Arab (Iran is Persian). They'll be safely behind them 100%. First up in the cannon fodder line will be Hezbollah, but even Nasrallah isn't stupid enough to put his balls out there where Israel will be happy to step on them. Rather, Iran will use their useful idiots in Syria to take a few pot shots, Israel will take a few pot shots back and that will be that. Unless La Presidenta Tweetie does something further tha
Re: (Score:3, Informative)
You got the Israel part backwards. Iran has been bucking for a war with Israel down to the last Arab (Iran is Persian).
While I appreciate the loyalty to Israel that compels you to whitewash them of any blame in the mess that is the Middle East conflict I feel compelled to point out that when two people are feuding it is never just one of them that is to blame. Just because I pointed out how the Israelis are itching for (the USA) to go to war with Iran because they themselves don't have the capability to do it themselves does not mean that I'm in denial about how much Iran hates Netanyahu's Israel. From a dispassionate Machi
Re: Trillions spent on defense... (Score:1)
Re: Trillions spent on defense... (Score:1)
Re: (Score:1)
More troubling than anything is the outpouring of support for the Islamic Republic of Iran, a fascist theocratic imperialist state that just got through murdering thousands of its own citizens who rose up in protest.
They went straight on supporting Shiia militias in Iraq trying to undermine Iraq's own governing structures to gain influence there, ethnically cleansed Sunni areas under the guise of fighting ISIS, and are a major reason why Assad has survived by supporting his violent oppression of his peopl
Re: (Score:3)
Iraq's own governing structure? You mean the puppet government that the US put in power? May as well stop reading there.
Re:Trillions spent on defense... (Score:4, Insightful)
"wipe Israel off the map"
That idiom doesn't even exist in Farsi, it was gratuitously inserted into a "translation" of a speech by Memri, a rather shadowy organization made up mostly of former Israeli intel agents who do free translations from Arabic, Farsi and Pashtun to English for the western media. Since using Memri is cheaper than actually paying someone to do a competent translation that bit of fiction is now widely accepted in the West. Well done, guys. Sleazy, but well done.
At least five missions have gone to Iran to inspect the nuclear processing facilities, **none** have found any evidence that they're enriching uranium beyond what is useful for nuclear power plants. Multiple high-ranking mullahs have issued fatwas against WMD in general and nukes in particular. They don't seem to be working on a nuke. Besides, if they were actually interested they could have bought a former USSR one from Condi Rices' former business partner Victor Bout for only $60 million back when they were buying ex-Soviet tanks from him.
They want to break into the lucrative market for power plant fuel. It's not an accident that NBC is one of the anti-Iran propaganda leaders, since they're owned by nuclear fuel supplier GE.
Re: (Score:2)
So did you go out and cut the straw for that man all by yourself, or did you just go down and buy a bale?
Re: (Score:1)
Re: (Score:2)
Trump boasts that the USA has spent trillions on defense but I guess they ran out of money for software updates eh?
Trump demanded they change update providers:
"It sounded bad to me. Digital. They have digital. What is digital? And it's very complicated, you have to be Albert Einstein to figure it out. [...] I said, 'What system are you going to be--' 'Sir, we're staying with digital.' I said, 'No you're not. You going to goddamned Steam [steampowered.com], the digital costs hundreds of millions of dollars more money and it's no good.'"
Free external security audit (Score:3)
Re: Free external security audit (Score:1)
I'm not sure (Score:2)
To get serious (Score:4, Interesting)
If pro-Iran hackers really wanted to strike back what they should do is break into every one of the private e-mail servers in use by Trump, his kids, and cabinet members and staff. You know -- the kind that they wanted to "lock her up" for?
I am sure there is enough material there to do more damage than any physical attack anywhere.
Re:To get serious (Score:5, Funny)
They could break into Donald Trump's Twitter account and start posting sensible, rational, coherent tweets. The GOP would probably collapse at that point.
Re: (Score:1)
I'd panic also. It could mean the "new" President had become an avatar.
(Although, rumor has it the current one is a child avataring in an adult's body. It happens. [fandom.com])
Re: (Score:2)
I'd panic also. It could mean the "new" President had become an avatar.
I'm not seeing the downside.
Re: (Score:1)
Well, the avatar could end up being controlled by, well, um ... okay, I see your point.
Re: (Score:2)
They could break into Donald Trump's Twitter account and start posting sensible, rational, coherent tweets.
Would Trump deny responsibility or take credit? And would people believe him or not believe him if he did one or the other?
Re: (Score:2)
They could break into Donald Trump's Twitter account and start posting sensible, rational, coherent tweets.
Would Trump deny responsibility or take credit?
Yes
And would people believe him or not believe him if he did one or the other?
Yes
Re: (Score:2)
They have been targeting Trump properties for decades. That's why they ask have bed bugs, design reminiscent of Saddam's abandoned palaces and smell of elderberries.
and now that Kiddie can face adult solder time (Score:2)
and now that Kiddie can face adult solder time.
But will that be in an nice POW camp with an get out free when the war is over?
Re: (Score:2)
Adult solder time? What will he be soldering? Do you think he'll be a better hardware hacker than he was a script kiddie? :-)
Is an state hacker an soldier under the Geneva con (Score:2)
Is an state hacker an soldier under the Geneva convention??
Re: (Score:2)
Ah, you didn't see the misspelling, 'solder' for 'soldier'.
No, I don't believe that a hacker would be considered a soldier under the Geneva Convention unless they're uniformed, no more than a janitor at the Pentagon would be.
Re: (Score:2)
Persons who accompany the armed forces without actually being members thereof, such as civilian members of military aircraft crews, war correspondents, supply contractors, members of labour units or of services responsible for the welfare of the armed forces, provided that they have received authorization from the armed forces which they accompany, who shall provide them for that purpose with an identity card similar to the annexed model.
Re: (Score:2)
Welp that's it (Score:2, Funny)
Low hanging fruit? (Score:2)
This seems like a site that is designed to be taken over by any enemy who wishes harm to us. It's not that important, and not patched up to date in years. Now we have proof Iran wants to mess with our IT... shields up everyone!
The real question (Score:2)
Where's the link to the electronic dance music video featuring a dancing cat?
It begins (Score:4)
Some Iran-Americans got blocked or flatly refused entry at the Canadian border when they tried to get home from a concert so I guess Trump and his goons will open new concentration camps for the 2 million living in the US, they still have the plans from when they did it to the Japanese during WWII.
Re: (Score:2, Troll)
You mean how the Republican President, FDR, locked up all those Japanese American citizens? Oh wait....
Lets get history straight here. FDR needed support from the right wing nut jobs so he was in no position to appose their demands. Before the war he could not even push through legislation to outlaw lynchings and make it a federal crime. During the war he could not integrate the services because of the racist nut jobs. FDR was a great leader for the very reason that he found room to compromise with the assholes who would rush to judge other humans in prejudice by race. Even he could not reign in the greatest
Re: (Score:1)
The facsist democrats in Virginia are preparing to lock people up for not following their new gun seizure scheme. They actually said they were increasing the budget to put Virginians in jail.
Democrats/socialist/communists/fascist put people in concentration camps. Look at your history.
the huge consequences of 1953 (Score:5, Informative)
The tactics of the CIA under the thinly veiled guise of "fighting international communism" is in reality the huge lie which any sane individual can see through. The reality is that the tactics used by players like E. Howard Hunt and the others in the CIA are just another form of fascism in disguise. I do not know if the US can dig itself out of the hole it has created since the inception the CIA, I fear the hatred of what the CIA has done internationally even where undeserved is too strong. The Russians are certainly no better bed fellows in this regard but the damage done by the cold war and corporate sponsored international anti democratic actions by the CIA runs deep. People are not stupid they know who is stopping democracy, it matters little whether it is the actors in the CIA or what was the KGB the truth about what is really happening is well understood by the common folk.
I am deeply afraid that the situation this time around cannot be resolved until the US owns up to the crimes it has committed against democracy. And finally stops supporting corporate and economic terrorism world wide.
Re: (Score:3)
Well, there was the action in 1953, but also supporting the Shah while he massacred 8-10% of the population of the country, then feeding chemical weapons to Iraq during the Iraq/Iran war as well feeding both sides intel to keep the war going longer, and most recently the illegal embargoes that have given a gut-punch to the local standard of living. The Iranians have lots of reasons to hate the US government, although surprisingly they seem to hold little to no acrimony against the regular US citizens.
Re: (Score:2)
The Shah did not do any massacres .... ... so he could not feed any chemical weapons to anyone. ... so why the funk would he give chemical weapons to Iraq and sent intel to both of them?
During the Iran/Iraq war, he was long disposed
And your posts makes double plus ungut no sense: as the Shah was the ruler of Iran
Re: (Score:2)
The Shah's secret police killed or disappeared tens of thousands, the police and military ran rampant and killed with impunity, and the minority groups were subject to repeated massacres any time they stepped out of line. Protests were machine gunned. Of course we didn't hear about that in the west, since the Shah was "our" ally he had to be a a good guy after all. Remember, we didn't hear about the 'disappeared' in Argentina until the Junta had been removed, or even about East Timor until Suharto was lo
Re: (Score:3)
The Shah's secret police killed or disappeared tens of thousands, No, they/he did not.
the police and military ran rampant and killed with impunity, and the minority groups were subject to repeated massacres any time they stepped out of line. nope.
Protests were machine gunned. nope.
Actually the only ones who protested were former nobility from which he took the land and distributed it to the poor.
The Shah was a Robin Hood for Iran. There were no protests big enough that a machine gun would be useful.
He was
Re: (Score:2)
If the US (and UK) had not overthrown the democratically elected leader of Iran in order to protect the British AIOC oil company (which would later become BP) then Iran likely wouldn't be a problem (or an Islamic dictatorship)
Re: (Score:2)
“I spent 33 years and four months in active military service and during that period I spent most of my time as a high class muscle man for Big Business, for Wall Street and the bankers. In short, I was a racketeer, a gangster for capitalism. I helped make Mexico and especially Tampico safe for American oil interests in 1914. I helped make Haiti and Cuba a decent place for the National City Bank boys to collect revenues in. I helped in the raping of half a dozen Central American republics for the benef
Dozens of visitors? (Score:2)
That site gets dozens of visitors. Dozens!
therearedozensofus.jpg