[ISN] Database hacking spree on US Army, NASA, and others costs gov’t millions

http://arstechnica.com/security/2013/10/database-hacking-spree-on-us-army-nasa-and-others-cost-gov-millions/

By Dan Goodin
Ars Technica
Oct 28 2013

Federal prosecutors have accused a UK man of hacking thousands of computer systems, many of them belonging to the US government, and stealing massive quantities of data that resulted in millions of dollars in damages to victims.

Lauri Love, 28, was arrested on Friday at his residence in Stradishall, UK following a lengthy investigation by the US Army, US prosecutors in New Jersey said. According to prosecutors, the attacks date back to at least October 2012. Love and other alleged hackers are said to have breached networks belonging to the Army, the US Missile Defense Agency, NASA, the Environmental Protection Agency, and others, in most cases by exploiting vulnerabilities in SQL databases and the Adobe ColdFusion Web application. The objective of the year-long hacking spree was to disrupt the operations and infrastructure of the US government by stealing large amounts of military data and personally identifying information of government employees and military personnel, a 21-page indictment said.

“You have no idea how much we can fuck with the US government if we wanted to,” Love told a hacking colleague in one exchange over Internet relay chat, prosecutors alleged. “This… stuff is really sensitive. It’s basically every piece of information you’d need to do full identity theft on any employee or contractor” for the hacked agency.

According to prosecutors, Love used automated scanners to identify vulnerabilities in large ranges of IP addresses. He would then exploit them to inject powerful SQL commands into a site’s backend database. He exploited similar types of vulnerabilities in sites that used ColdFusion, the Web application software whose full source code was recently found on a server operated by hackers.

The ColdFusion security flaw, which has since been corrected, allowed Love to gain administrator-level access to computer servers without proper login credentials, a separate criminal complaint filed in a Virginia federal court alleged. After breaching the websites, Love allegedly planted backdoor code on the servers that gave him persistent access to the networks so he could return at a later date and steal confidential data. […]