The embarrassing LulzSec data raid on the MilitarySingles.com dating site in March was caused by a catalogue of security problems including poor web application design and the use of inadequate encryption, an analysis from Imperva has claimed.
According to Imperva, the primary weakness was that the attackers were able to upload a PHP script file simply by changing its file extension to make it appear to be an image file, the only category of upload allowed from users.
Because the file check (i.e. the ability to recognise that the upload was a script rather than an image) was implemented in the client browser, the attackers bypassed it using a proxy.
The web server was apparently not firewalled from the server holding user data. This gave control of the site to the attackers, Imperva said, but there was worse to come.
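The weakness described above is that the only check on uploads ran in the browser, where anyone in control of the request can switch it off. The example below is added here and is not Imperva's analysis or the site's code: it shows the server-side counterpart a defender would want, which ignores the browser's filename and MIME type, identifies the content from its leading bytes, requires the claimed extension to match what was detected, and stores the file under a server-generated name. The image signatures, the extension allowlist and the sample uploads are constructed for this example (the site was PHP-based; the same check there would use the Fileinfo extension rather than a hand-rolled signature table).

```python
import os
import secrets

# Constructed allowlist: images were the only upload category the site allowed.
# Each entry maps a canonical extension to the leading bytes a genuine file has.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}


class UploadRejected(ValueError):
    """Raised when an upload fails a server-side check."""


def detect_image_type(data: bytes):
    """Return the image type implied by the file's leading bytes, or None."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload(client_filename: str, data: bytes) -> str:
    """Server-side check that never trusts the browser's filename or MIME type.

    Returns the name under which the file should be stored. The extension comes
    from the detected content, the rest is random, so nothing the client sent
    (path separators, double extensions, null bytes) reaches the filesystem.
    """
    if not data:
        raise UploadRejected("empty upload")
    _, ext = os.path.splitext(os.path.basename(client_filename))
    ext = ext.lower().lstrip(".")
    ext = EXTENSION_ALIASES.get(ext, ext)
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension .{ext} is not an allowed image type")
    detected = detect_image_type(data)
    if detected is None:
        raise UploadRejected("content does not look like an image")
    if detected != ext:
        raise UploadRejected(f"extension .{ext} does not match content ({detected})")
    return f"{secrets.token_hex(16)}.{detected}"


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes every server-side check."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample uploads: a genuine PNG header, and a script whose
    # extension was changed to look like an image (the renaming trick in the story).
    real_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    renamed_script = b"<?php echo 1; ?>"
    print(is_accepted("photo.png", real_png))        # True
    print(is_accepted("avatar.jpg", renamed_script))  # False
```

Two further controls belong with this check and are outside the snippet: the upload directory should sit outside the web root (or be served with script execution disabled), and a firewall rule should keep the web tier from reaching the database host except through the application's own connection.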
Account passwords were hashed with the relatively weak MD5 algorithm, which allowed the hackers to recover the majority of them within a matter of hours.
During the attack the user names, email addresses, passwords and even IP addresses for around 170,000 MilitarySingles’ subscribers turned up on Pastebin after an attack claimed by a group calling itself ‘LulzSec Reborn’.
It probably didn’t help that large numbers of the passwords were trivial, including ‘password’, ‘123456’, ‘iloveyou’ and other forms open to dictionary attacks.
At the time of the hack, the operator of MilitarySingles denied that a serious incursion had happened. This position has apparently not changed.
“At this time there is no actual evidence that MilitarySingles.com was hacked and it is possible that the Tweet from Operation Digiturk [regarding the LulzSec hack] is simply a false claim,” read a statement. Despite the denials, this view now looks optimistic.
“Social networking, user-generated content and PHP-based applications are prevalent on the web, but this report gives pause to consider how easily sensitive personal information can be accessed through these channels,” said Imperva CTO, Amichai Shulman.
Imperva didn't say how it researched the chain of security weaknesses at MilitarySingles or could be sure of its facts given the site's denials.
However, the US and other militaries should accept that Web 2.0 social media now posed a significant security risk and develop appropriate policies as a matter of urgency. Failing to do this could put operational and personal data at risk of compromise, he said.
Although password policies were being ignored, even strong ones were no longer enough. Carefully designed encryption systems conforming to the latest NIST guidance were essential, while web applications needed to assume that determined hackers were looking for weaknesses.