The Ministry of Defence has confirmed that the Royal Navy website has been suspended after it was hacked into
The Royal Navy may rule the waves, but their web surfing skills have been exposed after a hacker broke into its main website (www.royalnavy.mod.uk) and revealed people’s usernames and administrator passwords.
The embarrassing attack last Friday night led to the Royal Navy taking the decision to suspend the website. And the site is still down as of late Monday afternoon.
No Malicious Damage
“We can confirm that there was a compromise of the Royal Navy public-relations inter-net website over the weekend,” a Royal Navy spokeperson told eWEEK Europe UK in an emailed statement. “There has been no malicious damage; but as a precaution, the RN website has been temporarily suspended. Security teams are investigating. Access to this website did not give the hacker access to any classified information.”
This view was backed up by Sophos security expert Graham Cluely, who said that the hacker responsible is a Romanian national who calls himself TinKode, and that his actions were more mischievous than dangerous.
TinKode did not take long to boast about his attack, using his blog to publicise it and the sensitive passwords he was able to uncover. Messages of congratulations were reportedly posted on his blog after news of his security breach spread.
TinKode has prior form in this area as he has also revealed security holes in NASA’s website, and has published information about SQL injection vulnerabilities in sites belonging to the US Army.
“The MoD is lucky that on this occasion, those behind the hack have been motivated more by mischief than malice,” said Cluley. “With luck this security breach is more of an embarrassment to the Ministry of Defence than a more significant assault on a website presenting the public face of an important part of the armed forces.
“All website owners should take note of this attack and the need to build secure websites that cannot be breached easily by hackers,” he added. “The Royal Navy could have found itself in a far more sinister situation if hackers had chosen to embed spyware onto the website and infected visitors’ computers to steal classified information. Owners of other websites shouldn’t be under the misapprehension that it couldn’t also happen to them.”
This hack has demonstrated the increasing need for the government to take the cyber threats more seriously. And it comes just weeks after the coalition government earmarked £650 million for a national cyber security programme.
Cyber Defence Programme
“This money will significantly enhance our ability to detect and defend against cyber attacks and fix shortfalls in the critical cyber infrastructure on which the whole country now depends,” said Prime Minister David Cameron at that time.
And Home Secretary Theresa May has promised increased support for cyber-warfare measures following the warning last month from the boss of GCHQ (the UK agency responsible for gathering intelligence, eavesdropping and breaking codes) that the UK is facing ‘real and credible’ threats from cyber attacks on its critical infrastructure.
GCHQ director Ian Lobban said that government systems are targeted 1,000 times each month. He said that such attacks threatened Britain’s economic future and added some countries were already using cyber assaults to put pressure on other nations. “Cyberspace is contested every day, every hour, every minute, every second,” he said.
This was starkly illustrated when it emerged recently that the Iranian Cyber Army (which had previously attacked Twitter), is now offering to sell access to its botnets.
And last week The Cyber Europe 2010 test took place, which simulated an attack designed to cut Europe’s nations off from one another, with critical systems targeted. This happened to the Asian nation of of Myanmar, formerly Burma, after it was hit by a massive denial-of-service attack last week.