The US Government is not having a good time of it. Earlier in the week the FBI was hacked, and now the U.S. Navy and Department of Homeland Security websites have been hacked via blind SQL injection.
A group calling themselves “Digital-corruption” hacked into domains of both sites and leaked database information onto the popular hacking dumping ground, Pastebin.
The leaked data came from two websites, www.smartwebmove.navsup.navy.mil and twicinformation.tsa.dhs.gov, and consisted of a database dump of usernames, passwords, email addresses and, more worryingly, security questions and answers.
The original database backend on both sites was Oracle. At the same time ua.edu, the University of Alabama, was also hacked; it had a MySQL backend.
The Skiddies used a standard SQL injection scan, searching the internet with automated tools that are widely available. The question then becomes why these types of organisations are not doing their own scans or at least employing an external party to complete these scans on an automated basis.
Metasploit is free; download a copy, guys.
The Navy site is still down; the TSA site is up, as is the University of Alabama.