08 November 2010

Microsoft strikes again

BBC News reports that the Royal Navy’s Web site has been compromised by a Romanian hacker. According to their report, the attacker used SQL injection to gain entry; that made me wonder, of course, what database software was running on the server that allowed an attacker to crack the Royal Navy’s site. A handy little command-line tool called curl showed me—run curl -I http://www.royalnavy.mod.uk and you get the following:

HTTP/1.1 200 OK
Content-Length: 70
Content-Type: text/html
Content-Location: http://www.royalnavy.mod.uk/index.html
Last-Modified: Sat, 06 Nov 2010 13:27:40 GMT
Accept-Ranges: bytes
ETag: "0ee7b62b67dcb1:7904"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 08 Nov 2010 17:46:10 GMT

(There are, of course, lots of ways to look at a Web page’s headers; this is just handy way that doesn’t require actually loading the page in a browser.)

Somebody decided to host the Royal Navy’s Web site on a Windows server. Oddly enough, the BBC’s reporters didn’t think that little bit of information was an important part of the story. If I were in the Ministry of Defence, I’d be asking questions right now about how defence IT infrastructure was allowed to use such an infamously insecure system—as well as wondering if anything more critical to national security than a public Web site is similarly exposed.

Luckily, the U.S. Navy would never be so foolish as to do something like that. Right?

Let’s see... curl -I http://www.navy.mil:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Location: http://www.navy.mil/usnhome.html
Last-Modified: Thu, 11 Oct 2007 20:24:13 GMT
ETag: "8094fdaf44cc81:287"
Server: Microsoft-IIS/6.0
Header: US Navy
X-Powered-By: ASP.NET
Cache-Control: max-age=502
Date: Mon, 08 Nov 2010 18:03:59 GMT
Connection: keep-alive

Ah, I see. Well, at least the Marine Nationale and the Deutsche Marine use Apache. Oh, and so does the Chinese defence ministry. (The Russians use Russian-developed open-source software to run their Ministry of Defence site.)

No comments:

Post a Comment