Network News

X My Profile
View More Activity

Pharmacy Spam Blogs At U.S. Nuclear Safety Lab

The Web site for the institution charged with safeguarding the safety and integrity of the U.S. nuclear arsenal has been inadvertently hosting advertisements and blogs that link to illegal prescription drug sites hawking everything from generic painkillers to erectile dysfunction medication, Security Fix has learned.

Dozens of pages belonging to the official Web site of Lawrence Livermore National Labs appear to have been seeded with the unauthorized advertisements. Beneath each of the full-page ads were a series of blog entries that featured a bizarre mixture of information, including what appears to be ill-translated gibberish interspersed with information that is actually relevant to the advertised drugs.

Security Fix located the pharmacy spam pages by conducting a series of simple Google searches, such as this one.

The sites are all now inactive, and it's not entirely clear how long they were up. According to the oldest date on the time-stamped blog entries, the attackers first began planting the ads and blog posts as early as March 2007.

Update, 11:01 a.m., Aug. 27: After this blog post was published, a source of mine pinged me to say that until this past weekend, several pages on the Lawrence Livermore site were redirecting visitors to other sites that tried to take advantage of Web browser security flaws to install malicious software. These weren't just hyperlinks inserted into an existing page on the government site: They were clearly pages on the government server that were created by malicious attackers, the source said.

By Brian Krebs  |  August 25, 2007; 12:50 PM ET
Categories:  From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Yahoo! Messenger Network Overrun By Bots
Next: Storm Worm Authors Turn to YouTube Lures


Heh. Now you get someone either spoofing the ads, or actual spam in your comments - and your banner picture is replaced with a topless woman...

Posted by: Sean | August 25, 2007 7:49 PM | Report abuse

It's too easy to incorrectly infer from this article that the site was the specific target of the attack or had its security compromised. These sort of spam advertisements appear on most every blog that uses any popular blogging applications. They're the result of applications that crawl the net and post URLs to the comment section as a way of upping the Google placement of sketchy (at best) businesses.

It's a comment posting, and not any sort of security violation whatsoever. Clearly, the folks running the blog need to be more attentive about screening and removing spam, but it's hardly news or worry-worthy.

I think this article is going to give many folks an inaccurate impression. There's certainly room for clearer reporting and better context.

Posted by: JohnW | August 25, 2007 8:49 PM | Report abuse

JohnW, I don't think it's actually clear from the search results that the messages were blog comment spam, which is normally open to the world. If they are in fact blog-related, which is questionable, they look more like actual blog postings, which typically require some form of authentication, unlike comments.

Posted by: antibozo | August 25, 2007 9:30 PM | Report abuse

The term blog spam is a horrible term. These were blatant advertising links placed on a blog accessible to the public. There is nothing new or news worth about this. Am i missing something here?

Posted by: AskTheAdmin | August 26, 2007 6:27 PM | Report abuse

@asktheadmin: Aside from the fact that there was no blog to speak of on the LLNL site before the pharmacy spam/blog showed up? No.

Posted by: Bk | August 26, 2007 7:49 PM | Report abuse

Is the LLNL webmaster "charged with safeguarding the safety and integrity of the U.S. nuclear arsenal"? If not, that phrase just seems to be gratuitous hysteria mongering.

If the WashPost website was hacked, would you consider that a reflection on the news gathering and editorial functions of the paper?

Posted by: burke | August 26, 2007 8:30 PM | Report abuse

Ouch! I've some some sympathy for LLNL -- our research site

has been burned several times when we have not kept our software up to date and a vulnerability is discovered. On the other hand, we don't share LLNL's mission of being "responsible for ensuring that the nation's nuclear weapons remain safe, secure, and reliable". At least it is somewhat reassuring that the compromised LLNL sites are not directly involved with the core mission of nuclear safety, but focused on conferences, speech research and publicity.

Since we were last hacked in early July, we've been monitoring visits to our web site that seem suspicious and see many attempts every day to gain access, typically through crude password guessing and more sophisticated SQL injection attempts.

Posted by: tim finin | August 26, 2007 9:45 PM | Report abuse

Brian, there are two versions of this blog entry: this one, and one with a URL ending in pharmacy_spam_blogs_at_us_nucl_1.html. What gives?

Posted by: antibozo | August 27, 2007 5:13 AM | Report abuse

burke> If the WashPost website was hacked, would you consider that a reflection on the news gathering and editorial functions of the paper?

[Setting aside the fact that the Post's newsgathering organization is actually different from the organization that provides the Post's web presence,] if the Post's web site were defaced, one would regard that as evidence of poor security practices by the Post's IT personnel, and thus one would be concerned about other compromises that are not as evident as a defacement, and how those could lead to false reporting or other disruption of the Post's mission, since the Post fundamentally relies on IT for everything it does. Obviously.

Posted by: antibozo | August 27, 2007 5:21 AM | Report abuse

AskTheAdmin> Am i missing something here?

You appear to be missing the fact that these messages look like actual blog postings, not merely comment spam. It would be unusual for a blog to be set up to allow posting of actual blog entries by the general public.

Posted by: antibozo | August 27, 2007 5:23 AM | Report abuse

The Wayback Machine provides a little more info about these sites. For
example, used to have award nomination submission and
feedback forms:

Perhaps these forms posted content into the site, or perhaps the CGIs
handling those form submissions had a vulnerability.

An alternative explanation is suggested by the presence of "svn" in a
number of the URLs; "svn" is a standard abbreviation for the version
control system Subversion, and this implies that a misconfigured
Subversion installation could have been abused to upload unauthorized
content. For more information on Subversion, see:

Posted by: antibozo | August 27, 2007 9:41 AM | Report abuse

This is just hilarious. With all due respect to tim finin, anyone who doesn't update their servers (at least when they're being paid HUGE loads of cash for it) when vulnerabilities are found just needs to be fired, shot, and burnt. And please don't use "I didn't know about the updates" as an excuse, if I can subscribe to all the security mailing lists then so can the LLNL.

But to be honest the hack isn't even so bad - what's worse is that they seem to not have bothered to make an audit for many months. Even the best security - and one should be able to assume to find nothing less at the LLNL - can be breached, but anyone who assumes their security is perfect - again - needs to be fired, shot, and burnt.

Then again, this is nothing compared to the holes I have to witness (I report them, and then get in trouble for reporting them..) at my employer, a MAJOR company that seems to not care in the slightest about actual security, as long as they follow their (useless) policies.

Posted by: Steffen | September 26, 2007 4:41 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company