Hackers Target House.gov Sites

Hackers broke into more than a dozen Web sites for members of the U.S. House of Representatives in the past week, replacing portions of their home pages with digital graffiti, according to House officials.

The landing pages at house.gov for Reps. Duncan Hunter (R-Calif.), Jesse L. Jackson, Jr. (D-Ill.), and Spencer Bachus (R-Ala.) were among at least 18 member pages that were defaced in a series of break-ins that apparently began earlier this month, according to zone-h.com, a site that archives evidence of Web site attacks.

Adam Bozzi, a spokesman for Rep. Harry Mitchell (D-Ariz.), confirmed that Mitchell's site was among those hacked. Bozzi said it appears the attackers broke in by guessing passwords used to administer the site. Bozzi said the messages that the hackers left behind had been erased, and that his office now has stronger passwords for the site.

The hackers replaced portions of the member pages with multiple copies of the message "H4ck3d by 3n_byt3 @ Indonesia H4ck3rs" according to zone-h.com.

Jeff Ventura, a spokesman for the House's chief administrative officer, said the defacements of several member Web sites began Aug. 1, and were the result of an outside computer vendor failing to adhere to the House's required security standards.

"The defacements were the digital version of graffiti and did not result in the theft or loss of any sensitive data or materials," Ventura said. "Over the last year the House has continued aggressively fortifying its security systems. These improvements to our systems resulted in the swift identification of the site defacements, which were fixed within hours of being detected."

Ventura said Dan Beard, the House's chief administrative officer, has called for an immediate review of the House's relationship with the vendor in question.

The vendor responsible is GovTrends, a Web design company in Alexandria hired to provide Web hosting for about 100 House sites, although not all were affected.

GovTrends founder Ab Emam said the breaches were the result of passwords assigned by GovTrends to member offices that were never changed.

"Most of these passwords could be guessed, they were obvious," Emam said. "That's been changed, and each of these sites is now required to have strong passwords."

Zone-h categorized the majority of the break-ins as "mass defacements," which generally result from hackers targeting a single, known security weakness present in one commonly used operating system or Web application. According to Zone-h, the hacker claiming responsibility for the attacks, who signed his name "3n_byt3," is responsible for at least 797 Web site break-ins, including 366 flagged as mass defacements.

Update, Aug. 7, 11:22 a.m. ET: Rep. Spencer Bachus has sent a letter to the House's chief administrative officer, requesting more information about the attacks. Bachus cites information provided to him by Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham. Warner suggested that the break-ins at the House sites were caused not by password guessing, but by "SQL injection," an attack that exploits security weaknesses in Web server configurations.

"GovTrends refused to provide copies of the logs of the intrusion and deferred to [chief administrative officer]," Bachus wrote. "While GovTrends is speculating to the press that this was a simple password guess, they have referred us to HIR to get evidence supporting their speculation. Please provide copies of the web logs and evidence supporting GovTrends speculation so that we can determine how best to proceed."

A copy of the Bachus letter is available here.

By Brian Krebs  |  August 6, 2009; 10:26 AM ET
Categories:  U.S. Government , Web Fraud 2.0  | Tags: house.gov hack defacement  

Comments

And it's quite obvious why he's using the all popularly insecure Joomla for his blog. Joomla has been in reports several times for SQL injections and yet people still use them; it's a shame, but maybe now they will change the web application they use.

Posted by: OrderZero | August 6, 2009 4:38 PM | Report abuse

FBI needs a database of system administrators...which is around the corner. Most cyber crimes are carried out by present and former admins ...

Posted by: DD163 | August 6, 2009 7:23 PM | Report abuse

Given the rate at which these sites change [glacial?] why even put the content on writeable media? Be a lot harder to hack a CDROM -- or ISO9660 image stored on disk -- or a disk switched to read-only.

The real story isn't that people use idiotic passwords but that they don't even use all of the tools available to prevent crackers from breaking the sites.

Posted by: lembark | August 7, 2009 9:46 AM | Report abuse

Strong passwords? We don't need no stinkin' strong passwords. Duh! The best that can happen here is a stronger impetus on the part of our lawmakers to move the government in the direction of stronger laws and better enforcement of them concerning this sort of activity.

Posted by: peterpallesen | August 7, 2009 10:07 AM | Report abuse

DD163, how do you define "system administrator"?

I submit that every user who updates or installs software on their own computer is a "system administrator"

So you are saying that the FBI should put us ALL in a database?

Posted by: frantaylor | August 7, 2009 11:16 AM | Report abuse

Strange they should say that "most" passwords were simple to guess. I should hope they are referring to event logs indicating numerous failed logins.

Consider the recent excitement over Beladen and others where malware on client computers was specifically looking for webmaster credentials and files. Over 100,000 websites were ultimately compromised.

Now that said, I'm not privy to any more information than in this article. So, one cannot infer that these sites were compromised in a manner similar to the Beladen stuff. I'm merely suggesting additional possibilities.

Posted by: eiverson1 | August 11, 2009 1:29 PM | Report abuse

BTW, assuming folk thoroughly scoured these webservers for binaries designed to compromise visiting computers and that none was found, and that the only evidence of harm appears to be defacement, that tends to reduce the likelihood of Beladen-like methods and actions.

In a perverse way, it's kind of nice to see old-fashioned hacker activity where one is not seeking financial gain.

Posted by: eiverson1 | August 11, 2009 1:34 PM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company