User-generated content is Achilles’ heel of social media sites

Imperva dissects the recent hack of MilitarySingles.com by LulzSec

In its report 'Dissecting a Hacktivist Attack', Imperva explained that LulzSec was able to gain access to the personal information of MilitarySingles.com users by using a remote file inclusion (RFI) attack against PHP-based applications, which comprise 77% of web applications.

In March Lulzsec Reborn said it had hacked into the MilitarySingles.com website and posted emails and other personal data of 170,937 accounts from MilitarySingles.com on Pastebin as part of the group’s Operation Digiturk.

LulzSec exploited a vulnerability in the photo upload functionality on MilitarySingles.com to upload an executable file disguised as an image file and gained control over the server, Imperva explained.

“The hackers in this case were able to use a web application vulnerability, which allowed them to upload an executable file and take over the web server”, said Tal Beery, web security research team leader at Imperva’s Application Defense Center.

“The ability to upload content generated by untrusted parties, such as the user, to the trusted platform, such as the server, is really problematic”, Beery explained. Websites should separate the untrusted user-generated content from the trusted applications, he added.
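The upload flaw Imperva describes, shown as an added defensive example that is not code from Imperva, LulzSec or MilitarySingles.com: a Python upload handler that decides by the file's bytes rather than its claimed name, rejects image/PHP polyglots, and stores accepted files under a random name in a directory assumed to sit outside the web root (`upload_root` is a hypothetical parameter).

```python
import os
import secrets

# Magic-byte signatures for the only image types the site accepts.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Markers that betray server-side code embedded in an "image" (polyglot files).
CODE_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def detect_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(data: bytes):
    """Return (accepted, detected_type_or_reason). The filename is never consulted."""
    kind = detect_image_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    if any(marker in data for marker in CODE_MARKERS):
        return False, "image contains embedded server-side code"
    return True, kind


def safe_storage_name(kind: str) -> str:
    """Random name: the uploader controls neither the path nor the extension."""
    return f"{secrets.token_hex(16)}.{kind}"


def store_upload(data: bytes, upload_root: str):
    """Write a validated upload under upload_root (outside the web root); None if rejected."""
    accepted, info = validate_upload(data)
    if not accepted:
        return None
    path = os.path.join(upload_root, safe_storage_name(info))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# Constructed samples, not real files: a minimal PNG header, a PHP file that
# would be renamed to look like a JPEG, and a PNG/PHP polyglot.
GENUINE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
DISGUISED_SCRIPT = b"<?php echo 'not an image'; ?>"
POLYGLOT = b"\x89PNG\r\n\x1a\n" + b"<?php echo 'hidden'; ?>"
```

Serving the stored files back through a separate static host, never by including them from the application, is what keeps the untrusted content apart from the trusted code.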

Despite evidence in the form of published user account information, the web administrator for MilitarySingles.com adamantly denied that the site had been attacked.

“It really showed that when you have no visibility you really don’t know anything about the security of your website”, Beery told Infosecurity. “When you don’t have the right tool to monitor traffic to the site, your site can be hacked and you won’t be aware of it because there aren’t any symptoms”, he added.

Imperva estimated that, because of “archaic methods of password encryption”, more than 90% of the MilitarySingles.com passwords were cracked within nine hours. “Strong password policies aren’t enough. In addition, enterprises must make use of a special form of encryption known as ‘salted digests’. A salted value should increase the cost of guessing the password so that financially motivated hackers will not make such an investment”, the report argued.

Imperva also questioned whether it is appropriate for military and government employees with links to sensitive information to participate in social networking websites and suggested that new public security policies may be required to prevent future breaches.
