Sinking a battleship
A Royal Navy website was taken offline following claims by a Romanian hacker that he had breached the site and stolen the login details of the administrators.
The hacker, who goes by the name Tin Kode, published information on the net claiming success in penetrating the Navy website. This hacker seems to take particular pleasure in attacking the military and has previously published information about SQL injection weaknesses at the US Army website and also on NASA's site. Fortunately, he (or she) seems more interested in creating mischief than in causing any lasting damage.
As is often the case, this attack was more of an embarrassment than a national security issue. The site concerned, royalnavy.mod.uk, is primarily a recruitment and public-facing brochure site. It is not part of the strategic defence networks, no battleships were put at risk from this attack, and no launch codes for Polaris were stolen. It is easy to play down this sort of attack, but one lesson we should always remember is that people have a bad habit of using the same passwords for all the systems they use. A hacker who finds a password on an inconsequential, low-security system might gain good insights into how to penetrate your higher-security systems. For this reason I suggest the following three rules for passwords.
1) Treat every password as if it is the password to your own bank account.
2) Use different passwords for different accounts. Don't use the same password on your crucial systems as you do on your Hotmail account.
3) Repeat rule 1 because sooner or later you will forget rule 2.
23rd November 2010