So this story caught my eye and I found it pretty interesting as it reads like something out of a Tom Clancy novel crossed with a bunch of script kiddies, a Navy Sys Admin has been charged with conspiracy to hack – the interesting part was that he hacked the Navy (whilst working there..) and also did it from a Nuclear aircraft carrier!
Seems like a pretty interesting scenario, I’m more interested in the technical details but all that’s mentioned is a case of SQL Injection – which isn’t exactly high-tech top tier hacking.
It also seems like the hacks took place a fair time ago back in 2012, but the court case and its details are only surfacing now.
A former systems administrator on a Navy nuclear aircraft carrier has been charged with conspiring to hack into government systems during a digital joy ride that spanned several months in 2012.
Nicholas Paul Knight, 27, who referred to himself as a “nuclear black hat,” was discharged from the Navy after he allegedly attempted to hack into a Naval database while at sea serving as a systems administrator in the nuclear reactor department aboard the U.S.S. Harry S. Truman.
On Monday, he and Daniel Trenton Krueger, a community college student in Illinois, were charged with one count each of conspiracy to hack in the U.S. District Court for the Northern District of Oklahoma.
They were allegedly part of a hacker gang that went by the names Team Digi7al and Team Hav0k. According to court documents, the gang also included at least three minors who have not been identified or charged in the case. Authorities say they were motivated by a combination of anti-government sentiment, boredom, and thrill-seeking.
The gang is accused of using SQL-injection hacks and other methods to gain access to various systems including ones belonging to the U.S. National Geospatial Intelligence Agency, which provides maps and other intelligence to the military, and a system belonging to the Department of Homeland Security’s Transportation Worker Identification system. The latter contains biometric and other sensitive data on workers who are issued special credentials to access secure areas of maritime facilities and vessels.
The group also allegedly hacked or attempted to hack into systems belonging to Los Alamos National Lab, a number of universities and police departments, as well as the personal web site of Rashod Holmes, a musician who sold merchandise from his site.
There’s also a lot of discussion about background checks, with two sides of the camp as usual – how is someone who has a criminal history hired to work for the Navy as a sys admin? And the other side is that maybe his mad l33t hacking skills could be why he got the job in the first place.
Ethically it’s always an interesting debate, should you hire an ‘ex’ hacker – or is a hacker always a hacker? Can people change/reform/become morally sound? Or does having a bit of the dark-side in you make you better at your job? If you haven’t done any malicious activities – can you really understand the mindset of a malicious hacker?
But despite more than two dozens hacks, the group had sporadic success. During an attempted breach of a Los Alamos Lab computer in April 2012, a systems administrator detected the hack and halted it before they could steal much data, according to a court document (.pdf).
The hack of a computer at the National Geospatial Intelligence Agency got them the schematics for more than ten databases, but they failed to download the sensitive agency data they sought from the computer, authorities say.
A May 2012 breach of an AT&T Uverse computer, however, got them mobile phone numbers of about 7,500 customers, as well as some email addresses of customers, physical addresses and cleartext passwords, the government says.
Three months later, according to authorities, they hacked into the website of Rashod Holmes and stole data on 1,000 customers, including the private bank account information of about 70 customers. They also breached the email account of the Ambassador of Peru in Bolivia and made off with the entire email contents of his account.
The group boasted about their exploits through a Twitter account — @TeamDigi7al — and even published the personal information they stole to storage sites where others could access the data, authorities say.
Knight, known online as “Inertia” and “Logic,” began hacking at age 16, according to the government, and was allegedly the self-professed leader of the gang who handled much of the publicity. Krueger, who was studying to be a network administrator and was known online as “Thor” and “Gambit,” allegedly performed most of the technical hacking.
The investigation, conducted by the Naval Criminal Investigative Service, began in June 2012, when a breach of the Navy’s Smart Web Move website and database occurred. The system, also known as Navy-SWM, is used by the Navy to manage the transfer and relocation of personnel and their family members in all branches of the military — Navy, Army, Air Force, Marines and Coast Guard. The database contained more than a decade’s worth of stored sensitive personal data on about 220,000 service members and their families, including Social Security numbers and birth dates. It also stored the answers to security questions that members used to reset their passwords for the system — such as their mother’s maiden name or the names of their children.
We’ll have to see what kind of charges get put up for this, I’m guessing there’s not going to be any ridiculous claims of terrorism in this case? As it’s quite clearly hacking without much of a point other than ‘because we can’.
You’d think someone working for the Navy would be smart enough to not hack the Navy AND get caught, but hey – who are we to judge.
- ODAT (Oracle Database Attacking Tool) – Test Oracle Database Security
- Navy Sys Admin Hacks Into Databases From Aircraft Carrier
- aidSQL – PHP Application For SQL Injection Detection & Exploitation
- US Veterans Information Leaked on The Web
- The Soft Underbelly? – Database Security
- Don’t Sweat or Scratch Your Face Whilst Flying
Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 73,282 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 53,827 views
- Absinthe Blind SQL Injection Tool/Software - 38,992 views