The Web pages of three US Government agencies, including NASA’s Goddard Flight Center, have been defaced by a cracker who is worried that US government security systems are vulnerable to cyberattack.
On Wednesday, the front pages of the sites for NASA’s Goddard Flight Center international page, the Bureau of Land Management’s National Training Center, and the Defense Contracts Audit Agency were replaced with a page showing a cartoon of a hooded hacker wearing a peace symbol necklace and a message warning of Web site security holes.
“To the US government and military — I have warned you about these security flaws,” wrote ytcracker on the Flight Center’s front page. “Please secure our military systems to protect us from cyber attack.”
Identifying himself as a 17-year-old high school student from Colorado Springs, Colorado, ytcracker (for whitey-cracker) said he defaced the sites as a warning to the US government.
“I’m not about being malicious,” he said. “A lot of other countries are planning cyberwarfare on the US government. If other countries have malicious intent, how can we as US citizens feel safe? I did this to let them know they really have to prepare for these things.”
Ytcracker said he chose the sites after scanning numerous government agencies for those most vulnerable.
The three sites were penetrated using a well-known trick that should have been known to the administrators and plugged, ytcracker said.
Furthermore, he said, the administrators had been recently notified of the security hole but had ignored the warnings.
“It seems the only way to get their attention is to show them,” he said.
The DCAA was cracked early Wednesday, followed by BLM and then NASA early Wednesday afternoon, ytcracker said.
Speaking only minutes after cracking the NASA site, ytcracker declined to give his real name but said he has done very little to cover his tracks.
Besides the sites’ server logs, which track visitors to the site, a link on the cracked NASA page leads more or less straight to his home page.
“If they want to find me, it won’t be very hard,” he said. “I don’t want them to misinterpret my actions. I didn’t do it to offend them or show them up. It’s basically to alert them. All I can do is pray to God and hope they do.”
NASA spokeswoman Janet Ruff said the organization took security “very seriously… when things like this happen they require a fast response.” Ruff said NASA was continuing to investigate the breach, but that she could not comment further.
However, B.K. DeLong, curator of Attrition.org’s Web site defacement archive, which has mirrored the cracks, said the US government doesn’t take the defacement of its Web sites kindly.
DeLong noted that another cracker, known as Zyklon, was sentenced to 15 months in jail and a $36,000 fine last week for defacing the White House’s Web page.
DeLong said the cracks were significant security breaches.
“Any government, military, or high-profile corporation is a significant hack,” he said. “It shows once again that they’re lacking in security.”
DeLong said the crack exploited the remote administration capabilities of Windows NT systems and isn’t particularly difficult to perform.
Before hanging up, ytcracker said: “I’m very much a patriot. I promote the same democratic ideals as the government endorses. I believe strongly in peace and harmony.”