US military agency's website possibly compromised

A GROUP OF HACKERS calling themselves The Craziez claim to have broken into the website of the Defense Information Systems Agency (DISA), from which they claim to have stolen sensitive information.

The hacking outfit expressed its support for several groups including Anonymous, inj3ct0r, and the now-defunct Lulzsec, but it's not clear at this point if it is affiliated with Operation Antisec, a hacking campaign that has the goal of breaking into government and military computers and exposing data.

It seems the group is guided by anti-American feelings. Its members make this clear in their online manifesto, in which they claim "the U.S. government is sucking the civilians' blood."

"It's our first jump in public because we [are] fed up," the hackers write. "Hands of [sic] Libya. Stop killing for oil," they add, warning that "we'll expose them because we had enough of their thoughts and calls for fake freedom."

The hackers leaked SSL certificate revocation lists (CRLs) allegedly taken from the compromised disa.mil website, however it seems the confidential files were also available on an unprotected DISA sub-site.

Certificate revocation lists (CRLs) are normally issued by certification authorities (CAs) and are used by SSL clients to determine what certificates shouldn't be trusted anymore. In this case, the CRLs contained information about certificates issued and revoked by the Department of Defense's own CA.

The Craziez warn that the leaked files represent only five per cent of all the data it managed to extract from the website. The group says the rest will be released this week, but there are doubts that it can deliver on its promise.

DISA is the Department of Defense combat support agency in charge of providing information technology and satellite communications solutions for the US President, Vice President, Secretary of Defense and the combatant commands. It also engages in information sharing.

The agency has not yet confirmed the attack and its website remains online at the time of writing. The hacking announcement was posted on Pastebin on Saturday. If the compromise turns out to be real, it will be the latest entry on what is already a long list of security breaches reported this year involving government computers. µ