Plastic brick theme park Legoland has had its UK website defaced by a hacker who took advantage of an inadequately secured SQL server.

The front page of the Legoland.co.uk site was replaced on Friday with a message from the hacker and a picture of a spacecraft made from Lego. The site was down on Monday morning, but was restored by midday.

The hacker, called Herbless, used the same method to hack several UK government websites last month. Experts said administrator error rather than a weakness in SQL server was to blame for leaving the websites open to attack.

Herbless used the attack to post a rant supporting DVD cracking software. The DeCSS software allows the decryption of DVDs. Several major Hollywood film studios last month won their fight to prevent the publishing of the software by the 2600 hacker magazine and website.

When SQL server is set up there is a simple default password for the SQL administrator. Unless the system is being used on a trusted network, which the company owns entirely, Microsoft recommends this password be changed. In an unchanged configuration hacks can take place.

Matt Tomlinson, business development at security consultancy MIS, said: "The majority of internet-facing servers running SQL server will be protected by port filtering and firewalls, exposing access to only HTTP ports. The wider implications are for those organisations that do not protect internal servers from internal users.

"Any organisation with any resemblance of an IT security policy will have changed the default (blank) password and put other protection methods in place."

In a statement, Legoland confirmed that its website had been compromised. It said sensitive booking information including credit card details is hosted on a separate secure server with an established internet bank and this information was not compromised.

Legoland said the security weakness on its site had been reviewed and measures taken to ensure that this type of attack could not be repeated.

See also:

Hackers attack techie site Slashdot

Hackers have turned on their own by breaking into Slashdot, a website for technology and open source enthusiasts.  29 Sep 2000

HSBC web host under fire over fuel hack

The external supplier believed to be responsible for managing the areas of HSBC's website vandalised by a hacker this week has been criticised in connection with the incident.  22 Sep 2000

Herbless - five weeks of 'hacktivism'

From Sheffield City Council to Hong Kong and Shanghai Banking Corporation, via Legoland.  21 Sep 2000

Fuel protest hacker Herbless quits

EXCLUSIVE: Herbless, the hacker who defaced the websites of HSBC, Legoland and 450 others as part of the fuel protest in the last month, has announced his sudden exit from the hacking scene.  21 Sep 2000

Security attitudes in the firing line

Prepare for the worst with a security policy that defends your network against hacker attacks and malicious emails.  20 Sep 2000

HSBC reassures customers after hack attack

HSBC said no customer details or bank accounts were at risk when a hacker broke into several of its websites on Tuesday night.  20 Sep 2000

HSBC internet sites hacked

HSBC's UK internet site and three of its international sites have been hacked as part of an ongoing campaign in support of the fuel protest.  20 Sep 2000

Fuel protestor hacks 168 websites

A hacker has successfully attacked more than a hundred corporate websites to post a message in support of demonstrators protesting against high fuel taxes in the UK.  15 Sep 2000

Ticketmaster hacked by music fans

Online ticket seller Ticketmaster has become the latest victim of a hack attack after a group of rap music supporters defaced its website.  23 Aug 2000

Hollywood wins DVD cracking case

Hollywood has won its legal battle to prevent the spread via the internet of software that facilitates the decryption and copying of DVDs.  18 Aug 2000

Bug Watch: are you safe from hackers?

The end of last week saw further exploitation of UK company websites by what is a recurring threat in the IT world - the hacker. Five companies were hacked last week, but not by bored 'script kiddies', or those who do it just for fun. Three of the hacks were executed by GForce, a group which aims to raise awareness of the Indian government's treatment of Kashmir nationals.  11 Aug 2000

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!