U.S. Army website hacked
Have to worry about the Romanian hackers too.
Romanian hackers continue to have a field day with SQL injection flaws in major Website applications: A vulnerability in a U.S. Army Website that leaves the database wide open to an attacker has now been exposed.
“TinKode,” a Romanian hacker who previously found holes in NASA‘s Website, has posted a proof-of-concept on his findings on a SQL injection vulnerability in an Army Website that handles military housing, Army Housing OneStop. TinKode found a hole that leaves the site, which has since been taken offline, vulnerable to a SQL injection attack. “With this vulnerability I can see/extract all things from databases,” he blogged.
What’s with the weak security?
TinKode was able to gain access to more than 75 databases on the server, according to his research, including potentially confidential Army data. He also discovered that the housing site was storing weak passwords in plain text. One password was AHOS, like the site’s name.
“Four-character passwords that are the same name as the database table names are inexcusable,” says Robert “RSnake” Hansen, founder of SecTheory.
Hansen says the ease with which TinKode discovered the SQL injection flaw highlights the state of Web security. “[This is] a good example of how terrible our security posture is, and he didn’t even have to do anything tricky to find the exploit,” he says.
Considering SQL injection is a common vulnerability exploit this re-enforces the need to test systems regularly.
TinKode is among a group of hackers out of Romania who have been disclosing SQL injection flaws in high-profile Websites during the past few months. Most recently hacker “unu” demonstrated a major SQL injection hole in an Intel channel partner events Website that exposed personal passport information. Unu was able to hack into the front-end Web app and, like TinKode, found that the server administrators had their passwords stored in clear text.
SQL injection is a common Website vulnerability that is increasingly being used as a foot in the door to the back-end database.
“Every organization has these problems,” Hansen says. “They may not realize it, but they’re just waiting for a smart kid to come along and copy off every critical piece of information they have.” (Source: Dark Reading)
Of course common sense needs to be used when it comes to passwords as well. Storing in clear text?? Using four character passwords that are the name of the database?? Come on.
Related articles by Zemanta
- Web site scripting flaws are common and slow to be fixed (infoworld.com)
- Web application security is growing problem for enterprises (infoworld.com)
- RockYou Hack: From Bad To Worse (techcrunch.com)
- Useful SQL Injection Info (arnoldit.com)
Posted on January 17, 2010, in attacks, Cybersecurity, Hacking, Security breach, vulnerability, Web and tagged Add new tag, Database, NASA, Plaintext, Proof of concept, Security, SQL injection, Table, vulnerability. Bookmark the permalink. 1 Comment.