U.S. Army website hacked


Have to worry about the Romanian hackers too.

Romanian hackers continue to have a field day with SQL injection flaws in major Website applications: A vulnerability in a U.S. Army Website that leaves the database wide open to an attacker has now been exposed.

“TinKode,” a Romanian hacker who previously found holes in NASA‘s Website, has posted a proof-of-concept on his findings on a SQL injection vulnerability in an Army Website that handles military housing, Army Housing OneStop. TinKode found a hole that leaves the site, which has since been taken offline, vulnerable to a SQL injection attack. “With this vulnerability I can see/extract all things from databases,” he blogged.

What’s with the weak security?

TinKode was able to gain access to more than 75 databases on the server, according to his research, including potentially confidential Army data. He also discovered that the housing site was storing weak passwords in plain text. One password was AHOS, like the site’s name.

“Four-character passwords that are the same name as the database table names are inexcusable,” says Robert “RSnake” Hansen, founder of SecTheory.

Hansen says the ease with which TinKode discovered the SQL injection flaw highlights the state of Web security. “[This is] a good example of how terrible our security posture is, and he didn’t even have to do anything tricky to find the exploit,” he says.

Considering SQL injection is a common vulnerability exploit this re-enforces the need to test systems regularly.

TinKode is among a group of hackers out of Romania who have been disclosing SQL injection flaws in high-profile Websites during the past few months. Most recently hacker “unu” demonstrated a major SQL injection hole in an Intel channel partner events Website that exposed personal passport information. Unu was able to hack into the front-end Web app and, like TinKode, found that the server administrators had their passwords stored in clear text.

SQL injection is a common Website vulnerability that is increasingly being used as a foot in the door to the back-end database.

“Every organization has these problems,” Hansen says. “They may not realize it, but they’re just waiting for a smart kid to come along and copy off every critical piece of information they have.” (Source: Dark Reading)

Of course common sense needs to be used when it comes to passwords as well.  Storing in clear text??  Using four character passwords that are the name of the database??  Come on.

Reblog this post [with Zemanta]
Advertisements

About brvanlanen

Just a thirty-something guy currently hanging it up in the greater Green Bay area. My post-high school educational background is mainly in the Information Technology field. Specifically I have an A.A.S. in Computer Network Systems and a B.S. in Information Systems Security, both from ITT Technical Institute, in addition to A and MCDST certifications. In my free time I enjoy spending time with my family, cooking and sports. My Christian faith is also important to me as a Missouri-Synod Lutheran and all my children attend a Lutheran grade school. When it comes to political leanings I am a conservative first and foremost which you will discover rather quickly. As for sports I am a huge fan of the Green Bay Packers.

Posted on January 17, 2010, in attacks, Cybersecurity, Hacking, Security breach, vulnerability, Web and tagged , , , , , , , , . Bookmark the permalink. 1 Comment.

%d bloggers like this: