SQL Injection

Attacking web sites by going to the source, targeting DNS servers rather than the web sites themselves, shows both the boldness of hackers and the fragility of the Internet.

While not new, DNS hijacking attacks took an important turn this year, showing how much we rely on the web and how little we care for its protection. In the past, DNS hijacking required complete control over the DNS server. In recent years most applications, including DNS servers, are controlled through a web interface. Earlier this year attackers found an XSS vulnerability in a common DNS platform to hijack unused DNS entries for phishing.

But this was only a small prelude to the real thing. CNet reports that this time hackers took over an entire TLD (Top Level Domain, or country) DNS server using SQL injection, virtually defacing the Puerto Rican sites of companies such as Google and Microsoft.

The amazing story unfolds in the comments to the CNet story, which outline a mischievous professor and slow authorities who let him privatize and monetize domain registration in Puerto Rico without any control.

The question we are left with is whether other countries and geographies are different. Or even other industries, for that matter?


Information Week reports that a well-known Turkish hacker penetrated two sensitive US Army servers, one at McAlester Ammunition Plant in McAlester, Okla., and the other at the U.S. Army Corps of Engineers' Transatlantic Center in Winchester, Va. The hacks are currently under criminal investigation by Defense Department officials.

The breaches were not publicly disclosed and the level of exposure is therefore not known. It is known, however, that web site visitors were redirected to a site protesting against climate change.

The Register speculates that the attack method was SQL injection.

 


After focusing earlier this year on anti-virus vendors, Uno, the Romanian hacker, is now back and reports in his blog that an Orange France web site dedicated to photo management is vulnerable to SQL injection and that he was able to access 245,000 records from the web site.


Another week, another hack by the HackerBlog, and when it targets an important web site and the impact is severe, it is worthy of WHID. This time the Romanian hacker used blind SQL injection to penetrate the web site of the Telegraph, a leading English daily paper.

Among his findings is a table including 700,000 e-mails, which would be a gold mine for spammers.

The Telegraph's response was published on their official blog.


A very interesting report by the FBI together with the US Secret Service outlines a scheme exploiting SQL injection to steal credit card information from financial institutions. The attack involves directly attacking HSMs, the banks' key vaults in charge of verifying ATM PINs, in order to brute force PIN numbers.


It wasn't surprising that after attacking Kaspersky and BitDefender web sites, Uno, the Romanian hacker, would continue to strike anti-virus vendors. This time he found a vulnerability in the web site of Finnish AV vendor F-Secure. Somewhat less severe than the others, the vulnerability enabled the hacker only to access virus statistics.


I must admit that Uno, the Romanian hacker behind a series of intrusions in recent days, is a bit of a cheat for the Web Hacking Incident Database. We usually do not report vulnerabilities that were not exploited. While we understand their importance, they do not fall under the criteria set for WHID. For now we list them in a separate page, waiting for a place to be filed in.


Uno, the Romanian hacker responsible for penetrating the Kaspersky web site, reported repeating the trick on the web site of the Polish distributor of BitDefender, another anti-virus software vendor.


Update (Feb 22nd 2009) - We were probably not the only ones not satisfied with Kaspersky's official press release on the subject. An interesting report on Kaspersky's viruslist blog by a person on the investigating team provides answers: neither was the data well secured nor was the hacker incapable. The hacker made a mistake in his attack vector and decided to pursue it no further. The data was available to any hacker who was really after it.


MetaFilter's philosophy is that social norms and peer pressure, referred to as "self-policing", will ensure the quality of the content of the site. However, it seems that this philosophy does not extend to hackers who abuse the site's software to plant malware affecting MetaFilter users.
