U.S. Army Website Hacked

by Dan on July 22, 2010

Just saw that the U.S. Army’s housing website/database has been attacked successfully with some good ol’ SQL injections. A Romanian hacker who goes by the moniker “TinKode” posted details of the attack on his blog including the specific database tables he was able to access. This same hacker has found similar holes in NASA’s site in the past.

For as much CISSP training as the Army has been doling out to its folks and for as many seminars and conferences as they’ve held, they seem to be missing some of the basics. The hacker used a very simple SQL injection (' OR 1=1; --, 1=2, etc.). One of the first things I learned when working with SQL databases was the PHP function:

mysql_real_escape_string($query)

Not that this simple function will stop every attack, but it certainly can prevent quite a bit, including this recent attack. And we’re not talking about compromising some UFOUO documents here, this is housing data for U.S. soldiers. This information could be sold to quite a few extremists with malicious intentions. I guess I shouldn’t be surprised, but some of this is very new to me and I expect entities such as the military to be a little more careful than your average web designer. I’m rapidly learning that this is not usually the case.
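An added example, not code from the original post: the injection string quoted above is run against three ways of building the same lookup, using Python's built-in sqlite3 in place of PHP and MySQL so it runs offline. The table, column names and rows are constructed, and quote-doubling stands in for what mysql_real_escape_string does.

```python
import sqlite3

# Constructed sample rows; table and column names are hypothetical.
ROWS = [("Alvarez", "A-101"), ("O'Brien", "B-202"), ("Chen", "C-303")]
PAYLOAD = "' OR 1=1; --"  # the injection string quoted in the post

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE residents (last_name TEXT, unit TEXT)")
    db.executemany("INSERT INTO residents VALUES (?, ?)", ROWS)
    return db

def lookup_concatenated(db, last_name):
    # Vulnerable: the input becomes part of the SQL text itself.
    sql = "SELECT unit FROM residents WHERE last_name = '" + last_name + "'"
    return [r[0] for r in db.execute(sql)]

def lookup_escaped(db, last_name):
    # Escaping stand-in: SQLite escapes a quote by doubling it, so the
    # input stays inside the string literal. Safe only in quoted contexts.
    sql = ("SELECT unit FROM residents WHERE last_name = '"
           + last_name.replace("'", "''") + "'")
    return [r[0] for r in db.execute(sql)]

def lookup_parameterized(db, last_name):
    # Hardened: the value is bound separately and never parsed as SQL.
    sql = "SELECT unit FROM residents WHERE last_name = ?"
    return [r[0] for r in db.execute(sql, (last_name,))]

def compare(value):
    """Run all three lookups on one input; report rows or 'SQL error'."""
    db = make_db()
    results = {}
    for fn in (lookup_concatenated, lookup_escaped, lookup_parameterized):
        try:
            results[fn.__name__] = fn(db, value)
        except sqlite3.Error:
            results[fn.__name__] = "SQL error"
    return results

if __name__ == "__main__":
    for value in ("Chen", "O'Brien", PAYLOAD):
        print(repr(value), compare(value))
```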

What can be done to “patch” some of these vulnerabilities? Can new technology be developed that doesn’t have these flaws? Will that really solve the issue or will new weaknesses simply come to light? What response does this low intensity “attack” warrant?
