Showing posts with label SQL injection. Show all posts

Monday, February 13, 2012

UN's website still vulnerable after 4 years

More than four years ago, the UN website was hacked via SQL injection. They haven't fixed their problem since then, which I've pointed out over and over and over. This last week, #Anonymous hacked them yet again using the same technique. If, after 4 years, the UN still can't protect their website, it's unlikely that they ever will.

But SQL injection is the easiest of all bugs to fix: simply stop treating data as code (use parameterized queries instead). The difference between the correct way and the wrong way is obvious and impossible to miss. Most hacker attacks are hard to understand and hard to fix, but SQL injection isn't one of those.
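The two ways of writing the lookup, side by side, as an added example that is not code from the original posts or from any of the sites discussed. It feeds the page's own probe value (statID=10'5) to a query built by string concatenation and to a parameterized query; the table and column names are assumptions, and sqlite3 stands in for the real database.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the speeches table behind
    a statID parameter (assumed schema, not the UN site's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE speeches (statID INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO speeches VALUES (?, ?)",
                     [(10, "Speech ten"), (105, "Speech one-oh-five")])
    return conn


def lookup_vulnerable(conn, stat_id):
    """Data treated as code: the request parameter is pasted into the SQL text,
    so a quote in the parameter changes the statement itself."""
    sql = "SELECT title FROM speeches WHERE statID = " + stat_id
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, stat_id):
    """Data kept as data: the driver binds the value separately from the SQL,
    so a quote is just a character that matches no row."""
    sql = "SELECT title FROM speeches WHERE statID = ?"
    return conn.execute(sql, (stat_id,)).fetchone()


def probe(stat_id):
    """Run both lookups on the same input and return (vulnerable, parameterized)
    results; a driver error from the concatenated version is returned as text,
    which is exactly the 'SQL error in the page' symptom the posts describe."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, stat_id)
    except sqlite3.Error as exc:
        vuln = "SQL error: " + str(exc)
    safe = lookup_parameterized(conn, stat_id)
    conn.close()
    return vuln, safe


if __name__ == "__main__":
    for value in ("10", "105", "10'5"):
        print(repr(value), "->", probe(value))
```

Only the concatenated version reacts to the quote; the parameterized version returns no row for "10'5" and cannot be made to run anything but the fixed SELECT.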

Wednesday, July 06, 2011

Chronic Threats: SQL injection

What is the reason for the recent rash of hacking? Why was LulzSec able to take on high-profile victims like Sony, the FBI, and the CIA?

The answer is this: hackers aren't necessarily smart; the problem is that the victims are stupid. Hackers like LulzSec exploited "obvious" problems in the victim websites. But for all their obviousness, we (as an industry) still don't know how to fix them.

Monday, August 23, 2010

UN's website still vulnerable after 3 years

In what's become a yearly blogpost, the UN still has not fixed the SQL injection problems that led to their website being hacked back in 2007.

They have finally fixed the specific bug that led to their website being hacked (maybe because my blogpost last year was Slashdotted), but the site is full of similar SQL injection bugs. For example, if you click on "print this article", then use that URL instead, the SQL injection still works. This is shown in the picture below (using the URL http://www.un.org/apps/news/infocus/sgspeeches/print_full.asp?statID=10'5):

(This example doesn't hack the UN site -- it just shows how the site can be hacked.)

I look forward to next year's post.

Monday, August 17, 2009

SQL injection not sophisticated


I was reading this news story about the recent 130-million stolen credit card numbers. The story says:
According to the Justice Department, the suspects used a sophisticated hacking technique called an "SQL injection attack"...


SQL injection is not sophisticated. It is extremely easy. A million teenage hackers around the world know how to break into websites using SQL injection.

This is the reason SQL injection is so common. The programmers who create websites believe that SQL injection is a "theoretical" vulnerability that does not endanger their websites in practice. They are wrong -- it's easy for someone of average hacking skill to exploit.

Because these programmers don't believe in the problem, SQL injection problems are widespread. They seem to be everywhere I look. Here are some recent examples:


The news article should have instead said "Hackers used the well-known SQL injection technique" rather than the "sophisticated" technique.

UPDATE: Dan Goodin at The Register gets it right, describing it as a garden-variety exploit. I guess that's the difference between IT press and mainstream press: for one, it's "garden-variety", for the other, it's "sophisticated".

Wednesday, August 12, 2009

UN's website still vulnerable after 2 years


Two years ago today, I blogged about a defacement of the UN.org website. I noted that while they removed the defaced webpages, they had not yet fixed the vulnerability.

I checked today, and they STILL haven’t fixed the SQL injection vulnerability that led to their defacement. Hackers can still deface their website at will. Just put a quote in the ASP parameter and off you go, such as http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=10'5.



There are a couple of lessons here. The first is that no matter how simple the fix, organizations like the UN cannot do it. Despite the fact that a high-school intern could fix the bug in 5 minutes, the bureaucracy means that the organization must spend tens of thousands of dollars to fix it. A project manager needs to coordinate with external consultants. They need to plan the timeline of the change and verify that it works. They need to get agreement from various levels of management who don't understand cybersecurity and are likely to veto the change.

The other lesson is that the cost of NOT fixing the bug is low. The UN can simply live with the problem, and clean up after every hack. The site only contains articles, it contains nothing else interesting (like private financial information). Even with such a simple and obvious vulnerability, they are unlikely to get hacked more than once or twice a year (indeed, it appears they haven’t gotten hacked for the last two years).

Together, both of these things mean that it's cheaper for the UN to clean up after each break-in than to fix the vulnerability. At least, this is what their management feels.

Friday, May 15, 2009

Scan 3rd party websites for safeness

Since I'm a right-wing wacko who enjoys Drudge Report, I noticed this article that claims the U.S. Attorney's Office in Massachusetts told employees not to log onto the Drudge Report because it contained viruses.

Drudge itself isn't hosting malware intentionally, but malware may get through. One possible reason is that they are using an advertising aggregator that isn't too picky about which ads it serves. Another possible reason is that the site has an exploitable bug, hackers have broken in, and are now attacking visitors.

A good example of this is the related news aggregator BreitBart.com, which right this moment has an obvious SQL injection vulnerability. Pick any article with an "id" field in the URL, add a quote, and you get an SQL error message back. If you edit the following URL as shown to add a quote ' character in the id field, you will get the following SQL error message:

Original URL: http://www.breitbart.com/article.php?id=D986V0E80
Edited URL: http://www.breitbart.com/article.php?id=D986'V0E80
Message: Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'V0E80' ORDER BY issue_date DESC LIMIT 1' at line 3

This means that BreitBart has probably been taken over by hackers, who are either now delivering malware, or are waiting for the next QuickTime/Flash/PDF 0day in order to deliver that.

I feel safe browsing these websites because I browse inside a virtual machine, which has non-root privileges, using NoScript and AdBlock within Firefox. I may be a little extreme, but at MINIMUM, users should browse the Internet without root privileges.

Large organizations might consider scanning websites that are popular among their users to look for obvious vulnerabilities like SQL-injection. Like it or not, popular websites like CNN are part of your infrastructure, and when they get hacked, your users can get hacked.
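The quote-in-parameter symptom described for the UN and BreitBart URLs is just as visible from the other side, in a site's own access logs. The added example below (not code from the original posts) takes that defender's view: it parses constructed Apache-style log lines, URL-decodes each query parameter, and flags requests whose parameter values contain a quote, recording the response status so a 500 next to such a request stands out. The log lines are made up for the example; the paths mirror the ones quoted on the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not real traffic). Lines 3 and 4 carry the
# page's 10'5 / D986'V0E80 style probe with the quote URL-encoded as %27.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Aug/2010:10:00:01 +0000] "GET /apps/news/infocus/sgspeeches/print_full.asp?statID=105 HTTP/1.1" 200 5123
203.0.113.5 - - [23/Aug/2010:10:00:02 +0000] "GET /article.php?id=D986V0E80 HTTP/1.1" 200 8812
198.51.100.7 - - [23/Aug/2010:10:00:03 +0000] "GET /apps/news/infocus/sgspeeches/print_full.asp?statID=10%275 HTTP/1.1" 500 314
198.51.100.7 - - [23/Aug/2010:10:00:04 +0000] "GET /article.php?id=D986%27V0E80 HTTP/1.1" 200 2290
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD URL PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def quoted_params(url):
    """Return (name, value) pairs whose URL-decoded value contains a single
    quote; decoding first is what catches %27 as well as a literal quote."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if "'" in v]


def find_probes(log_text):
    """Scan log lines and collect requests with a quote inside a parameter.
    A 500 status on such a request means the quote reached the query engine,
    which is the 'SQL error back' symptom the posts describe."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in Common Log Format
        params = quoted_params(match["url"])
        if params:
            hits.append({"ip": match["ip"], "url": match["url"],
                         "status": int(match["status"]), "params": params})
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        flag = "SERVER ERROR" if hit["status"] >= 500 else ""
        print(hit["ip"], hit["status"], hit["params"], flag)
```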