Wednesday, July 25, 2007

Anatomy of a hack: It only takes a few minutes - 19 May 2005

Thousands of companies have left their core data vulnerable to unauthorised access through badly designed websites. With the assistance of Bawden Quinn's Stewart Twynham, it took little more than 20 minutes to crack a typical site.

According to Twynham, one of the top 10 vulnerabilities is a result of companies hosting their websites on the same database as their operational and financial management systems.

Maintaining the one database saves money on software licence costs, but if precautions are not put in place to lock down the non-web database tables, intruders can quickly gain access to your data.

In a 30-minute demonstration for AccountingWEB, Twynham demonstrated how easy it is to "crack" a typical site through a process known as SQL injection. Using SQL database commands such as select, group and union, it is possible to map the server's SQL data tables and ultimately extract details. The information that can be accessed often includes sensitive data such as user identities, passwords and bank account details. Should the hacker identify administrator-level passwords, they can effectively take control of your database and change the information it contains.

"This technique does not only affect your website - it talks to the database that runs your businesses. Once the cracker has broken in, they have access to your whole network," says Twynham.

To confirm that he was not just running through a Blue Peter-style pre-prepared exercise, Twynham connected to the websites of two leading accountancy software suppliers that contained the same vulnerability.

If you think that firewalls and anti-virus software will protect your systems, think again. Twynham comments that the software industry is keen to supply highly functional tools - but is not so diligent about training its customers on their inherent weaknesses.

If you are worried by the implications of this article, Twynham explains that the solution is not necessarily about spending more money on clever hardware or software, it's more a question of learning more about the vulnerabilities and adjusting your system configuration to minimise the risks.

"Error messages can tell you all sorts of things about a site and the underlying database if the error message is passed to the browser," he says. "Inexperienced web designers will often allow this to happen, but the first rule of design should be that if an error occurs, return the message, 'We're sorry, but an error has occurred' - and nothing else."

Directing the novice cracker to the website of a recruitment consultancy named "Grabbit & Runn", Twynham explained how to inject an SQL statement into the underlying database via the site's user login box.

After receiving the partial SQL query, the website returned the message, "Microsoft OLE DB Provider for SQL Server error' unclosed quotation mark after password."

The message confirmed that an SQL Server database was hosting the site - one that will happily divulge its contents through a series of "group by" statements. The first such query identified the first column within the data table to be "idno", and further queries revealed column names such as "username", "password" and "realname". It was then a matter of forcing the error message to reveal actual usernames and passwords from the database.

Like many SQL Server-based websites, Grabbit & Runn uses SQL Server data tables to hold the content published on its website. This can often be detected in the URLs of web pages that include code such as: "news.asp?content=19"

By clicking on a news content page, and replacing the data string following "content=" with a single apostrophe, the page returns one of the hacker's favourite error messages:

"Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string 'news'."

Through a process of trial and error, it was then possible to identify the number of data columns within the table, after which we were able to read the contents of any of the tables within the database at will.

By sending SQL commands to the database from the web URL, it is not difficult to alter and delete data contained within the database. And if your accounts information, customer contacts, bank details and personnel data are held on the same server, they could be vulnerable.
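As an added illustration (not code from the article or from Bawden Quinn), the "news.asp?content=" lookup is shown below in its vulnerable form beside a hardened one, using an in-memory SQLite table in place of SQL Server; the table, its contents and the function names are constructed for the example:

```python
import sqlite3

# Constructed sample data standing in for the article's news table
# (SQLite in memory is used instead of SQL Server so the example runs offline).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(idno INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (19, 'Quarterly results');
    """)
    return con

# Vulnerable pattern: the "content=" value is pasted straight into the SQL text,
# and the raw database error is passed back to the browser. A single apostrophe
# breaks the query and the engine's own message reveals what is behind the page.
def news_unsafe(con, content):
    sql = "SELECT title FROM news WHERE idno = '" + content + "'"
    try:
        row = con.execute(sql).fetchone()
        return row[0] if row else None
    except sqlite3.Error as e:
        return "DB error: " + str(e)   # leaks engine details, as in the article

# Hardened pattern: a parameterised query keeps the input as data rather than
# SQL, and any failure is reported with the fixed message Twynham recommends.
def news_safe(con, content):
    try:
        row = con.execute("SELECT title FROM news WHERE idno = ?", (content,)).fetchone()
        return row[0] if row else None
    except sqlite3.Error:
        return "We're sorry, but an error has occurred"

if __name__ == "__main__":
    con = make_db()
    print(news_unsafe(con, "19"))   # Quarterly results
    print(news_unsafe(con, "'"))    # DB error: ... (engine parse error exposed)
    print(news_safe(con, "'"))      # None (no match, no error text)
```

The same fix applies to the login box: bind the username and password as parameters and never echo the provider's error string to the client.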

"SQL Server, mySQL, PostgreSQL and other systems are not databases. They're database management systems," explains Twynham. "As well as holding your data, they have functions that enable them to control lots of databases. And they hold the information on all your data in their own database tables.

"Every DBMS has these tools for database administrators," warns Twynham. "If you don't deactivate these control functions, they're there for the hacker to use."

If your website is compromised, unauthorised users can access the information contained in all of the data tables on your database server. Running an "extended stored procedure" allowed us to open a command shell, create a brand new administrator account, and minutes later we had logged onto the server remotely.

Leaving the Grabbit & Runn demo site, we visited the websites of two well known accountancy software suppliers. Injecting a SQL statement returned the same telltale error messages indicating the visitor could get in.

"As software developers themselves, these are companies who should know better," says Twynham, who has informed the companies of the vulnerabilities.

"The usual response - as we have seen here - is to ignore the warnings," he notes.

"The problem is most prevalent among smaller businesses who keep all of their information on the same server to save a few thousand pounds. The developers will sell you firewalls and so on, but if you don't know what you're doing, you can open your business to hackers who can steal and delete information.

"Things are changing in the hacker community. Two or three years ago, it was people who wanted to see what damage they could do. But with phishing attacks and identity theft, it has become a lot more money-oriented. Stolen identities can be a lot more useful than just money to criminals. Recruitment companies for example might not have to worry about losing credit card data, but they probably hold thousands of identities on their books that are now very valuable."

Quoting an incident that happened to one of his clients, Twynham says an intruder managed to break into a database containing bank account numbers and overwrite the sort codes and account numbers.

"We could be doing this from a cybercafé and do things like shut down the entire database - leaving the target company unaware of why it happened."

As Twynham points out, SQL injection is just one of many techniques for gaining unauthorised access that are widely documented on the web. If you want more information on the potential vulnerabilities that may affect your system, visit the Open Web Application Security Project website.
