By Lisa Vaas  |  Posted 2007-09-07

On July 18, Sunbelt Software came across a SQL command passed as a query within a URL belonging to an arm of a European country's military. With that, any visitor can pass queries in the URL straight to the back-end database and squeeze out any data, no password required. At the time, the URL displayed what Sunbelt President Alex Eckelberry calls an "infantile" security screw-up: namely, putting production code and a back-end database into the hands of anybody who wanders by. It was, in other words, a serious security vulnerability that even the most basic security policy should have forbidden, never mind the security policy of a major defense agency.
Sunbelt, of Clearwater, Fla., alerted security researchers from the country in question. They in turn assured Sunbelt that they would notify the defense agency.
End of story? Unfortunately not. Six weeks later, Sunbelt checked the site and found it was still a sitting duck, serving up military base information to any visitor who knows how to frame a SQL query, telling potential attackers exactly which database it was running and what operating system it was using, thereby painting a day-glow arrow toward the exact class of known vulnerabilities and exploits that could bring it to its knees. Sunbelt alerted security researchers from the country in question. Again. They in turn assured Sunbelt that they would notify the defense agency. Again.

This is far from an anomaly. As evidenced by the recent attack on a portion of the Pentagon's network—allegedly perpetrated by the Chinese People's Liberation Army—continued vulnerability in defense establishments is leaving governments exposed and populaces at risk. What's worse, much of it is due to sheer sloppiness: poor security policies, unpatched systems, you name it—nothing glamorous, nothing cutting-edge, just run-of-the-mill slacker lack of attention.

The Pentagon didn't respond by the time this story was published to eWEEK's requests regarding what, if any, vulnerabilities led to the network penetration. Neither did the U.S. consulate of the European country with the serious security vulnerability, nor the defense agency that runs the site in question.

But even without specifics from the horses' mouths, finding specific vulnerabilities on these sites isn't particularly difficult. Eckelberry directed eWEEK to simply Google "sex porn". Out of the 10 top hits Sept. 6 at 4:13 EDT, eight were for pornography somehow tied in to Web servers hosted by the government of California. "Pic rough sex Pic revenge sex Pic russian porn free" is a typical return.

On the face of it, redirects to porn sites might not seem as serious as a defense agency whose database is a few keystrokes away from being nakedly displayed in public.
But these porn sites aren't necessarily benign—many serve up Trojans. And the fact that government servers can be used with impunity to plant redirects for spyware and porn sites reflects the fact that the U.S. government, just like the European country's military and its naked database, has spotty network security.

This was made starkly evident last week when the official site of Lawrence Livermore National Labs—the institution entrusted with safeguarding the U.S. nuclear arsenal—was found to be hosting unauthorized advertisements and blogs. According to the Washington Post Aug. 25, the blogs linked to "illegal prescription drug sites hawking everything from generic painkillers to erectile dysfunction medication." Until recently, several pages—not just inserted links, but actual full pages—on the Lawrence Livermore site were redirecting visitors to other sites that tried to exploit browser security flaws to install malware, the Washington Post quoted a source as saying.

In addition, Eckelberry said that as of the week of Aug. 27, a number of government sites were redirecting to porn pages requiring visitors to view a sex video by downloading a fake codec—a program that performs encoding and decoding on a digital data stream—that in fact was a piece of malware.

It's all happening because of the most banal of reasons: namely, people aren't keeping systems patched, Eckelberry said. An unpatched system is particularly fun for attackers to play with when it's supported by spongy security policies. The European country's defense agency's site is a case in point.

Here's a quick tutorial that will demonstrate how mind-bogglingly easy it is to gain entry to a site that's been constructed with poor security parameters. This is a partial chunk of the defense agency's URL, with its name and the search terms used to drain the back-end database obscured, and with certain terms translated to English in order to more thoroughly protect the country in question:

http://www.obscuredsitename/obscured/index.asp?npag=1%20&strsql=select+%2A+from+obscuredsearchterm++where+category+like+%00%00 obscuredcategoryname%00%00+++order+by+data%5Fgara+DESC%0C+id+%0B

The value of the strsql parameter is an SQL query. The URL has been designed to work in production—i.e., it is able to actively query the database and return data as an HTML page.
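To make the flaw concrete, here is an added example in Python (not the agency's code, which was classic ASP and was never published): a handler that executes the strsql parameter verbatim, as the URL above implies, beside the parameterized replacement, plus a small detector that flags the same pattern in web-server access logs. The SQLite stand-in, the table and column names other than data_gara, the allowlist and the log line are all constructed for this example.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the agency's back-end: an in-memory SQLite database
# with a table shaped like the one the obscured URL queries. Apart from the
# data_gara column seen in the URL, all names and rows are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bases(id INTEGER, category TEXT, data_gara TEXT, name TEXT);
        INSERT INTO bases VALUES (1, 'air', '2007-01-02', 'Base A'),
                                 (2, 'naval', '2007-03-04', 'Base B');
        CREATE TABLE staff(id INTEGER, login TEXT);
        INSERT INTO staff VALUES (1, 'admin');
    """)
    return db

def vulnerable_handler(db, url):
    """The flaw described in the article: the strsql value from the query
    string is handed to the database verbatim, so the visitor, not the
    application, decides which statement runs."""
    qs = parse_qs(urlsplit(url).query)   # parse_qs also decodes %2A and '+'
    return db.execute(qs["strsql"][0]).fetchall()

ALLOWED_CATEGORIES = {"air", "naval"}    # constructed server-side allowlist

def hardened_handler(db, url):
    """Fixed form: the SQL text is fixed in code; the client supplies only a
    category value that is checked against an allowlist and bound as a
    parameter. Any strsql parameter the client sends is simply ignored."""
    qs = parse_qs(urlsplit(url).query)
    category = qs.get("category", [""])[0]
    if category not in ALLOWED_CATEGORIES:
        raise ValueError("unknown category")
    sql = "SELECT * FROM bases WHERE category LIKE ? ORDER BY data_gara DESC, id"
    return db.execute(sql, (category,)).fetchall()

SQL_VERB = re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I)

def flag_sql_in_request(log_line):
    """Detection for the same pattern in an access log (combined format,
    constructed): return the names of query parameters whose decoded value
    contains an SQL verb, so such requests can be alerted on."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not m:
        return []
    qs = parse_qs(urlsplit(m.group(1)).query)
    return [k for k, vals in qs.items() if any(SQL_VERB.search(v) for v in vals)]
```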

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
