-Defense Department"> On July 18, Sunbelt Software came across a SQL command passed as a query within a URL belonging to an arm of a European countrys military. With that, any visitor can pass queries in the URL straight to the back-end database and squeeze out any data, no password required. At the time, the URL displayed what Sunbelt President Alex Eckelberry calls an "infantile" security screw-up: Namely, putting production code and a back-end database into the hands of anybody who wanders by. It was, in other words, a serious security vulnerability that even the most basic security policy should have forbidden, never mind the security policy of a major defense agency.End of story? Unfortunately not. Six weeks later, Sunbelt checked the site and found it was still a sitting duck, serving up military base information to any visitor who knows how to frame a SQL query, telling potential attackers exactly which database it was running and what operating system it was using, thereby painting a day-glow arrow toward the exact class of known vulnerabilities and exploits that could bring it to its knees. Sunbelt alerted security researchers from the country in question. Again. They in turn assured Sunbelt that they would notify the defense agency. Again. This is far from an anomaly. As evidenced by the recent attack on a portion of the Pentagons networkallegedly perpetrated by the Chinese Peoples Liberation Armycontinued vulnerability in defense establishments is leaving governments exposed and populaces at risk. Whats worse, much of it is due to sheer sloppiness: Poor security policies, unpatched systems, you name itnothing glamorous, nothing cutting-edge, just run-of-the-mill slacker lack of attention. The most malware is made in China. Click here to read more. The Pentagon didnt respond by the time this story was published to eWEEKs requests regarding what, if any, vulnerabilities led to the network penetration. Neither did the U.S. consulate of the European country with the serious security vulnerability, nor the defense agency that runs the site in question. But even without specifics from the horses mouths, finding specific vulnerabilities on these sites isnt particularly difficult. Eckelberry directed eWEEK to simply Google "sex porn site:.gov." Out of the 10 top hits Sept. 6 at 4:13 EDT, eight were for pornography somehow tied in to Web servers hosted by the government of California. "Pic rough sex Pic revenge sex Pic russian porn free" is a typical return. On the face of it, redirects to porn sites might not seem as serious as a defense agency whose database is a few keystrokes away from being nakedly displayed in public. But these porn sites arent necessarily benignmany serve up Trojans. And the fact that government servers can be used with impudence to plant redirects for spyware and porn sites reflects the fact that the U.S. government, just like the European countrys military and its naked database, has spotty network security. This was made starkly evident last week when the official site of Lawrence Livermore National Labsthe institution entrusted with safeguarding the U.S. nuclear arsenalwas found to be hosting unauthorized advertisements and blogs. According to the Washington Post Aug. 25, the blogs linked to "illegal prescription drug sites hawking everything from generic painkillers to erectile dysfunction medication." Until recently, several pagesnot just inserted links, but actual full pageson the Lawrence Livermore site were redirecting visitors to other sites that tried to exploit browser security flaws to install malware, the Washington Post quoted a source as saying. In addition, Eckelberry said that as of the week of Aug. 27, a number of government sites were redirecting to porn pages requiring visitors to view a sex video by downloading a fake codeca program that performs encoding and decoding on a digital data streamthat in fact was a piece of malware. Its all happening because of the most banal of reasons: Namely, people arent keeping systems patched, Eckelberry said. An unpatched system is particularly fun for attackers to play with when its supported by spongy security policies. The European countrys defense agencys site is a case in point. Heres a quick tutorial that will demonstrate how mind-bogglingly easy it is to gain entry to a site thats been constructed with poor security parameters. This is a partial chunk of the defense agencys URL, with its name and the search terms used to drain the back-end database obscured, and with certain terms translated to English in order to more thoroughly protect the country in question: http://www. obscuredsitename/obscured/index.asp?npag=1%20&strsql=select+%2A+from+obscuredsearchterm++where+category+like+%00%00 obscuredcategoryname%00%00+++order+by+data%5Fgara+DESC%0C+id+%0B. The text in blue is an SQL query. The URL has been designed to work in productioni.e., it is able to actively query the database and return data as an HTML page. Page 2: No-Defense Department
Sunbelt, of Clearwater, Fla., alerted security researchers from the country in question. They in turn assured Sunbelt that they would notify the defense agency.