Anatomy of a hack: It only takes a few minutes

Thousands of companies have left their core data vulnerable to unauthorised access through badly designed websites.

Continued...


Comments

Sensitive Data

base813

I have recently been learning about what is known as "google hacking" - where sensitive information is very much available to anyone who is able to use Google's search engine in a more detailed way. I am so so surprised at the amount of information and access there is out there from organisations that pay someone to set up their networks.

Some examples I have found with a simple Google search:

Databases with user names and passwords for networks
Excel spreadsheets with financial information
Banking details
Admin passwords for networks

Please note that the idea of Google hacking is finding problems and alerting the people whose information is out there, accessible to the masses. It just shows what people have accessible with only a search engine!

I am not a "techie" but know enough to find information I should not be able to - If I can do this then who knows what people with the knowledge to use the information can do.

It is very worrying.........

HMRC Website

jvallender

I would like to second the earlier comment about testing the HMRC; I would be very interested to see how it handles.

Acceptance of the "problem" is a real problem

Anonymous

There are always a few checks I perform on a website before entering any details. Quite often these will fail; these days I just move on, and the website has lost my custom.

A couple of years ago I tried reporting these types of problems to various websites, but it was like bashing your head against a brick wall, and a completely thankless task. There is still one retail site that acknowledged a problem over 2 years ago, yet the problem is still there, leaking customer data to anyone who knows how to get it.

Another site that I had given my credit card number to took a month to pass on my concerns to the technical department; all that time there were large holes allowing access to their database.

The problem remains that, as an outsider, convincing a site there is a problem is very difficult without breaching the Computer Misuse Act. So these days I just "walk" away and leave the website (and maybe your details) exposed.

Security 101 - one of the most basic hacks

dogsbreath

SQL injection is one of the most basic hacks to try on a website, well, after playing with the URL.

Any software developer who doesn't 'sanitise' any input needs a slap. The basic principle is that anything and everything that comes to your web application from the internet should be treated as dubious. In fact, it should be assumed that it's coming from a hacker.

It's almost trivial to create sanitisation functions. For instance, if it's a surname, then why allow characters other than A-Z, space, hyphen and apostrophe? Also, there's no such name as "drop table", "' OR TRUE OR '", or "*".

One of the funniest stories I've heard was a hacker who had a go at a university alumni website. He used SQL injection to log on as an administrator and was amazed to see passwords in plain text (i.e. not encrypted). He noticed one of the users had a hotmail email address, tried the password and got in! There was an email from this person's girlfriend talking about them meeting up, so the hacker replied "I told you once, you're dumped!".

SQL injection has been known about for years, yet the same mistakes are depressingly made time and again.

The other hack is to force the website to throw an error by passing it invalid arguments in the querystring. The error message is often extremely interesting and gives you the information to get in for more fun and mayhem.

The best one is where there's an Access database involved which is stored in the website. You can often download the entire database! Just imagine if that contained credit card details.

Accountants: pay peanuts and you get monkeys. Use a novice to create your web applications and pay the price. Your choice.

Happy hacking!
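As an added illustration of the two points in the comment above (this is example code, not part of the original post), the following Python puts the string-splicing mistake beside the fix: an allow-list check for a surname as described, followed by a parameterised query. The table, rows and the `lookup_*` function names are constructed for the example; note that the allow-list alone would still accept "drop table", which is exactly why the value is bound as a parameter rather than spliced into the SQL text.

```python
import re
import sqlite3

# Allow-list for a surname, as the comment suggests: letters, space, hyphen and
# apostrophe only. The exact pattern is this example's own choice; real-world
# names may need a wider character set.
SURNAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,63}$")


def is_valid_surname(value: str) -> bool:
    """Return True only if the input matches the surname allow-list."""
    return SURNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a web app's customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT, account TEXT)")
    conn.executemany(
        "INSERT INTO customers (surname, account) VALUES (?, ?)",
        [("Smith", "11-22-33 01234567"),        # constructed sample rows
         ("O'Brien", "44-55-66 07654321"),
         ("Lloyd-Jones", "77-88-99 01112223")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, surname: str) -> list:
    """The mistake the comment describes: user input spliced straight into the SQL.
    "' OR TRUE OR '" turns the WHERE clause into a tautology and returns every row;
    a legitimate apostrophe such as O'Brien breaks the statement instead."""
    sql = "SELECT surname FROM customers WHERE surname = '" + surname + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, surname: str) -> list:
    """Validate against the allow-list, then bind the value as a parameter so the
    database driver never interprets it as SQL. Rejected input raises before any
    query is run, which is also the place to log the attempt."""
    if not is_valid_surname(surname):
        raise ValueError("surname failed input validation")
    sql = "SELECT surname FROM customers WHERE surname = ?"
    return [row[0] for row in conn.execute(sql, (surname,))]
```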

Acceptance of the "problem"

sctwynham

Glenn,

What is more worrying is that I am increasingly meeting with suppliers who simply refuse to accept that there is any kind of problem with their work.

Even when faced with a list of bank account numbers downloaded from their application, and a picture of me as the new backdrop on their server, it seems you have to show developers step-by-step the methods used before the little light bulb turns on above their head, usually closely followed by their jaws hitting the table when they realise just what a malicious user *could* do with their application...

As you point out, these tricks aren't new. I used to use similar tricks back in my Unix days over 15 years ago. When it comes to processing user input: trust no-one, suspect everyone, believe nothing, then build the rest of the system on the basis that they've already broken in anyway.

I'll be covering these points in future articles.

Stewart Twynham
stewart@bawden-quinn.co.uk

Hmm......

Anonymous

This is a bit worrying.

How vulnerable is the HMRC website as far as identity theft goes? I wonder if Stewart Twynham can carry out a few tests for us.