Hacktivists Using SQL Injections to Target Government Data


Over the last year, hacktivists driven by ideological differences have targeted government data around the world at a persistent rate. The lines are blurred with most of these attacks, as there are multiple motives behind them. However, one common theme to these attacks is the simplicity with which they are carried out. Hacktivists use an attack method known as SQL injection to extract information from SQL databases that are vulnerable and exposed online.

OWASP lists SQL injection as the number one web vulnerability. SQL injection is an attack on web applications that takes advantage of poor application coding in which inputs are not sanitized, exposing application vulnerabilities. It is the most famous type of injection attack, a class that also includes LDAP and XML injection. The idea behind an SQL injection is to modify an application's SQL query in order to access or modify unauthorized data or run malicious programs. Most web applications rely on databases where the application data is stored and accessed through SQL queries, and modification of these queries can result in taking control of the application. For example, an attacker would be able to access the application's backend database with administrator access, run remote commands on the server, drop or create objects in the database, and more.

For instance, the SQL query below, which authenticates users, is common in web applications:

myQuery = "SELECT * FROM userstable WHERE username = 'userinput1' and password = 'userinput2';"

Replacing userinput1 with 'OR 1=1'); -- would grant the attacker access to the database without knowing the real username and password, because the assertion "1=1" is always true and the rest of the query is ignored after the comment characters.

Replacing userinput1 with ' OR 1=1"); drop table users;-- would additionally drop the application's users table.


Recent Government hacks:

COMELEC – The database of the Philippine Commission on Elections was breached via an SQL injection that resulted in exposing 55 million voters.

Country Liberal Party – An 18-year-old launched an SQL injection attack against the Country Liberal Party in Australia that resulted in 117 members' personal information being exposed.

UN Climate Change Summit – Members of Anonymous allegedly used an SQL injection to target the UN Climate Change Summit website. This attack resulted in the hackers gaining access and leaking data containing usernames, passwords, emails, titles and more.

European Space Agency – Anonymous targeted the European Space Agency with a reported blind SQL injection vulnerability that granted them access to the ESA's database and resulted in leaked information of over 8000 names, emails and passwords.

Hacktivists are the digital activists of our era, and are not going away any time soon. They can now take a stand on social and political issues on a global scale—without digital boundaries. Arguably, the most dangerous aspect of hacktivism is the intent. While many fight for political and social change, others will use these operations for personal and financial gain. Importantly, hacktivist groups are not as “leaderless” as they might have everyone believe. Motivation of a group’s leaders can be difficult to discern. Leaders could be propagandists, or foreign powers attempting to subvert a group into carrying out an attack for them. However, what all operations share is the exploitation of a “gang” mentality to build momentum and scale—tapping into the social fad and feeding some people’s desire to feel important. Given the amount of media attention data leaks attract, they serve as motivation for attackers to leak more data. Protests are now taken to the digital world via attacks that include denial of service and SQL injections.


2 COMMENTS

  1. So here is the idea. Database servers take the incoming SQL query and run it through a parser resulting in a parse tree. Then they turn the tree into a plan and execute the plan.

    The essence of injection is that the parser produces a tree different from the one intended by the programmer.

    So the fix is to be able to detect unusual parse trees. Walk the tree after parsing and produce a string in canonical form minus the data values. Compute a SHA hash of the string. Keep a table of known hashes for the application/database user. Warn or abort if the server sees an unknown hash.

    Obviously, there is a startup problem. So the programmer would have to run the application in a testing mode, extract the hashes after exhaustive testing, and then load the server with the hashes on application startup. Then turn on abort-on-new-hash and no more SQL injection would be possible.

  2. I loved to play this game more because I have seen lots of new features have been seen when you can update this game then you can seen you can update this game without getting any cost.
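The fingerprint allowlist proposed in the first comment, sketched as an added example that is not code from the article or from the commenter. It approximates the parse tree with a token stream (an assumption; the comment describes walking the database server's own tree), and QueryGate, canonical and the sample logins are hypothetical names and data.

```python
import hashlib
import re

# Token-level stand-in for the server's parse tree (assumption, see lead-in).
TOKEN = re.compile(r"""
    (?P<str>'(?:[^']|'')*')             # string literal
  | (?P<comment>--[^\n]*|/\*.*?\*/)     # SQL comments
  | (?P<num>\d+(?:\.\d+)?)              # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)    # keyword or identifier
  | (?P<op>[^\s\w])                     # operator or punctuation
""", re.VERBOSE | re.DOTALL)

def canonical(sql):
    """Query structure with every data value replaced by '?'."""
    out = []
    for m in TOKEN.finditer(sql):
        if m.lastgroup in ("str", "num"):
            out.append("?")
        elif m.lastgroup != "comment":
            out.append(m.group().upper())
    return " ".join(out)

def fingerprint(sql):
    return hashlib.sha256(canonical(sql).encode()).hexdigest()

class QueryGate:
    # Learns fingerprints in testing mode, then rejects unknown ones.
    def __init__(self):
        self.known = set()
        self.enforce = False
    def allow(self, sql):
        h = fingerprint(sql)
        if not self.enforce:
            self.known.add(h)      # testing mode: record the shape
            return True
        return h in self.known     # enforcing: unknown shape is refused

def login_query(username, password):
    return ("SELECT * FROM userstable WHERE username = '" + username +
            "' AND password = '" + password + "';")

def demo():
    gate = QueryGate()
    gate.allow(login_query("alice", "s3cret"))   # constructed test traffic
    gate.allow(login_query("bob", "hunter2"))
    gate.enforce = True
    return (len(gate.known),
            gate.allow(login_query("carol", "pw")),
            gate.allow(login_query("' OR 1=1 --", "x")))
```

The two training logins collapse to a single fingerprint because only the structure is hashed. Input that leaves the structure unchanged passes this check, and any legitimate query shape not exercised during testing is refused once enforcement is on.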
