II. Risk of Code Injection in Universities

by JUCC ISTF

/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */


Websites and web applications are often used by universities for public access and provide required services to their end-users, including staff and students, round-the-clock (e.g., student information portal). Traditional firewalls and anti-virus tools usually offer little protection against code injection attacks which may lead to direct access to valuable backend data such as student personal records, examination results or research data.

With the ease and popularity of programming, some web application can be developed by in-house IT support staff instead of a full-scale IT development team with professional developers. As such, potential risks may sometimes be overlooked due to the following reasons:

- Lack of focus on software security testing and quality assurance
- Lack of coding guideline and hardening baseline for the internal development activities
- Lack of security training on program development for internal IT staff

As a result, these applications are more susceptible to injection attack and expose to the risks and vulnerabilities of data loss and server interruption. Examples of these risks are:

  1. Confidentiality

    Universities' information systems usually store and process sensitive data such as research data, personal information, examination results and passwords. A successful SQL injection attempt may allow retrieval of confidential data from the information system's database (i.e. by SELECT statement). For an instance, a hacker may be able to read the examination results of all students by using SQL injection through the web portal. More importantly, data leakage or data theft may happen unnoticeably

  2. Integrity

    Hackers are able to make changes or even delete information in the database by using code injection commands and thus impact the integrity of the databases. For example, a hacker may be able to modify or delete the examination results by injecting "Update / Delete" statement.

Historical Incident

NASA sites hacked via SQL injection

On 7 December 2009, two NASA sites were hacked by SQL injection which yielded the credentials of some 25 administrator accounts. The hacker also gained access to a web portal used for managing and editing those websites. Some researchers said an attacker could have tried to use that web server as an entry point into other systems NASA might control or edit the content of the sites and use them for drive-by downloads.

See the article: http://www.scmagazineus.com/nasa-sites-hacked-via-sql-injection/article/159181/

Reference:


http://www.beyondsecurity.com/about-sql-injection.html

  1. Availability

    As discussed in previous page, hackers are able to modify the information within the database. If the configuration of the user privileged right is improper, the hackers can even access and modify the authorisation privileges table and then perform further attacks such as execution of administrative operations within the database and shutdown of DBMS to cause information or services unavailable when required.

    In addition, if the hackers have found that a website is vulnerable to Cross-Site Scripting ("XSS") attack, hackers can execute scripts in a browser to compromise the website and place their defacement images on that page showing that the website is hacked, which will affect the service availability and may lead to reputation damage of organisation. More seriously, the hackers may redirect the page into a malicious page.

    By OS command injection, the attackers may execute administrative OS commands to shutdown the operating system which could cause service interruption to universities.

All in all, different types of code injection attacks can affect websites and operating system seriously from data leakage, data theft or service interruption. The resulting effect of these consequences would cause a loss of reputation of the universities or even bring legal proceedings if there is a loss of sensitive data or breach of contractual obligation.

Historical Incident

Sites hosted at Go Daddy hit by mass injection attack again

On 21 September 2010, a number of websites hosted at Go Daddy, the world's largest domain name registrar, have had malicious code injected into the pages. All infected sites had base 64-encoded JavaScript added to all of their PHP files. The rogue scripting decodes an element, which loads content from a third-party domain.

The external code redirects visitors to a scareware (i.e. rogue antivirus software) distribution website, which mimics an antivirus scan and displays fake warnings about infections on their computers. The goal of the scam is to trick users to buy licenses for a useless application which claims to be able to clean malware and obtain their credit card information.

See the article: http://enclavesecurity.com/blogs/blog/2010/09/21/sites-hosted-at-go-daddy-hit-by-mass-injection-attack-again/

Reference:

http://www.ibm.com/developerworks/tivoli/library/s-csscript/
http://www.acunetix.com/websitesecurity/xss.htm
http://cwe.mitre.org/data/definitions/78.html


[Previous section][Next section]