NASA sites hacked via SQL injection

Share this article:
Two NASA sites recently were hacked by an individual wanting to demonstrate that the sites are susceptible to SQL injection.

The websites for NASA's Instrument Systems and Technology Division and Software Engineering Division were  accessed by a researcher, who posted to his blog screen shots taken during the hack.

The researcher, using the alias "c0de.breaker," used SQL injection to hijack the sites, Gunter Ollmann, VP of research at security firm Damballa, who recently wrote about the hack, told SCMagazineUS.com on Monday.

SQL injection is an attack process where a hacker adds additional SQL code commands to a page request and the web server then tries to execute those commands within the backend database, Ollman said. Vulnerable web applications process the extra SQL commands, which then cause the web application to leak additional information, such as user credentials, which can be used to log into the targeted application.

The NASA hack yielded the credentials of some 25 administrator accounts, Ollman said. The researcher also gained access to a web portal used for managing and editing those websites.

“The researcher had the ability to add and change any content or administrators for the website,” Ollmann said.

A NASA spokesperson did not respond to an SCMagazineUS.com request for comment, but a NASA security analyst who contacted Ollman said the issues have been addressed and the sites are no longer vulnerable.

Cybercriminals constantly are looking for sites that are susceptible to SQL injection, which is a recurring problem as new content is developed and sites are updated, Ollman said.

“SQL injection is a common technique that's well understood and provides a bountiful target because you are literally going after databases, which is frequently where large stores of information exist,“ Amit Yoran, chairman and CEO of networking security monitoring firm NetWitness, told SCMagazineUS.com on Monday.

In this particular case, the researcher found the vulnerabilities, made NASA aware of them, then published findings after the websites had been fixed, Ollman said. An attacker, however, could have tried to use that web server as an entry point into other systems NASA might control or edit the content of the sites and use them for drive-by downloads.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Florida Supreme Court rules warrants a must for real-time cell location tracking

Florida Supreme Court rules warrants a must for ...

The Florida Supreme Court put the kibosh on warrantless real-time tracking using location data obtained from cell phone providers.

Modular malware for OS X includes backdoor, keylogger components

Modular malware for OS X includes backdoor, keylogger ...

The modular malware was named "Ventir," by researchers at Kaspersky.

Fake Dropbox login page nabs credentials, is hosted on Dropbox

Fake Dropbox login page nabs credentials, is hosted ...

Symantec researchers received a phishing email linking recipients to a fake Dropbox login page that is hosted on Dropbox's user content domain and served over SSL.