Tuesday, February 17, 2015

Barbados Stock Exchange (BSE) hacked

In December 2014 the website of the Barbados Stock Exchange (BSE) was targeted and defaced by a member of the Bangladesh-based hacker group known as the 3xp1r3 Cyber Army, as reported at http://loopnewsbarbados.com/2014/12/27/bse-website-hacked/ . The Barbados Stock Exchange, or BSE, is Barbados' main stock exchange; its headquarters are in the capital city, Bridgetown. Since July 4, 2001 the BSE has operated a fully electronic trading system using the order routing method. The electronic system replaced the manual system, which used an open-outcry auction method of trading.

Hacking the BSE website did not compromise the organization's local network, but it did have an operational impact on the electronic trading service and damaged the reputation of the BSE website. Besides taking the website down, the hacker rEd X claimed responsibility in a takedown notice that replaced the site's content and greeted visitors to the domain, complete with music. rEd X, a member of the Bangladeshi hacker collective known as the 3xp1r3 Cyber Army, has defaced over 600 Indian websites. The group itself has defaced more than 1000 websites as a form of protest against the film Innocence of Muslims.

Whereabouts of the hacker and attack method
The hacker who brought down the BSE website is known, but it is still very difficult to crack down on cyber criminals because the Internet makes it easy to act anonymously and from any location on the globe. Many computers used in cyber-attacks have themselves been hacked and are being controlled by someone far away. Criminal law also differs from country to country, which complicates matters when an attacker launches an attack from another jurisdiction.

To carry out website defacements, hackers often use one of the oldest and most common attack methods, SQL injection. This proven technique lets them gain unauthorized administrative access to a website or, in some cases, to the host network. Website defacers typically post negative messages or content aimed at the website administrator, business, government or organization.

Beyond the significant public embarrassment a defacement causes an organization, it can also be a gateway to wider unauthorized access and compromise of a system or network, or lead to data loss, depending on the business function of the website. For example, a defaced website that offers online payment processing may lose significant customer confidence, with customers reluctant to use the online facilities because of security concerns; a loss of online revenue can follow.

We think that one of two methods was used to hack this website:
1. SQL injection Method
2. Directory Traversal Attack

1. What is SQL Injection?
SQL Injection is a hacking technique that passes SQL commands (statements) through a web application for execution by the backend database. Web applications that do not properly sanitize their inputs are open to SQL Injection attacks, which allow hackers to read information from the database or even wipe it out. The attack takes advantage of improper coding of a web application: a hacker can inject SQL commands into, say, a login form and gain access to the data held in the database. In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.

Through SQL Injection, the hacker submits specially crafted SQL fragments with the intent of bypassing the login form and seeing what lies behind it. This is only possible if the inputs are not properly sanitized (or, better, bound as query parameters) and are instead concatenated directly into the SQL query sent to the database. SQL Injection vulnerabilities give a hacker a direct channel to the database. SQL commands include SELECT, INSERT, DELETE and DROP; DROP is as ominous as it sounds and removes the table of the given name outright.

Looking into the page source code of the Barbados Stock Exchange website, we recognized that the site is managed with the Drupal CMS. Before this website was hacked (December 2014), Drupal had issued a major warning to all its users to consider their websites compromised unless they had been updated immediately with the security patch released on 15 October 2014.

Drupal's database layer, which is designed specifically to help prevent SQL injection, was itself vulnerable to SQL injection. By exploiting the flaw in a vulnerable version of the Drupal CMS, hackers could steal personal information from the website or, in some cases, install a backdoor on the compromised system to give themselves remote access. In short, it can lead to a complete website compromise.

Updating to version 7.32 or applying the patch fixes the Drupal vulnerability, but it does not fix an already compromised website. If the website owner finds that the site is already patched but did not apply the patch himself, he should take that as a sign that the site has already been compromised, because some hackers applied the patch themselves to guarantee they were the only attacker in control of the site. That is why Drupal warned all its users to carefully inspect their systems even if they had applied the patch: already compromised websites remain exposed to serious risks.

If an attacker has added a backdoor to a system on which a vulnerable Drupal 7 was installed, then, according to the Drupal security team, website owners should take the site offline, delete all its files and databases, restore them from backups made before October 15, and then patch the site before bringing it back online.

Although users had been asked to update their websites to Drupal 7.32 within seven hours of the announcement of the vulnerability, it seems that this major warning never reached the Barbados Stock Exchange. More than two months after the announcement the website was hacked, we believe through the SQL injection method.
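How the Drupal 7 flaw fixed in 7.32 actually turned a "safe" parameterised query into an injection, modelled in Python as an added example (not code from the original post, from Drupal, or from the BSE site). Drupal's database layer lets a placeholder such as `:name` be bound to an array and expands it into `:name_0, :name_1, ...` before the query reaches the database. Before 7.32 the suffixes were taken from the array's own keys, and PHP builds arrays from form input of the form `name[key]=value`, so a client could choose those keys. The fix iterates over `array_values($data)` so the suffixes are always a numeric counter. The query text and the hostile key below are constructed for the demonstration; `patch_present()` is a heuristic check of the kind the warning above calls for, looking for the one line the 7.32 patch changed in `includes/database/database.inc`, and it is an assumption of this example that the file has not been otherwise reformatted.

```python
import re

# Constructed query: the shape Drupal 7 uses when a form field is bound to a
# named placeholder and the field arrives from the client as an array.
QUERY = "SELECT uid FROM users WHERE name IN (:name) AND status = 1"


def _expand(query: str, args: dict, trust_keys: bool):
    """Model of DatabaseConnection::expandArguments(): every placeholder bound
    to an array is rewritten into one placeholder per element, ':name' ->
    ':name_0, :name_1'. The suffixes come from the array's own keys when
    trust_keys is True (pre-7.32 behaviour) and from a counter otherwise."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (list, dict)):
            continue
        items = list(data.items()) if isinstance(data, dict) else list(enumerate(data))
        if not trust_keys:
            # 7.32 fix: foreach (array_values($data) as $i => $value)
            items = list(enumerate(value for _, value in items))
        new_keys = {f"{key}_{i}": value for i, value in items}
        # Drupal: preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query)
        query = re.sub(re.escape(key) + r"\b", lambda _m: ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_vulnerable(query: str, args: dict):
    """Pre-7.32: attacker-controlled array keys become part of the SQL text."""
    return _expand(query, args, trust_keys=True)


def expand_arguments_fixed(query: str, args: dict):
    """7.32 and later: placeholder names are derived from a counter only."""
    return _expand(query, args, trust_keys=False)


def patch_present(database_inc_source: str) -> bool:
    """Heuristic: the 7.32 patch changed 'foreach ($data as $i => $value)' in
    includes/database/database.inc to iterate over array_values($data)."""
    return "foreach (array_values($data) as $i => $value)" in database_inc_source


if __name__ == "__main__":
    # A legitimate multi-value field: both versions expand it identically.
    print(expand_arguments_fixed(QUERY, {":name": ["alice", "bob"]})[0])
    # A hostile key (constructed) such as name[0 ) OR 1=1 -- ]=x in the request:
    hostile = {":name": {"0 ) OR 1=1 -- ": "x"}}
    print(expand_arguments_vulnerable(QUERY, hostile)[0])  # injected SQL now in the query text
    print(expand_arguments_fixed(QUERY, hostile)[0])       # key discarded, query intact
```

The point to take away is that the injection happens inside the abstraction layer, before any parameter binding: the values are still bound safely, but the placeholder names themselves have been rewritten into SQL.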

Any dynamic web technology that builds SQL from user input is exposed, including ASP, ASP.NET, PHP, JSP, and CGI. All an attacker needs to perform an SQL Injection attack is a web browser, knowledge of SQL queries and some creative guesswork at important table and field names. The sheer simplicity of SQL Injection has fuelled its popularity.

2. Directory Traversal Attack
A Directory Traversal attack gives an attacker access to files, directories, and commands that reside outside the web document root. The attacker manipulates a URL so that the web site executes or reveals the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to path traversal.

Most web sites restrict user access to a specific portion of the file system, typically called the "web document root" or "CGI root" directory. These directories contain the files intended for user access and the executables needed to drive web application functionality. To reach files or execute commands elsewhere on the file system, Directory Traversal attacks rely on special character sequences, above all "../", which the file system interprets as "move up one directory".

The goal of this attack is to make an application access a file that was never intended to be accessible. It exploits missing validation of user-supplied path names rather than a flaw in the server's own code. Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks, where the path is checked before it is decoded or normalized.

With a website vulnerable to directory traversal, an attacker can step out of the root directory and access other parts of the file system. This may let the attacker view restricted files or, more dangerously, execute powerful commands on the web server, which can lead to a full compromise of the system.

Root directory
An Access Control List is used in the authorization process. It is a list which the web server's administrator uses to indicate which users or groups are able to access, modify or execute particular files on the server, as well as other access rights.

The root directory is a specific directory on the server file system in which the users are confined. Users are not able to access anything above this root.

For example:
The default root directory of IIS on Windows is C:\Inetpub\wwwroot. With this setup a user has no access to C:\Windows, but does have access to C:\Inetpub\wwwroot\news and any other directories and files under the root directory.
The root directory prevents users from accessing sensitive files on the server such as cmd.exe on Windows platforms and the passwd file on Linux/UNIX platforms.

This vulnerability can exist either in the web server software itself or in the web application code. Commands run by the attacker execute with the privileges of the account the web server (or "the website") runs as, so the damage depends on what that account has been granted access to on the system. To perform a directory traversal attack, all an attacker needs is a web browser and some knowledge of where default files and directories are found on the system.
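Mapping a requested URL path onto the document root, the naive way and the hardened way, as an added example that is not part of the original post. The document root `/var/www/html` and the request paths are assumed for the demonstration; the code does not read any file, it only decides which file the server would open. The naive version decodes and joins, so `../` sequences and absolute paths both escape the root. The hardened version decodes once, rejects NUL bytes, resolves the final path with `realpath` (collapsing `..` and following symlinks) and only then checks that it is still inside the root, which is what defeats the canonicalization variants mentioned above.

```python
import os
from urllib.parse import unquote


class TraversalError(Exception):
    """Raised when a requested path would resolve outside the document root."""


def resolve_vulnerable(web_root: str, requested: str) -> str:
    """Naive mapping of a URL path to a file: decode and join. '..' sequences
    walk out of web_root, and os.path.join discards web_root entirely when
    the request is an absolute path."""
    return os.path.normpath(os.path.join(web_root, unquote(requested)))


def resolve_safe(web_root: str, requested: str) -> str:
    """Map a URL path to a file and refuse anything outside web_root."""
    # Decode percent-encoding exactly once, as the server does. The containment
    # check runs on the final path, so '..%2f' and '%2e%2e/' are handled by the
    # same rule as a literal '../'; a double-encoded '%252e' just decodes to an
    # odd file name that stays inside the root.
    decoded = unquote(requested)
    if "\x00" in decoded:
        # A NUL byte can truncate the path in C-based servers; never pass it on.
        raise TraversalError("NUL byte in path")
    # Normalise Windows separators and treat '/x' as root-relative, not absolute.
    decoded = decoded.replace("\\", "/").lstrip("/")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # realpath collapses '..' and follows symlinks, so the comparison is made on
    # the path that would actually be opened, not on the string the client sent.
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"{requested!r} resolves outside the document root")
    return candidate


if __name__ == "__main__":
    root = "/var/www/html"  # assumed document root for the demonstration
    for path in ["news/index.html", "../../../etc/passwd",
                 "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd"]:
        print(f"{path:30} naive -> {resolve_vulnerable(root, path)}")
        try:
            print(f"{'':30} safe  -> {resolve_safe(root, path)}")
        except TraversalError as err:
            print(f"{'':30} safe  -> rejected: {err}")
```

Checking existence or permissions of the resolved file is left to the caller; the function's only job is the containment decision, and doing that on the canonical path rather than on the raw request string is the whole point.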

How to prevent website hacking
Since a website needs to be public, security mechanisms must allow public web traffic to reach the web application (generally over port 80/443). The web application in turn has open access to the database in order to return or update the requested information. Network firewalls and similar intrusion detection mechanisms therefore provide little or no defense against SQL Injection: the attack travels inside ordinary HTTP requests to the application, where the hacker uses SQL queries and creativity to get at the sensitive corporate data behind it.


Chief technical officer of the Caribbean Cyber Security Centre, Deon Olton. (FP)

The Caribbean Cyber Security Center (CCSC) believes that the best way for Caribbean businesses, organizations and governments to prevent website defacements is to have their websites tested for web application and hosting platform vulnerabilities that a hacker could exploit, and to fix all identified issues, in order of severity, as soon as possible. Ironically, in most cases the fixes for identified weaknesses are free, but you cannot fix what you do not know about, hence the importance of getting your website tested at least twice a year. The small investment in testing and fixing has been shown worldwide to be significantly less than the reputational damage and loss of customer confidence that a defaced website causes. For guidance on how to get your website tested by regional IT/cyber security resources, contact the Caribbean Cyber Security Center.