Barbados Stock Exchange (BSE) hacked
In December 2014 the website of the Barbados Stock Exchange (BSE) was targeted and defaced by a member of the hacker group known as the 3xp1r3 Cyber Army, which is based in Bangladesh. This was reported at http://loopnewsbarbados.com/2014/12/27/bse-website-hacked/. The Barbados Stock Exchange, or BSE, is Barbados' main stock exchange; its headquarters is in the capital city, Bridgetown. Since July 4, 2001 the BSE has operated a fully electronic trading system using the order routing method. The electronic system succeeded the manual system, which consisted of an open-outcry auction method of trading.
The hack of the BSE website did not compromise the organization's local network, but there was certainly an operational impact on the electronic trading service, and the reputation of the BSE website was damaged. Besides bringing the website down, the hacker rEd X claimed responsibility in a takedown notice that replaced the website and greeted visitors to the domain, accompanied by music. rEd X, a member of the Bangladeshi hacker collective known as the 3xp1r3 Cyber Army, has defaced over 600 Indian websites. The 3xp1r3 Cyber Army as a whole has defaced more than 1000 websites as a form of protest against Innocence of Muslims.
Whereabouts of the hacker and attack method
The hacker who brought down the BSE website is known, but it is still very difficult to crack down on cyber criminals, because the Internet makes it easy to act anonymously and from any location on the globe. Many computers used in cyber-attacks have themselves been hacked and are being controlled by someone far away. Criminal laws also differ from country to country, which complicates matters considerably when an attack is launched from another country.
To carry out website defacements, hackers often use one of the oldest and most common cyber-attack methods: SQL injection. This proven method lets them gain unauthorized administrative access to a website or, in some cases, to the host network. Website defacers will often post negative messages or content aimed at the website administrator, business, government or organization.
Besides the significant public embarrassment a defacement causes an organization, defacements can also be a gateway to greater unauthorized access and compromise of a system or network, or lead to data loss, depending on the business function of the website. For example, a defaced website that offers online payment processing may lose significant customer confidence: customers become reluctant to use the online capabilities because of security concerns, and a loss of online revenue can result.
We think that one of the following two methods was used to hack this website:
1. SQL injection Method
2. Directory Traversal Attack
1. What is SQL Injection?
SQL injection is a hacking technique that attempts to pass SQL commands (statements) through a web application for execution by the backend database. If input is not sanitized properly, web applications are open to SQL injection attacks that allow hackers to view information from the database or even wipe it out. SQL injection takes advantage of improper coding in your web applications: it allows a hacker to inject SQL commands into, say, a login form and thereby gain access to the data held in your database. In essence, SQL injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.
Through SQL injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form and seeing what lies behind it. This is only possible if the inputs are not properly sanitized (i.e., made invulnerable) and are sent directly to the database as part of the SQL query. SQL injection vulnerabilities give a hacker a way to communicate directly with the database. SQL commands include SELECT, INSERT, DELETE and DROP. DROP is as ominous as it sounds: it eliminates the table with a particular name.
Looking at the page source of the Barbados Stock Exchange website, we recognized that it is managed with the Drupal CMS. Before the website was hacked (December 2014), Drupal had issued a major warning to all its users to consider their websites compromised unless they had been updated immediately with a security patch released on 15 October 2014.
Drupal, which is designed specifically to help prevent SQL injection attacks on websites, was itself vulnerable to SQL injection. By exploiting the flaw in a vulnerable version of the Drupal CMS, hackers could steal personal information from the website or, in some cases, install a backdoor on the compromised system to give themselves remote access. In short, it can lead to a complete website compromise.
Updating to version 7.32 or applying the patch fixes the Drupal vulnerability, but it does not fix an already compromised website. If a website owner finds that the site has already been patched although they did not apply the patch themselves, they should take that as a symptom that the site is already compromised, because some hackers applied the patch to guarantee that they remain the only attacker in control of the site. That is why Drupal warned all its users to carefully inspect their systems even if they have applied the patch: already compromised websites are exposed to serious risks.
If an attacker has added a backdoor to a system on which a vulnerable Drupal 7 is installed, the Drupal security team recommends that website owners take the site offline, delete all its files and databases, restore them from backups made before October 15, and then patch the site before bringing it back online.
Although users had been asked to update their websites to Drupal 7.32 within seven hours of the announcement of the vulnerability, it seems this major warning never reached the Barbados Stock Exchange. One month after the announcement, this website was nevertheless hacked through the SQL injection method.
The technologies vulnerable to this attack are dynamic scripting languages, including ASP, ASP.NET, PHP, JSP and CGI. All an attacker needs to perform an SQL injection attack is a web browser, knowledge of SQL queries and creative guesswork about important table and field names. The sheer simplicity of SQL injection has fuelled its popularity.
2. Directory Traversal Attack
The directory traversal technique gives an attacker access to files, directories and commands that may reside outside the web document root directory. An attacker manipulates a URL so that the website executes or reveals the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to path traversal.
Most websites restrict user access to a specific portion of the file system, typically called the "web document root" or "CGI root" directory. These directories contain the files intended for user access and the executables needed to drive the web application. To access files or execute commands anywhere on the file system, directory traversal attacks make use of special character sequences.
The goal of the attack is to make an application access a file that was not intended to be accessible. It exploits a lack of security controls rather than a bug in the code. Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing and backtracking. Some forms of it are also canonicalization attacks.
With a website vulnerable to directory traversal, an attacker can step out of the root directory and reach other parts of the file system. This may let the attacker view restricted files or, more dangerously, execute powerful commands on the web server, which can lead to a full compromise of the system.
Root directory
An access control list (ACL) is used in the authorization process. It is a list with which the web server's administrator indicates which users or groups may access, modify or execute particular files on the server, along with other access rights.
The root directory is a specific directory on the server file system to which users are confined. Users are not able to access anything above this root.
For example: the default root directory of IIS on Windows is C:\Inetpub\wwwroot. With this setup a user has no access to C:\Windows, but does have access to C:\Inetpub\wwwroot\news and any other directories and files under the root directory.
The root directory prevents users from accessing sensitive files on the server such as cmd.exe on Windows platforms and the passwd file on Linux/UNIX platforms.
This vulnerability can exist in the web server software itself or in the web application code. Depending on how website access is set up, the attacker executes commands as the user account associated with "the website", so the impact depends on what that user has been given access to on the system. To perform a directory traversal attack, all an attacker needs is a web browser and some knowledge of where default files and directories are usually found on the system.
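The root-directory confinement described above, implemented as the check a server or application should make before opening a requested file. This is an added example and not code from the article or from any web server; the document-root layout (a news/index.html inside the root, a secret.txt and a symlink outside it) is constructed in a temporary directory, and the function names are assumptions for illustration. It goes slightly beyond the text by also handling the encoded and symlink forms the text calls canonicalization attacks.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

class TraversalError(ValueError):
    """Raised when a requested URL path would escape the document root."""

def safe_resolve(document_root, requested):
    """Map a URL path onto a file under document_root, or raise TraversalError.

    Decode the path, canonicalise it (which collapses '..' segments and follows
    symlinks), then confirm the result still lies inside the root. Comparing
    canonical paths, rather than scanning for '../' substrings, also catches
    encoded variants, which is why these are called canonicalization attacks.
    """
    root = Path(document_root).resolve()
    # Decode twice so a double-encoded '..' (%252e%252e) is not missed.
    decoded = unquote(unquote(requested))
    # Drop the leading '/' so the URL path is joined *under* the root;
    # Path('/root') / '/etc/passwd' would otherwise yield '/etc/passwd'.
    candidate = (root / decoded.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise TraversalError(f"{requested!r} escapes the document root")
    return candidate

def is_allowed(document_root, requested):
    """True if the request maps to a path inside the document root."""
    try:
        safe_resolve(document_root, requested)
        return True
    except TraversalError:
        return False

def build_demo_root():
    """Constructed layout in a temp dir: wwwroot/news/index.html inside the
    root, secret.txt outside it, and a symlink inside pointing at the secret."""
    base = Path(tempfile.mkdtemp())
    (base / "wwwroot" / "news").mkdir(parents=True)
    (base / "wwwroot" / "news" / "index.html").write_text("<h1>news</h1>")
    (base / "secret.txt").write_text("not for the web")
    (base / "wwwroot" / "link.txt").symlink_to(base / "secret.txt")
    return base / "wwwroot"

if __name__ == "__main__":
    root = build_demo_root()
    for url in ("/news/index.html", "/../secret.txt", "/%2e%2e/secret.txt", "/link.txt"):
        print(url, "->", "allowed" if is_allowed(root, url) else "rejected")
```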
How to prevent website hacking
Since a website needs to be public, security mechanisms allow public web traffic to communicate with the web application(s), generally over port 80/443. The web application has open access to the database in order to return (or update) the requested (or changed) information. Firewalls and similar intrusion detection mechanisms provide little or no defense against full-scale SQL injection attacks, because in SQL injection the hacker uses SQL queries and creativity to reach the database of sensitive corporate data through the web application itself.
Chief technical officer of the Caribbean Cyber Security Centre, Deon Olton. (FP)
The Caribbean Cyber Security Center (CCSC) believes that the best way for Caribbean businesses, organizations and governments to prevent website defacements is to have their websites tested for web application and hosting platform vulnerabilities that a hacker could exploit, and to fix all identified issues by severity as soon as possible.
Ironically, in most cases the fixes for identified website security weaknesses are free, but you cannot fix what you do not know about, hence the importance of having your website tested at least twice a year. The small investment in testing the website and fixing the identified issues has proven worldwide to be significantly less than the reputational damage and loss of customer confidence that a defaced website can cause. For guidance on getting your website tested by regional IT and cyber security resources, you can contact the Caribbean Cyber Security Center.