First published in a slightly modified form as ‘Indian Embassy Hacks: We’re a Joke of Global Hackers Community’ on www.quint.com, on 8 November.
Recently several Indian Embassy websites were hacked by Kapustkiy and Kasimierz L, two pentesters from the Netherlands, using the most basic attack in the book: SQL injection.
And it doesn’t end there:
Yes, they are making fun of India and the worst part is that they are right.
Pentesters are white or grey hat hackers who expose the loopholes in your security systems. When they are hired by an organisation to test its systems they are called white hat hackers. At other times they expose the vulnerabilities of systems without being hired, and are then called grey hat hackers. The hackers from the Netherlands exposed the vulnerabilities in the security of the Indian Embassy websites, and when they were not taken seriously they went ahead and posted the websites' database online, open to the entire world. The database contained sensitive information such as the names, contact details and addresses of Indian diplomats, along with their usernames and passwords, which were not even protected with basic hashing.
What are Web Security and SQLi?
Security is like a door to your home. If someone enters your home, they can not only steal your hard earned money but they can also air your private files as well as your dirty laundry to the rest of the world. In this analogy, an SQL Injection is the thief knocking on your door, pretending to be in need and asking for some water. You open the door to let them in and you are no longer the owner of the house.
SQL injection is an attack in which the hacker smuggles database commands into your application through the input fields or the URL of a website. The injected text is designed to be read as part of the real query, and once the database runs it, the hacker can execute any command they like against the database. That means they have a free hand to do anything to the database where all of your precious data is stored. They can copy, move, add or even delete the entire database.
How difficult is it to hack a website using SQLi?
Not at all. It is very easy, and hacking a website with SQLi is only a matter of trial and error. On the other hand, it is equally easy to prevent such an attack on your website.
Preventing such hacks doesn’t take an expert pentester to develop the website. Even a regular developer can avoid such attacks if they write the code correctly. It is all in the details. SQL parameters must be passed to the database in a certain way (as bound parameters rather than glued into the query text) to stop the serious hackers. Parsing the text of input boxes and stripping slashes deals with the small-time ones. At the very least, hash the passwords you store in your database using the freely available MD5 hashing technique. This means that even if someone gains access to the SQL database, they will not be able to read the passwords without further effort to reverse them.
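To make the difference between the two ways of building a query concrete, here is an added example (not code from the article or from the hacked sites) using Python's built-in sqlite3 module with constructed sample records; for password storage it swaps in a salted PBKDF2 hash in place of the bare MD5 mentioned above.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample records standing in for a staff directory; not the real
# embassy schema or data.
SAMPLE_USERS = [("asharma", "a.sharma@example.invalid", "correct horse"),
                ("rverma", "r.verma@example.invalid", "battery staple")]

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash (swapped in for bare MD5) so a leaked table
    # cannot simply be read back with a precomputed lookup.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, salt BLOB, pw_hash BLOB)")
    for name, email, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (name, email, salt, hash_password(pw, salt)))
    return db

def lookup_vulnerable(db: sqlite3.Connection, username: str) -> list:
    # Before: the input is pasted into the SQL text, so it can rewrite the
    # WHERE clause instead of being compared as a plain value.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db: sqlite3.Connection, username: str) -> list:
    # After: a bound parameter. The query shape is fixed before any user text
    # is seen; the driver hands the input to the engine as data only.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def verify_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Same parameterised pattern for the login check, with a constant-time compare.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"               # the textbook tautology input
    print(lookup_vulnerable(db, crafted))  # every row comes back: the leak
    print(lookup_safe(db, crafted))        # []: no such user, nothing leaks
```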
With the increase in the number of cyber attacks all across the globe, it is high time that India picked up the pace in the battle for online security; otherwise there will come a day when the economy takes a direct hit from a cyber attack. Recently there was a massive security breach in Hitachi-owned ATM machines which led to a leak of debit card information from India's national banks. A bigger hack like this can bring the economy to a complete standstill.
The negligence born of a lack of knowledge needs to end before more serious damage is done to our country. We need to provide proper training for our developers. We need to educate our children as well as our parents about the rules of security on the web. And this needs to happen now.
Ignorance may be bliss, but it comes with a cost.
It is time to invest in cyber security and, moreover, in a proper legal system that is equipped to handle such situations. Cyber security is still a low priority. Even after so many advancements, our education system still lacks proper cyber security training. No importance is given to computer classes in schools. HTML and CSS training is given to 12-year-olds when 6-year-olds are hacking full-blown gaming consoles in the US. There is still a massive shortage of security training centres and proper trainers. Anyone can watch videos on YouTube to show stunts to their friends, but it takes proper training to close all security issues. It is time to stop being a joke and be in the news for good.