18 May 2010

Liberia: New Democrat's Website Hacked

Cowardly mischief makers, possibly with the backing of some higher-ups, hacked into the website of the New Democrat over the weekend, disfiguring it with a photograph and a message scrawled on it which read: “can you feel it, your rage feeds our power”.

This paper was alerted to the hacking when a series of telephone calls, some from Germany, England, the United States and Allafrica.com, started coming in making inquiries. This is the second time the New Democrat website has been hacked.

The Management of the paper is now working on finding a solution and is also hiring professional IT experts to determine the source behind the hacking. All this is happening when this paper has been slapped with a libel suit and ordered to pay US$900,000.

Early this year, according to reports, attempts were made to hack into the personal computer of former TRC Chairman Cllr. Jerome Verdier, and there are now unconfirmed reports that similar attempts are aimed at the General Auditing Commission.

If you operate a website, or have a personal computer, you might wonder how they hack your website. There are many ways, but here is an overview of basic common techniques. We hear the same terms bandied about whenever a popular site gets hacked. You know… SQL Injection, cross site scripting, that kind of thing. But what do these things mean? Is hacking really as inaccessible as many of us imagine; a nefarious, impossibly technical twilight world forever beyond our ken or knowledge? Not really.

When you consider that you can go to Google right now and enter a search string which will return you thousands of usernames and passwords to websites, you realize that this dark science is really no mystery at all. You’ll react similarly when you see just how simple a concept SQL Injection is, and how it can be automated with simple tools. Here are the basics of how sites and web content management systems are most often hacked, and what you can do to reduce the risk of it happening to you.

SQL Injection

SQL Injection involves entering SQL code into web forms, e.g. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application.

When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you’ve entered against the relevant table in the database. If your input matches table/row data, you’re granted access (in the case of a login screen). If not, you’re knocked back out.

The Simple SQL Injection Hack

In its simplest form, this is how the SQL Injection works. It’s impossible to explain this without reverting to code for just a moment. Suppose we enter the following string in a Username field:
' OR 1=1 --

The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:
SELECT * FROM users WHERE username = 'USRTEXT'
AND password = 'PASSTEXT'

…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form. So entering ' OR 1=1 -- as your username could result in the following actually being run:
SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = ''

Two things you need to know about this:

['] closes the [username] text field.

[--] is the SQL convention for commenting code, and everything after the comment is ignored. So the actual routine now becomes:
SELECT * FROM users WHERE username = '' OR 1=1

1 is always equal to 1, last time I checked. So the authorization routine is now validated, and we are ushered in through the front door to wreak havoc and cause mischief.
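
To show what reduces the risk, here is an added example (not part of the original article) that runs the login check described above two ways against a small in-memory SQLite database: once by pasting the input into the SQL text, and once with bound parameters. The table contents, function names and sample account are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory users table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to mirror the article's query; real systems
    # store salted password hashes.
    db.execute("INSERT INTO users VALUES ('editor', 's3cret')")
    return db

def login_vulnerable(db, usrtext, passtext):
    """Pastes user input straight into the SQL string, as the article describes."""
    query = ("SELECT * FROM users WHERE username = '" + usrtext +
             "' AND password = '" + passtext + "'")
    return db.execute(query).fetchone() is not None

def login_parameterized(db, usrtext, passtext):
    """Sends input as bound parameters: quotes and -- stay data, never SQL."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (usrtext, passtext)).fetchone() is not None

PAYLOAD = "' OR 1=1 --"  # the username string quoted in the article

if __name__ == "__main__":
    db = make_db()
    checks = (("vulnerable", login_vulnerable),
              ("parameterized", login_parameterized))
    for name, fn in checks:
        print(name, "valid login:      ", fn(db, "editor", "s3cret"))
        print(name, "wrong password:   ", fn(db, "editor", "nope"))
        print(name, "article's payload:", fn(db, PAYLOAD, ""))
```

With bound parameters the database looks for a user literally named ' OR 1=1 --, finds none, and refuses the login.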

Copyright © 2010 New Democrat. All rights reserved. Distributed by AllAfrica Global Media (allAfrica.com).