Welcome!

Cloud Security Authors: Elizabeth White, Zakia Bouachraoui, Liz McMillan, Pat Romanski, Yeshim Deniz

Related Topics: @CloudExpo, Cloud Security, Government Cloud

@CloudExpo: Blog Feed Post

An Analysis of a NASA Dbase Hack-and-Dump

Recently, some news of a NASA hack-and-dump passed my twitter deck

[Editor's note: this analysis predates any official announcements by NASA]

Recently, some news of a NASA hack-and-dump passed my twitter deck.  I decided after watching a few of my friends re-tweet the news that it might be worth checking out.  At least I’d see if I could perform some password analysis on any dumped credentials, or even test out the new Crucialpoint Cloudera Hadoop password cracker on any leftover hashes.  What follows is a step-by-step methodology of how I put together the pieces on the hack, and what I think likely happened based on my experience as a web application hacker/programmer.

This is just another in a long string of NASA security breaches

First, I followed a re-tweet from someone I follow to this user account on twitter: https://twitter.com/#!/d4op.  The user is a prolific poster about security vulnerabilities and has a long list of tweets linking to pastebin.com drops with account credentials.  The NASA link is but one of many.  I follow the link in the tweet to this pastebin paste: http://pastebin.com/W2K3pTyX, and from there, to a mediafire download: http://www.mediafire.com/?962aq85rgchjs7d.

I unpacked the RAR file to find a .sql dump script, a file typically used to restore the database and it’s contents in the event of data loss.  Literally it’s a backup of the SQL data.  A few quick searches shows that, true to it’s name, it contains data from the Solar and Heliospheric observatory (SOHO) database according to tidbits of data inside of the dump, the filename, and a few other markers.

Within the dump I was unable to find any credentials, mostly it contains instrument data tables, articles, and other data of scientific and academic interest.  It does not appear as though there is any actionable data (from a security standpoint) contained within the dump.  This may mean that either the attacker did not push the attack for more, or that they were confined to accessing a single database from within a vulnerable database application.  In any event, it is clear that this database dump is publicly-accessible information from the SOHO website resources.

If it’s a SQL dump, it’s likely to be a SQL injection (one of the most commonly-exploited vulnerabilities).  Some of the other disclosures mentioned in the twitter account also appeared to be SQL-injection related, so these factors started me searching for user interactions with the NASA database — specifically search functions.  Search functions are great targets for XSS and SQL injections.  Lo and behold, one such search function exists, and it looks to have been written a great deal of time ago: http://seal.nascom.nasa.gov/cgi-bin/bib_ui_seal

I did not attack/test the website in question to confirm the vulnerability of any SQL database application (that’d be illegal without permission), but I’d say there’s a pretty high likelihood that the SQL dump was caused by either an incorrect setup on the database itself or a SQL injection from that page due to the outdated programming methodologies it is apparently using (CGI) and the primitive layout structure of the view (tabular layout, popular in late 1990′s and early 2000′s).

For more information about SQL vulnerabilities or other kinds of web application vulnerabilities, I recommend starting here: https://www.owasp.org/index.php/SQL_injection OWASP is a great resource for developers, managers, and security personnel to get together, compare notes, and build secure websites.

Read the original blog entry...

More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com

IoT & Smart Cities Stories
SYS-CON Events announced today that IoT Global Network has been named “Media Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. The IoT Global Network is a platform where you can connect with industry experts and network across the IoT community to build the successful IoT business of the future.
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear these words all day every day... lofty goals but how do we make it real? Add to that, that simply put, people don't like change. But what if we could implement and utilize these enterprise tools in a fast and "Non-Disruptive" way, enabling us to glean insights about our business, identify and reduce exposure, risk and liability, and secure business continuity?
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...