Recently several Indian Embassy websites were hacked by Kapustkiy and Kasimierz, two pentesters from the Netherlands, using the most basic security flaw there is: Structured Query Language (SQL) injection.
And if you are assuming that these websites must have had good security systems in place, you are wrong. These websites have been hacked before.
It doesn't end there.
But let's be serious, why in the world does an ''embassy'' have so many vulnerabilities....— Kapustkiy (@Kapustkiy) November 6, 2016
Yes, they are making fun of India and the worst part is that they are right.
Pentesters are white/grey hat hackers who expose the loopholes in your security systems. Most of the time they are hired by companies to test their systems. Other times they expose the vulnerabilities of systems without actually being hired, because the owners are just that dumb to keep their doors open and need to be told to close them.
These guys exposed the vulnerabilities in the security of the Indian Embassy websites, and when they were not taken seriously, they went ahead and posted the database of the websites online, open to the world. The data consisted of important information which was not even protected by basic hashing.
Security is like a door to your home. If someone enters your home, they can not only steal your hard earned money but they can also air your private files as well as your dirty laundry to the rest of the world. In this context, SQL Injection would be a thief knocking on your door, pretending to be in need and asking for some water. You open the door to let them in and you are no longer the owner of the house.
SQL injection is an attack in which the hacker maliciously inserts database commands into the queries your website runs, via the input fields of a web page or its URL.
The injected text is crafted to be read as part of the real query, and once the database runs it, the hacker can run any command he likes against the database. That means he has a free hand to do anything in the database where all of your precious data is stored. He can copy, move, add or even delete the entire database.
It is a matter of shame for the developer community of India to be facing such a situation. Being an Indian and a web developer, there is nothing more humiliating for me than this. It takes a six-year-old to hack a website using SQL injection, it is that easy. On the other hand, it takes a few lines of code to avoid such an attack.
Even then, two teenagers were able to hack and release the database of Indian Embassies. It was a good thing that they were grey hat hackers and did not even release the entire database, otherwise no one knows what would have happened had it gotten into the wrong hands.
No Security Measures Despite Repeated Hacks
With the increase in the number of cyber attacks all across the globe, it is high time that India picks up the pace in the battle for online security, otherwise there will come a day when the economy of India takes a direct hit from a cyber attack.
The negligence born of lack of knowledge needs to end before more serious damage is done to our country. We need to provide proper training for our developers. We need to educate our children as well as our parents about the rules of security on the web. And this needs to happen now.
Ignorance may be bliss, but it comes with a cost.
To avoid such hacks, it doesn't take an expert pentester to write the code of the websites. Even a regular developer can avoid such attacks if they plan the way the code is written. It is all in the way you do things. SQL parameters must be passed to the database in the proper way, as parameters rather than pasted into the query text, to keep out the big hackers.
Parse the text of input boxes and strip slashes to keep out small-time hackers. At the least, hash the passwords you store in your database using the freely available MD5 hashing technique. This means that even if someone is able to gain access to the SQL database, they will not be able to read the passwords without first cracking the hashes.
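To make the two pieces of advice above concrete, here is an added example (my own code, not anything from the article or from the hacked sites): a login lookup written the vulnerable way, with the user's input pasted into the SQL text, beside the same lookup written with bound parameters. It uses Python's built-in sqlite3 module with an in-memory database and two constructed user accounts; the table name, column names and passwords are all made up for the demonstration. For the stored passwords the example uses a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) instead of a bare MD5 digest, because an unsalted MD5 of a common password can be looked up in precomputed tables; that choice is mine, not the article's.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: 100k rounds of PBKDF2-HMAC-SHA256.
    # A per-user random salt defeats precomputed lookup tables;
    # the iteration count slows down offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a website's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    for username, password in [("alice", "correct horse"), ("bob", "battery staple")]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?)",
            (username, salt, hash_password(password, salt)),
        )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE: the user-supplied string becomes part of the SQL text, so a
    # quote character in the input changes the query's structure. The WHERE
    # clause no longer means what the developer wrote.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # SAFE: the value is bound as a parameter. The driver sends it separately
    # from the SQL text, so it is only ever compared as data.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised lookup followed by a constant-time hash comparison.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def quote_breaks_vulnerable_query(conn: sqlite3.Connection) -> bool:
    # Even an honest name containing an apostrophe makes the concatenated
    # query malformed; the parameterised version handles it as plain data.
    try:
        lookup_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"
    print("vulnerable lookup matched:", lookup_vulnerable(db, crafted))
    print("safe lookup matched:", lookup_safe(db, crafted))
    print("alice login:", login_safe(db, "alice", "correct horse"))
    print("apostrophe breaks vulnerable query:", quote_breaks_vulnerable_query(db))
```

Run it and the vulnerable lookup returns every user for the crafted input, while the parameterised lookup returns nothing, because the database compares the whole string as a username instead of interpreting the quote. The apostrophe check is worth keeping in a test suite: a query that falls over on a legitimate surname like O'Brien is the same query an attacker can bend, so a failing test there is an early warning long before anyone posts your database online.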
It is time to invest in cyber security and, moreover, in a proper legal system that is equipped to handle such situations. Cyber security still sits at the bottom of the priority list. Even after so many advancements, our education system still lacks proper training in cyber security.
No importance is given to computer classes in schools. HTML and CSS are taught to students in the eighth grade, when kids much younger than that are hacking full-blown gaming consoles in the US.
There is still a massive shortage of security training centres and proper trainers. Anyone can watch videos on YouTube to show stunts to their friends, but it takes proper training to close all security issues. It is time to stop being a joke and be in the news for good.
(The writer is a web developer, with 10 years experience in software development of all shapes and sizes. He works at a leading design studio as the lead project developer. This is a personal blog and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same)