Today almost all organizations outsource some of their IT projects to third party partners. Due to the ever changing landscape in information technology, it is virtually impossible for an organization to have internal knowledge in all domains of technology. The web presence is maybe one of the most domain where projects are outsourced to “web agencies”. Today, organizations must have an on-line presence and look attractive to customers, investors and more. You know all what we put under the term “Web 2.0”. Hélas, still today lot of web agencies don’t have a clue about security or do not give the right priority to security.
The recent attack against the Arcelor Mittal website is a very good example! They were compromised by Anonymous Belgium and some data were posted on pastebin.com. My goal is not to debate about the Anonymous Belgium’s actions (which remains illegal in Belgium as in most countries). Hacktivism has pro and cons. But when data are posted, it’s always interesting to have a look at them to learn more about the attack. In this case, the website Achille’s hell was a Perl script:
http://www.arcelormittal.com/distributionsolutions/prg/selfware.pl?id_sitemap=1 http://www.arcelormittal.com/fce/prg/selfware.pl?id_sitemap=1 http://www.arcelormittal.com/automotive/prg/selfware.pl?id_siremap=1 http://www.arcelormittal.com/distributionsolutions/prg/selfware.pl?id_sitemap=1
First, is the script common or is it part of a well-known CMS? Google gave me the answer. The query “inurl:selfware.pl” returned only 2960 hits! Most of them referring to Arcelor Mittal websites but also other domains of activity:
Of course, the same script makes other websites vulnerable to the same SQL injection. No need to fire your sqlmap, just by adding a single-quote (‘) to parameter, you get this error:
SELECT id_sitemap, s_type FROM sitemap WHERE base = 14' AND active = 'Y' ORDER BY s_order LIMIT 0,1 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND active = 'Y' ORDER BY s_order LIMIT 0,1' at line 1 at libs/selfware.pm line 591.
By checking the primary name servers and whois registration data, it’s easy to discover that all the sites mentioned above were developed by a unique web agency located in Belgium. I won’t give the name here (such companies are sometimes more reactive on the legal aspects instead of fixing their crappy code). And my goal is not destroy their image, they are big enough to do it by themselves!
Let’s put the technical stuffs aside now. What are the conclusions of this story? If you outsource some (web) development tasks to an external partner, don’t forget that YOUR name will in front of the stage! The data breach had a big impact for Arcelor Mittal. Their name was present in all media (social and classic). It’s up to you to take the appropriate measures to avoid this situation. Everything can be outsourced but not your responsibility. The written code is used by your customers or team-members and process your data! How to address this issue?
Scenario 1: You delegate the full development life-cycle to your partner. In this case, you must implement controls to verify the compliance with the original requirements during the complete development cycle.
Scenario 2: You delegate the development part to your partner but you perform the compliance controls (code review, penetration testing). This can be done internally or by a third-party partner.
In both cases, a close relation must be established with the partners. Finally don’t put all the eggs in the same bag: Some people are good developers, others are skilled system administrators. Is it a good idea to host your websites on an external server maintained by your web agency? Do they apply patches? Do they monitor the servers? Do they keep an eye on the logs? Like cloud services, the primary goal is often costs reduction. But it must be properly implemented otherwise, the costs could be… worse! Like a simple SQL injection in crappy code…