Defacing Scotland Yard.
Published on: 1204010949
I read an article about a hack attempt on the website of the Metropolitan Police [1], better known as Scotland Yard. Apparently it got defaced [2]: the attackers placed a silly picture of a greenish cuddly monster and a message mocking Scotland Yard's anti-terrorism unit. The Register talks about an insecure Windows server. The truth is far more numbing than you would expect; my bet is SQL injection, because that would make it very easy to modify their CMS. And this is probably what happened, since it was not a complete index defacement. You gotta hand it to them: they spend millions on security and fail to secure their own website. As always, most money is being spent on the wrong things in security; the firewall syndrome.
SQL injection, appending a quote to the ID parameter:
www.metpolicecareers.co.uk/default.asp?action=article&ID=1'<sql injection string>
The error message that came back gives away plenty:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near ' AND articlespub.releasetoweb = 1 AND
convert(datetime,convert(varchar,getdate())) BETWEEN articlespub.startdate AND articlespub'.
/envivocms/envivodisplayAPIfunctions.asp, line 1308
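Added illustration, not code from the original post or from the site's CMS: the query shape the leaked error message implies, rebuilt in Python over an in-memory SQLite table, beside a parameterized version that survives the same probe. The table name and the releasetoweb/startdate columns come from the error; id, title, enddate and the sample rows are assumptions.

```python
import sqlite3

# Constructed stand-in for the CMS table named in the leaked error message.
# Only articlespub.releasetoweb and articlespub.startdate appear in the error;
# id, title and enddate are assumptions made for this illustration.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articlespub (id INTEGER, title TEXT, "
                "releasetoweb INTEGER, startdate TEXT, enddate TEXT)")
    con.executemany("INSERT INTO articlespub VALUES (?, ?, ?, ?, ?)", [
        (1, "Careers home", 1, "2000-01-01", "2099-12-31"),      # published, live
        (2, "Unpublished draft", 0, "2000-01-01", "2099-12-31"),  # not released to web
    ])
    return con

# SQLite has no getdate()/convert(); date('now') stands in for the T-SQL date clause.
DATE_CLAUSE = " AND date('now') BETWEEN articlespub.startdate AND articlespub.enddate"

def fetch_article_vulnerable(con, article_id):
    # The query shape the error message implies: the raw request value is
    # spliced into the SQL text, so a quote in it becomes part of the statement.
    sql = ("SELECT id, title FROM articlespub WHERE articlespub.id = " + article_id
           + " AND articlespub.releasetoweb = 1" + DATE_CLAUSE)
    return con.execute(sql).fetchall()

def fetch_article_safe(con, article_id):
    # Hardened form: validate the type the application expects, then bind the
    # value as a parameter so the driver never lets it alter the statement.
    try:
        num = int(article_id)
    except ValueError:
        return []  # reject the request; never echo a database error to the client
    sql = ("SELECT id, title FROM articlespub WHERE articlespub.id = ?"
           " AND articlespub.releasetoweb = 1" + DATE_CLAUSE)
    return con.execute(sql, (num,)).fetchall()

def probe(fn, con, value):
    """Run a lookup the way the ASP page did: return ('ok', rows) or
    ('error', message), the latter being what leaked the query structure."""
    try:
        return ("ok", fn(con, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'"):
        print(repr(value), "vulnerable:", probe(fetch_article_vulnerable, db, value))
        print(repr(value), "safe:      ", probe(fetch_article_safe, db, value))
```

The other half of the fix is outside the code: switch off detailed database errors on the production server so the query text never reaches the browser.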
[1] http://www.theregister.co.uk/2008/02/25/met_police_defacement/
[2] screenshot on security.nl