By now, the world knows that the Oklahoma Dept. of Corrections unknowingly exposed the personal information of several thousand people for several years. Some would argue that because they were registered offenders, no one should care. However, from a technical standpoint, the flaw was preventable.
“Only two things are infinite; the universe and human stupidity, and I'm not sure about the former.” - Albert Einstein
Code is tricky; Oracle code is maddening. Do you ever wonder why DBAs (database administrators) often note separately on their resumes that they are Oracle certified? It is because Oracle is a mature, rock-solid product and one of the largest commercial database platforms in the world, and it takes training and some skill to use effectively. Oracle also ships some impressive tooling, such as servlet support and web-based administration.
With that said, when you design a public-facing application that renders tables from a database, it is wise to lock it down.
“One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL for Dummies could have easily accessed – and possibly, changed – any data within the DOC’s databases. It took me all of a minute to figure out how to download 10,597 records – SSNs and all – from their website,” Alex Papadimoulis from The Daily WTF blog wrote.
Alex broke the story about the Oklahoma DOC this week. In his blog post he showed exactly what he did to get this response from the database. He did what any coder would do, what anyone with basic SQL knowledge would think to try: he entered a query and viewed the result.
Some say his actions were illegal: he deliberately modified the query string in the address bar and used it to obtain more information than the original link intended. Class-A hacking, right? Wrong. Anyone, with good or bad intent, could have done the same thing, and there are widely available tools that automate exactly this kind of parameter tampering against the same flaw.
Alex clicked a print page link served by the Oracle Portal HTTP server at http://docapp8.doc.state.ok.us/. The /pls/ path prefix (http://docapp8.doc.state.ok.us/pls/) is the tell-tale of Oracle's PL/SQL gateway (mod_plsql), which maps URL parameters directly onto the arguments of stored procedures, and it shows that the entire site was being served out of Oracle Portal.
According to Oracle, Oracle Portal is, “the industry's most complete, pre-integrated out-of-the-box portal solution available. It enables companies to quickly build, administer, and deploy enterprise portals that are standards driven, scalable, secure, and dynamic.”
That may well be true. The problem is that it is still a CMS, and like any CMS it has to be configured correctly. The Oklahoma DOC Sexual and Violent Offender Registry (SVOR) offered a print page that ran an Oracle SQL query to display records in an easy-to-print format. That is useful to someone who wants to print the information, but just as useful to anyone shopping for fresh SSNs, names and addresses. Critically, part of that query (at least the column list) was taken straight from the URL, so the browser, not the server, decided what came back.
With a little tweaking in the address bar, Alex pulled down a 7 MB file with almost 11,000 records. He contacted the Oklahoma DOC and, after a few attempts to get it corrected, noticed the page went offline only to return. “Putting the "social_security_number" in, however, no longer displayed social security numbers. It took me all of ten seconds to figure out a way around their fix,” Alex stated. Indeed, all he needed to do was capitalize the S in Social_security_number to obtain the same list: the "fix" was a case-sensitive string match on the parameter, while unquoted SQL identifiers are not case-sensitive, so the same column came back under a different spelling.
“I emailed George again, this time explaining the problem much more clearly and advising in BOLD, RED, CAPS that the "roster page" should be taken down immediately. I also demonstrated the power of the ALL_TABLES table, the contents of an "interesting" table named MSD_MONTHLY_MEDICAL_ACTIVITY, and how even their information was available for all to see.”
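As an added example (not code from Alex's post or from the DOC's application), here is a Python sketch of the vulnerable pattern described in the two paragraphs above and of the allowlist fix a practitioner would want instead. It uses an in-memory SQLite database with constructed, fictitious rows as a stand-in for the Oracle schema; the parameter shape (a column list plus a table name), the table layout and the use of `sqlite_master` in place of Oracle's ALL_TABLES are assumptions, not details from the article. It shows both the capitalisation bypass of a case-sensitive blocklist and the table enumeration that Alex demonstrated.

```python
import sqlite3

# Constructed sample data: fictitious names and SSN-shaped strings, not real records.
SAMPLE_ROWS = [
    ("Doe, John", "123-45-6789", "1 Main St"),
    ("Roe, Jane", "987-65-4321", "2 Oak Ave"),
]


def make_db():
    """In-memory SQLite stand-in for the registry schema (assumed, not the real one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (name TEXT, social_security_number TEXT, address TEXT)")
    conn.execute("CREATE TABLE msd_monthly_medical_activity (id INTEGER, note TEXT)")
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.execute("INSERT INTO msd_monthly_medical_activity VALUES (1, 'constructed')")
    return conn


# --- Vulnerable shape: column list and table name come straight from the URL ---
BLOCKED = ("social_security_number",)  # the "fix": one case-sensitive string


def vulnerable_print_page(conn, columns, table="offenders"):
    for word in BLOCKED:
        if word in columns:  # 'Social_security_number' is not caught
            raise PermissionError("blocked column")
    sql = f"SELECT {columns} FROM {table}"  # raw interpolation: the whole flaw
    return conn.execute(sql).fetchall()


# --- Hardened shape: allowlist of canonical identifiers, matched case-insensitively ---
ALLOWED_COLUMNS = frozenset({"name", "address"})  # the SSN column is simply not offered


def hardened_print_page(conn, columns):
    requested = [c.strip().lower() for c in columns.split(",") if c.strip()]
    if not requested:
        raise ValueError("no columns requested")
    unknown = [c for c in requested if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError(f"unknown column(s): {unknown}")
    # Only allowlisted names reach the SQL text, quoted; the table is fixed in code,
    # so there is no way to point the query at a catalogue table.
    select_list = ", ".join(f'"{c}"' for c in requested)
    return conn.execute(f'SELECT {select_list} FROM "offenders"').fetchall()


def run_demo():
    """Exercise both handlers and return the results so they can be checked."""
    conn = make_db()
    out = {"blocked": False, "hardened_refused": []}
    try:
        vulnerable_print_page(conn, "name, social_security_number")
    except PermissionError:
        out["blocked"] = True  # the lowercase spelling is caught ...
    # ... but the capitalised spelling names the same column.
    out["bypass"] = vulnerable_print_page(conn, "name, Social_security_number")
    # Pointing the same handler at the catalogue lists every table (ALL_TABLES in Oracle).
    out["enumerated"] = vulnerable_print_page(conn, "name", table="sqlite_master")
    out["hardened_ok"] = hardened_print_page(conn, "Name, address")
    for attempt in ("name, Social_Security_Number", 'name" FROM sqlite_master --'):
        try:
            hardened_print_page(conn, attempt)
        except ValueError:
            out["hardened_refused"].append(attempt)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hardened handler never lets user-supplied text into the SQL at all: the request is reduced to a set of known identifiers, compared after lowercasing, and rejected outright if anything else appears. A blocklist, by contrast, has to anticipate every spelling and every alternative table, which is exactly the game the DOC lost twice.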
In the end the page was removed; no one knows whether the information was harvested for illegal use. Still, some do not care if it was, because of the nature of the list itself. The exposure was preventable: the print page should never have accepted column names or query text from the URL, and the PL/SQL gateway behind Oracle Portal can be configured to restrict which procedures and parameters it exposes.
This is not the only issue demonstrating the questionable nature of IT in Oklahoma. In 2006, an IT administrator in the state exchanged a few interesting emails with CentOS.
http://www.centos.org/modules/news/article.php?storyid=127
However, the issue is much larger, something Oklahoma's own government report notes.
“The Department of Corrections lacks an effective system for management, planning, and operation of its information technology (IT) resources…The department’s core offender management information system is unreliable and requires significant upgrade or replacement. Ongoing planning and work on the internal development of a replacement for this system has been unsuccessful, leaving the department in an extremely vulnerable position.” – DOC performance audit, 2007 (p231)
http://www.okhouse.gov/Documents/OKRVSDFinalReport080103.pdf