What’s Hard about Stealing Sensitive Data? Nothing.
What’s hard about hacking into embassies and government computers? Nothing, says a 17 year-old hacker.
The Presidential election in the U.S. was punctuated by reports of hacks of the campaign of Democratic candidate Hillary Clinton and her supporters, as well as of Democratic Party organizations. Reports and analysis pinned the blame on a group called “Fancy Bear,” a proxy for the government of Russia and, allegedly, a stealthy and sophisticated operator.
While those reports talked up the digital skullduggery, the fact is that you don’t have to be either stealthy or sophisticated to break into sensitive government and diplomatic systems. Just ask Kapustkiy.
I’m referring, of course, to the self-described 17 year old hacker who has been breaking into computers and networks operated by diplomatic missions and government agencies around the world, making off with sensitive information in the process.
Kapustkiy’s name has been in the headlines recently for attacks on seven diplomatic missions of the Indian government. Working with a partner, he leaked the personal details of hundreds of Indians, including students studying abroad in countries like Switzerland, Italy, and South Africa. Data stolen from those embassies was dumped online.
Never shy about the work that he (she?) does, Kapustkiy (@kapustkiy) has been nice enough to grant interviews to a number of security web sites, including this email interview with Pierluigi Paganini at the site Security Affairs. Asked by Paganini what was the biggest challenge in the work that he did, he answered: “nothing.”
“At this moment, nothing special in my opinion. Because all the websites that I was managed to breach were just simple a ‘SQLi.’”
By ‘SQLi,’ he’s referring to SQL injection: an exploit of a common security vulnerability found in web-based applications that allows an attacker to submit malicious commands to a back end SQL server, gaining administrative access to the underlying server or siphoning sensitive information out of a back end database.
SQL injection is no arcane problem. Injection vulnerabilities including SQL injection are the number one issue on the OWASP Top 10 list of application security risks and have been for years. SQL injection is so dangerous because the attacks are simple to construct and powerful. A basic knowledge of the SQL language and access to a web application are about all that’s needed to launch such an attack. They’re so simple that a child can use them.
Which is apparently the case with Kapustkiy, who told Security Affairs that he has been hacking since the age of 13, after getting inspired by the hacktivist group LulzSec. SQL injection was his weapon of choice then, as it is today, he says.
“When I was 13 years old I started the basic things like SQL and LFI. At that moment I’m doing some research to find some websites that were vulnerable and I found a big University in England who had an SQLi flaw. I breached its database and the website was offline for around 3 days,” he said.
Despite clearly engaging in illegal activity, Kapustkiy fancies himself as a gray hat hacker who is helping expose insecurity in websites so that their owners can repair them. He has focused on diplomatic missions and embassies not for political purposes, but just because they are low hanging fruit.
“The main thing is that it is very dangerous to have a bad security especially when you are managing the kind of data accessed by internal staff of an ‘Embassy,’” he wrote. “A lot of personal information is avaible (sp) on their websites, this data could be used for further attacks by nation-state actors.”
While the specter of “Fancy Bear” and government backed hacking crews are (rightfully) worrisome, the Kapustkiy interview should underscore that such cases are outliers. A much bigger and more stubborn problem is insecure and inadequately secured IT assets that are directly exposed to the Internet. Better hygiene and basic security blocking and tackling like applying patches and properly securing web applications from improper requests and unauthorized access are among the best and shortest paths to preventing data breaches. Keep the curious 17 year olds like Kapustikiy out, and you’re well on the way to besting Fancy Bear and the rest of the advanced persistent threat menagerie.