
Cleaning Up after Hackers: The Association for Information Systems

The specific purposes of the Association for Information Systems (AIS) are to:

To these ends, AIS intends to conduct meetings; to publish books, journals, and other materials; to cooperate with other organizations interested in the advancement and practice of information systems; to stimulate research; to promote high professional standards; and, in general, to promote the growth of information systems and to improve the profession's quality throughout the world.

Challenge:

ACI's parent company, Meeting Expectations, as a provider of technology management services to AIS, inherited a production application server that hosted 54 databases and a myriad of web-based applications developed by students and volunteers. As a result, many of the applications were vulnerable to SQL injection and Cross-Site Scripting (XSS) attacks. AIS' eLibrary had been hacked, rendering the database entries for more than 10,000 PDF papers unusable. The eLibrary is a key member benefit, so its recovery was critical. Furthermore, XSS attacks had inserted malicious JavaScript into more than 15,000 web pages, so any visitor to the site was at risk of infection.

Solution:

The first action was to temporarily shut down the site to prevent infecting innocent visitors, to identify and repair the source of the security issue, and to re-certify with the major search engines that the site was safe.

Since it would have been impossible to determine whether the server operating system had been compromised with rootkits or other access points, we built a separate, firewalled server, migrated all databases, applications and web sites to it, and got to work locking down the applications.

We used a number of scanning tools to identify the most egregious exploitable flaws, and we also read the source code of a vast number of pages written by others. There was no documentation for the applications, so we were left on our own to find the hackers' entry points.

Results:

We found that permissions had not been set appropriately on a number of databases, and that forms were not validating their input to block SQL code from being inserted. Once those were identified, privileges were set individually on each database to ensure that only those authorized to make changes could do so. We also modified the classic ASP code to suppress login strings and to reject SQL code submitted through forms.

To prevent cross-site scripting, the ACI team identified and removed the offending JavaScript from each of the 15,000 web pages using global find-and-replace software. We also identified more than 40 pages that were vulnerable to XSS and re-coded them to prevent the use of parent paths, which would contain any XSS vulnerability we might have missed.
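The two code-level fixes described above, form input validated and passed to SQL Server as a typed parameter rather than concatenated into the query, and page output HTML-encoded so injected script cannot run in a visitor's browser, look like this in classic ASP. This is an added illustration, not code from the AIS site or from ACI; the table Papers(PaperID int, Title nvarchar(200)), the open ADODB.Connection named conn and the form field id are assumed.

```asp
<%@ Language="VBScript" %>
<%
' Added example (not AIS/ACI code). Assumes a SQL Server table
' Papers(PaperID int, Title nvarchar(200)) and an already-open
' ADODB.Connection object named conn. Form field "id" is untrusted input.
Const adInteger = 3       ' ADO DataTypeEnum value, normally from adovbs.inc
Const adParamInput = 1    ' ADO ParameterDirectionEnum value

Dim rawId
rawId = Request.Form("id")

' BEFORE (vulnerable pattern): the form value is pasted into the SQL text,
' so anything other than a bare number changes the meaning of the query.
'   sql = "SELECT Title FROM Papers WHERE PaperID = " & rawId
'   Set rs = conn.Execute(sql)

' AFTER, step 1: validate that the field carries what it is supposed to,
' an integer paper id, and reject the request otherwise.
If Not IsNumeric(rawId) Or InStr(rawId, ".") > 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid paper id."
    Response.End
End If

' AFTER, step 2: send the value as a typed parameter; the SQL text itself
' never contains user input, so no quoting or keyword filtering is needed.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT Title FROM Papers WHERE PaperID = ?"
cmd.Parameters.Append cmd.CreateParameter("PaperID", adInteger, adParamInput, , CLng(rawId))
Set rs = cmd.Execute

' AFTER, step 3: HTML-encode everything written back to the page, so script
' stored in the database or reflected from the request is rendered as text.
If Not rs.EOF Then
    Response.Write "<h1>" & Server.HTMLEncode(rs("Title")) & "</h1>"
Else
    Response.Write "<p>No paper with id " & Server.HTMLEncode(rawId) & "</p>"
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```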

After numerous iterations of commercial security scans, application of Windows and SQL Server security patches, auditing of server account rights, and re-writing of many lines of code, we re-released each application to the public in priority order, starting with the eLibrary.