Information Security News: Police Web site back after hacker hits media database

[InfoSec News <alerts () infosecnews org>]

http://www.tucsoncitizen.com/daily/local/71839.php

By Renee Schafer Horton
Tucson Citizen
12.18.2007

The Tucson Police Department's Web site will be coming back online 
within the next 48 hours, Pat Johnson, TPD webmaster, said.

The Web site went down about two weeks ago after a man calling himself 
"Hmei7" hacked into it, Johnson said.

There was no danger to police data files during this time, Johnson 
explained, because Hmei7 hit only the media release database. Johnson 
said Hmei7 is from Indonesia and has hacked into hundreds of government 
Web sites internationally.

He said Hmei7 doesn't qualify as a professional hacker, because he 
doesn't seek to do permanent damage to a site, but rather cause a 
nuisance.

"I'd call him a professional prankster," Johnson said.

Using a technique called "SQL injection," which is pronounced "sequel 
injection," Hmei7 got into the TPD media release site and programmed a 
change into the search box.

"On our media site, we have a search box for the media releases," 
Johnson said. "SQL injection allows someone to type 'Mr. Jones' and a 
SQL statement and that changed all the titles of all the media releases 
to read, 'Hmei7 has touched your soul.' "

TPD was notified of the problem by someone trying to view the Web site, 
and TPD immediately shut the site down, Johnson said.

Hmei7 was able to insert the SQL injection code by getting past the city 
of Tucson firewall and the TPD firewalls, Johnson said.

Sgt. Mark Robinson said TPD information technology has been working the 
past two weeks to identify how Hmei7 gained access and to install 
security measures to prevent SQL injections from being used again.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/