BHUBANESWAR: In the latest cyber security breach, the official website of Bhubaneswar Development Authority (BDA), www.bdabbsr.in, was hacked on Monday. Though the hacker did not deface or damage the site, he manipulated information, exposing its vulnerability.
BDA vice-chairman D K Singh said, "We are examining where the problem lies. The website is working properly. Improving the security of our website is a continuous process."
"Hacking was possible because of a developing error. It is a very intelligent hacking in which the hacker can cause more damage to the site by manipulating or tampering with data," a senior official of the National Informatics Centre (NIC) said.
The tender and notice, photo-gallery, gazette notification and advertisement sections of the website were tampered with to show the messages "You have been hacked!" and "hacked by Erazer". Following the security breach, the information loaded by BDA could not be accessed.
Security experts, however, said such security breaches can be avoided by carrying out cyber security auditing at regular intervals.
"I had pointed out to the BDA authorities about the vulnerability in their site and had offered them service. But they did not respond," said Amiya Mishra, a certified ethical hacker and information security analyst.
Despite being developed by professionals, web products, web applications and e-learning portals can contain many security lapses. There are many ways in which a hacker can access a network, sources said.
"BDA website had a Basic SQL Injection problem which is commonly found in many websites and can be treated easily. Some of them being quite easy are too dangerous as they tend to give out unauthorized yet privileged access into the systems and also steal vital information," Mishra added.
"Among the most common are SQL injection, cross-site scripting, denial of service, cross-site request forgery and cookie theft. To manipulate data on a website having Basic SQL Injection issue, one can bypass the user authentication on the admin panel of the website and easily add, delete or modify any data stored in the database which is shown on the website," Mishra said.
Earlier, following a security attack last year on the official website of the Orissa government, www.orissa.gov.in/ www.orissagov.nic.in, the URL had to be changed. According to the Indian Computer Emergency Response Team, around 5,592 websites have been hacked in the first half of 2010 in the country.