Wednesday, June 12, 2013

Navy messaging system vulnerable to SQL injection, command injection, etc?

One of the people I follow on Twitter posted this breaking story that the Navy is migrating to a new system that, get this, allows commanders to send and receive operational messages that contain characters OTHER THAN ALL CAPS.  When the new system goes live, the Navy will be able to send messages in characters other than caps.

Believe it or not, the Navy has "folks that have been around for a long time and are used to uppercase and they just prefer that it stay there because of the standardized look of it."  Yep. That's all sorts of ignorant.  However, the Navy realizes that the move to mixed case words and special characters "is imminent."  The Navy acknowledged that the move is necessary because mixed case content "makes the readability better for the folks that are actually monitoring in a chat room or reading messages off a portal site."

Now there's the rub.  I'd like to believe that the Navy will properly sanitize data for their core message handling system.  I sincerely hope that the core of the system will be secure('ish).  The story changes dramatically however when it comes to personnel monitoring operational messages in chat rooms or portal sites.  I'm willing to bet that many of these portals are super-old and predate concerns about input validation.  However, because the system never before delivered mixed case content (including special characters) there was never any possibility of command or SQL injection.

If you work for the Navy, bring this up to your IT department.  Don't trust that they have the stick on this one (they probably don't).  If you live near a Navy base and ships start launching cruise missiles at WalMart two years from now (or some other such catastrophe), don't say I didn't warn you.

Seriously though, if you work for the Navy and have no idea how to evaluate your applications for secure handling of data, you can contact me for help at malwarejake <at> g-m-a-i-l dot c-o-m.

1 comment:

  1. I am using Kaspersky security for many years now, and I'd recommend this product to everybody.

    ReplyDelete

Note: Only a member of this blog may post a comment.