RIAA Web site apparently hacked over the weekend

An old-style SQL injection hack is the suspected culprit in a malicious attack on the RIAA's Web site. During the weekend, the site's framework remained online, though its content had been erased.

For well over a decade, malicious users have known how to pass unchecked SQL queries through Web forms, in what is called a SQL injection attack. With unsecured databases, it's an almost ridiculously simple hack, not really displaying any real skill or prowess on the part of the malicious user. But last weekend, one hack was notable particularly for its target.

The Recording Industry Association of America's Web site was apparently wiped completely clean of its press releases and textual content over the weekend, as screenshots posted Sunday to the Technology Expert's blog indicate.

Injected in place of the RIAA's usual press announcements, the photo evidence shows, was a link to one of the more trafficked pirated content sites on the Web.

Links posted to the Web site Reddit.com apparently invited the user to perform what's euphemistically called a "slow query." The link read, "This link runs a slooow SQL query on the RIAA's server. Don't click it; that would be wrong." Among the hundreds of comments posted there in response to that link were several congratulatory messages, plus a few curious comments blaming the RIAA -- perhaps without much evidence -- for using open source database software that could be more easily hacked, if only to point out the irony of the Association wanting to bypass paying licensing fees.

But the history of SQL injection queries goes further back than even MySQL. In 1998, I participated in a commercial demonstration of a SQL injection query very similar to the one suspected of wiping clean the RIAA's text files, doing the very same thing to a dummy Web site using an Oracle database, set up for the purpose of being attacked. Oracle had been invited to witness a staged attack for itself, though it had declined to do so. Since that time, certainly, Oracle and its competitors have established many security measures to prevent this kind of attack.

Essentially, the SQL injection query is a primordial form of the buffer overflow exploit that plagues Web browsers even today, through the use of malformed URLs. SQL queries are divided into explicit sections, where the SELECT instruction is used to retrieve records from tables and recordsets based on explicit criteria. Those criteria are expressed in the WHERE clause of the instruction, and it is that clause which can often be intentionally malformed in such a way that an operable instruction (such as DROP TABLE) is embedded where the RDBMS would normally expect to find conditional expressions (such as date < "12/31/07").
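As an added illustration (not from the original article, and not the RIAA site's code), the Python sketch below uses the standard-library sqlite3 module and a constructed press_releases table to show the WHERE-clause problem described above beside the parameterized form that prevents it. The table, column and function names, the ISO date format and the sample inputs are assumptions made for the example.

```python
import sqlite3

def make_db():
    # Constructed sample data: a tiny press-release table held in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE press_releases "
        "(id INTEGER PRIMARY KEY, title TEXT, published TEXT, draft INTEGER)"
    )
    conn.executemany(
        "INSERT INTO press_releases (title, published, draft) VALUES (?, ?, ?)",
        [("Q4 statement", "2007-12-01", 0),
         ("Year in review", "2007-12-20", 0),
         ("Unreleased memo", "2008-01-15", 1)],
    )
    return conn

def find_before_unsafe(conn, cutoff):
    # Weak form: the form value is pasted into the SQL text, so any quote
    # character in it ends the string literal and the remainder is parsed
    # as part of the WHERE clause.
    sql = ("SELECT title FROM press_releases "
           "WHERE draft = 0 AND published < '" + cutoff + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def find_before_safe(conn, cutoff):
    # Hardened form: the value is bound to a placeholder. The statement is
    # compiled first, and the value is only ever compared as data.
    sql = ("SELECT title FROM press_releases "
           "WHERE draft = 0 AND published < ? ORDER BY id")
    return [row[0] for row in conn.execute(sql, (cutoff,))]

if __name__ == "__main__":
    conn = make_db()
    benign = "2007-12-31"
    malformed = "2007-12-31' OR '1'='1"  # constructed test input
    for label, value in (("benign", benign), ("malformed", malformed)):
        print(label, "unsafe:", find_before_unsafe(conn, value))
        print(label, "safe:  ", find_before_safe(conn, value))
```

With the concatenated query, the malformed value changes the logic of the WHERE clause and the draft row is returned; with the bound parameter, the same value is just an odd-looking string and the draft filter still applies.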

Due to the MLK holiday on Monday, the RIAA's spokespeople were unavailable for comment. As of this morning, the RIAA's Web site appeared to be fully functional, though it's unclear whether its Webmasters have been able to thwart the culprit query permanently or are just continually restoring the site from backups.
