SQL injection attacks against databases rise sharply
Info-theft attempts up nearly 40-fold since beginning of year
IDG News Service - Hackers are striking databases in record numbers, trying to pilfer a rich trove of personal and financial data, a security vendor said today.
SecureWorks Inc., based in Atlanta, is detecting up to 8,000 attacks per day on databases owned by its clients, up from an average 100 to 200 attacks per day in the first three months of this year.
The statistics come from data on its 1,300 clients, including financial institutions and utilities, most of which are located in the U.S. SecureWorks provides managed security services, including intrusion detection technology along with virus and spam filtering for e-mail.
Hackers, which SecureWorks has detected working from computers in Russia, China, Brazil, Hungary and Korea, are using a method known as a SQL (structured query language) injection attack, said Jon Ramsey, Secureworks' chief technology officer.
Hackers start by using Google Inc.'s search engine to find Web pages with forms that have active content, meaning they transmit information to a database, Ramsey said.
Many Web applications do not validate the information in the forms, allowing an attacker to inject malicious SQL commands that are executed by the database. The attacker can then use automated tools to collect information from certain tables and columns in the database.
The next step is to compromise the database server by injecting more code, potentially causing a database server to download other programs from the Internet that give a hacker wider control, Ramsey said.
SQL injection attacks are very targeted and aren't likely to generate wide attention such as when a computer virus or worm widely propagates itself. An attack can take place on a Web page with a simple form, such as a mortgage payment calculator, he said.
"We're not in the age of the worm anymore," Ramsey said. "We're in the age of zero-day, specifically crafted exploits targeting an institution."
Enterprises are taking a closer look at how their databases are secured after a series of well-documented data breaches.
Visa International Inc. and MasterCard International Inc. are rewriting security rules for merchants that accept credit card payments to better guard against attacks such as SQL injection.
One high-profile SQL injection attack was aimed at CardSystems Solutions Inc., a company that processed payment data for credit-card companies. The hacker used a SQL injection attack to install a program that transferred credit-card data from a database every four days to a remote computer.
As a result, banks reported millions of dollars in fraudulent purchases using counterfeit cards. The hacker is believed to have had access to 40 million credit-card numbers.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Legal White Papers | Webcasts