Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

SQL injection attacks against databases rise sharply

Info-theft attempts up nearly 40-fold since beginning of year

July 19, 2006 12:00 PM ET

IDG News Service - Hackers are striking databases in record numbers, trying to pilfer a rich trove of personal and financial data, a security vendor said today.

SecureWorks Inc., based in Atlanta, is detecting up to 8,000 attacks per day on databases owned by its clients, up from an average 100 to 200 attacks per day in the first three months of this year.

The statistics come from data on its 1,300 clients, including financial institutions and utilities, most of which are located in the U.S. SecureWorks provides managed security services, including intrusion detection technology along with virus and spam filtering for e-mail.

Hackers, which SecureWorks has detected working from computers in Russia, China, Brazil, Hungary and Korea, are using a method known as a SQL (sequence query language) injection attack, said Jon Ramsey, Secureworks' chief technology officer.

Hackers start by using Google Inc.'s search engine to find Web pages with forms that have active content, meaning they transmit information to a database, Ramsey said.

Many Web applications do not validate the information in the forms, allowing an attacker to inject malicious SQL commands that are executed by the database. The attacker can then use automated tools to collect information from certain tables and columns in the database.

The next step is to compromise the database server by injecting more code, potentially causing a database server to download other programs from the Internet that give a hacker wider control, Ramsey said.

SQL injection attacks are very targeted and aren't likely to generate wide attention such as when a computer virus or worm widely propagates itself. An attack can take place on a Web page with a simple form, such as a mortgage payment calculator, he said.

"We're not in the age of the worm anymore," Ramsey said. "We're in the age of zero-day, specifically crafted exploits targeting an institution."

Enterprises are taking a closer look at how their databases are secured after a series of well-documented data breaches.

Visa International Inc. and MasterCard International Inc. are rewriting security rules for merchants that accept credit card payments to better guard against attacks such as SQL injection.

One high-profile SQL injection attack was aimed at CardSystems Solutions Inc., a company that processed payment data for credit-card companies. The hacker used a SQL injection attack to install a program that transferred credit-card data from a database every four days to a remote computer.

As a result, banks reported millions of dollars in fraudulent purchases using counterfeit cards. The hacker is believed to have had access to 40 million credit-card numbers.


Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.

Jump to comments

personal and financial data

Additional Resources

EFD vs. HDD - What You Need to Know
WHITE PAPER
Enterprise flash drives provide a new Tier 0 storage layer capable of delivering high I/O performance at a very low latency. Proper use of EFDs in an Oracle environment can deliver increased performance compared to fibre channel drives. Read the recommendations for identification of the best DB components for EFDs.
Gartner Research Report: Magic Quadrant for Application Delivery Controllers, 2009
WHITE PAPER
The market for products to improve the delivery of application software over networks remains dynamic and innovative. Vendors focused on solving enterprises' most-pressing application problems have become the top players.
Eight Criteria for Server Load Balancing
WHITE PAPER
Server load balancers are a simple yet highly effective means to scale an application environment while ensuring its availability. Today's solutions should also address application performance and security. Read about the top eight criteria you should consider when choosing a server load balancer and how Citrix NetScaler meets those requirements.

White Papers & Webcasts

e-Book: The Shortcut Guide to Business Security Measures Using SSL
This 45-page e-Book gives you the tools you need to detect security vulnerabilities, build an information security strategy, and plan your investment in...  

10 things you really wished you had known about PDF Security, but they didn't tell you!
Access this resource, compliments of LockLizard, for a limited time only!  

Information Leakage - the enemy is within
Access this white paper, courtesy of LockLizard, for a limited time only!  

The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.

Adobe Acrobat PDF Security - a brief history of development
Access this resource, compliments of LockLizard, for a limited time only!  

Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!

Manager Experience Demo
Go beyond self-service solutions to perform more effectively. Watch Now.


IT Jobs