SQL flaws remain an Achilles heel for IT security groups
Another example: Five charged today with using SQL injection attacks to breach corporate networks to steal some $300 million from U.S. businesses
Computerworld - Indictments filed against five persons charged in a massive international hacking scheme indicate that SQL injection vulnerabilities continue to be a huge security Achilles heel for large IT operations.
The residents of Russia and Ukraine were indicted Thursday in connection with the theft of more than 160 million credit card numbers and other financial data from a virtual Who's Who of big business, including NASDAQ, JCP, Carrefour, Discover Bank, Hannaford, Heartland and Dow Jones.
The indictments allege that the victims lost some $300 million over a seven-year period between 2005 and 2012.
In a statement, Paul Fishman, U.S. Attorney for the District of New Jersey described the attacks as "cutting edge" and called the work a threat to the U.S. economy and national security.
The indictment also suggest that the hackers, in most cases, did not employ particularly sophisticated methods to gain initial entry into the corporate networks. The papers show that in most cases, the breach was made via SQL injection flaws -- a threat that has been thoroughly documented and understood for well over than a decade.
The NASDAQ network, for instance, was initially attacked via a SQL injection vulnerability on an online password reminder page. The flaw let hackers access the network without authorization to get a foothold that eventually let them gain full administrative control.
Similarly, initial unauthorized access to corporate networks at Heartland, JC Penney, Wet Seal, Visa Jordan and Diners Singapore came as a result of SQL coding errors. In each instance, the attackers rapidly escalated their privileges on the network to install malware and backdoors for stealing credit card and other data.
Via SQL injection attacks, hackers take advantage of poorly coded Web application software to install malicious code in a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate data entered by a user -- such as when ordering something online or when resetting a password.
An attacker can take advantage of input validation errors to send malformed SQL queries to the underlying database letting them break into it, plant malicious code and/or access other systems on the network.
SQL injection flaws are relatively simple to fix, once found. The challenge for IT personnel is knowing where to look for them. There are hundreds of places in large Web applications where users can input data, each of which can provide a SQL injection opportunity.
Hackers have taken advantage of SQL injection flaws for years because they can be exploited with relative ease. In recent years, SQL injection attacks have consistently ranked as one of the most popular methods for hackers to break into networks.
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!