Comodo SQL-Injected Again and Again


by Joe C
Summary:

An SQL injection exposed a lot of personal login information and customer data for a reseller company called Comodo. The breach allowed the attackers to access employee login credentials. This Brazil-based partner reseller is the fourth Comodo partner to be attacked this year. The information the hackers obtained was posted to Pastebin, a text-sharing site. To carry out an SQL injection attack, SQL statements are inserted into entry fields such as the comment or login fields on a form. When the website builds a query from this text, the injected code can cut off the original intent of the query and execute different statements, in this case trying to return login credentials to the attacker. The president (also CEO) of Comodo claimed that the systems were never compromised and that the hackers had no access to Comodo's own databases. What the attackers did get from the customer information were names, addresses, emails, and phone numbers. Some private files were also leaked, which included user IDs and passwords. A Comodo reseller in Italy was also attacked back in March. Many organizations are currently trying to figure out solutions to the certification problem.
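The summary describes the mechanism in words: text typed into a login field becomes part of the SQL the site runs. The following is an added illustration written for this post, not code from the article or from Comodo's reseller; it uses a constructed in-memory SQLite table with hypothetical users and shows the same login check written two ways, once by string concatenation (the vulnerable pattern) and once with a parameterized query (the fix), so the difference in behaviour on the same input can be seen directly.

```python
import sqlite3


def build_db():
    """Create a constructed sample users table (not the reseller's real schema).

    Passwords are stored in plaintext only to keep the example small; a real
    system stores a salted hash and compares against that instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: user input is pasted into the SQL text.

    Anything the user types that contains a quote character changes the
    structure of the statement instead of being compared as a value.
    """
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Fixed pattern: a parameterized query.

    The SQL text is fixed; the driver binds the two inputs as data, so quotes
    or keywords in them are compared literally and never parsed as SQL.
    """
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(conn, username, password):
    """Run both checks on the same input and report the outcomes side by side."""
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "safe": login_safe(conn, username, password),
    }


if __name__ == "__main__":
    db = build_db()
    # Normal credentials: both versions agree.
    print("valid login     ", compare(db, "alice", "correct horse"))
    print("wrong password  ", compare(db, "alice", "wrong"))
    # Constructed malicious input in the password field: the concatenated
    # query's WHERE clause becomes "... OR '1'='1'" and matches every row,
    # while the parameterized query just compares the string and fails.
    print("injected input  ", compare(db, "nobody", "' OR '1'='1"))
```

Running the script shows the concatenated version accepting the injected input for a user that does not exist, while the parameterized version rejects it. The takeaway for anyone building a site from scratch is that the fix is not filtering quote characters but never assembling SQL from user-supplied strings in the first place.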

Reflection:

I have read about SQL-Injection attacks for a while now. They can be really basic scripts that newbie “hackers” start off with by just copying and pasting the code and trying it out on various sites. A lot of basic sites people run use CMSs such as WordPress, which automatically have some protection against these sorts of attacks. However, if people choose to build their own site from scratch and have not implemented security protection yet, their sites may be very vulnerable to SQL-Injection attacks. In the case of this article, it seems that these businesses/partners are pretty well developed and should have decent sites up. However, more advanced hackers can still find other ways around, or certain small vulnerabilities that they will focus on cracking open.

This article relates to our current studies in the topic of SQL statements. It talks about accessing databases, tables and personal information, which are the attribute fields on each table. All of these statements are very similar to the statements we are writing for project 3, in which we access, update, and execute various other commands. In the case of SQL-Injections where the attacker wants the website to return personal data, it would be something similar to our statements of “SELECT TOP 100 ******”, which would return a table full of attribute fields and the results they contain.

Citation:

Rashid, F. (2011, Nov. 27). SQL injection attack exposes Comodo partner customer data. eWeek. Retrieved from http://www.eweek.com/c/a/Security/SQL-Injection-Attack-Expooses-Comodo-Partner-Customer-Data-530220/


1. How much time did you spend on writing the blog post, including reading the article, thinking, writing and formatting? Please write it down at the end of your blog post (in minutes). For example, “This blog post took me 30 minutes.”

This blog took me about 45 minutes.

2. How many others’ blog posts did you read (including the ones you scanned through quickly to decide whether you want to comment on) this week? Please also write it down at the end of your blog post. For example, “I read 10 blog posts by my classmates this week.”

I read about 5 blog posts a week.

3. How much time did you spend on writing each of your comments, including reading others’ blog post, thinking, and writing? Please write it down at the end of each of your comments (in minutes). For example, “This comment took me 10 minutes.”

It takes me 5-10 minutes per comment.