Dozens of College Servers Breached by SQL Injection

by Eric C
The security of a database matters just as much as its design and performance. Many types of attacks can be carried out against a database, and the most common is SQL injection. According to a news article from CNET, hackers used SQL injections to collect thousands of pieces of personal data about students from college databases worldwide. More than fifty universities were affected, and some of the top-name colleges include Harvard, Princeton, and Stanford. To make matters worse, some 140,000 records were posted online for all to download. The information includes usernames and passwords, addresses, phone numbers, and some payroll information regarding both students and faculty. The data dump is apparently the work of a group called GhostShell, whose intent was not to reveal personal data but to “focus on higher education.” However, the group not only found personal data, but also discovered that malware had already been injected into the servers, which shows the security risks many of these database servers have.

As business rules and their data move to the SQL server, it is very important to also focus on the security of the server. Security measures must be implemented at a very early stage, and testing should be done to verify the measures put in place. SQL injections use many of the commands that we are learning in chapter five. Common commands such as SELECT, FROM, and WHERE can be used for something called a blind SQL injection, where the hackers try different statements to see if they can find vulnerabilities.

It seems that many SQL databases are very prone to SQL injections, even those of huge companies such as Sony. Sony’s PlayStation Network was hacked last year through SQL injections as well, and thousands of pieces of personal information were breached, including credit card information. Since this is the case, there must be a solid way to protect SQL servers from attack by hackers. Apparently it is easy enough for hackers to steal personal information from various servers worldwide, so tight security is a must for database administrators and designers.
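The difference between a query built by string concatenation and a parameterized query, as an added example that is not part of the original article. It uses Python's sqlite3 module; the table, column names, and records are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory table of constructed sample records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (username TEXT, phone TEXT)")
    db.executemany(
        "INSERT INTO students VALUES (?, ?)",
        [("alice", "555-0100"), ("bob", "555-0101"), ("carol", "555-0102")],
    )
    return db

def lookup_concatenated(db, username):
    """Vulnerable: the input becomes part of the SQL text itself."""
    sql = ("SELECT username, phone FROM students "
           "WHERE username = '" + username + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    """Hardened: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT username, phone FROM students WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def looks_injectable(lookup, db):
    """Regression check: if appending a true condition and a false
    condition to the same input changes the row count, the input is
    being interpreted as SQL. This is the true/false signal that
    blind SQL injection depends on."""
    true_rows = lookup(db, "alice' AND '1'='1")
    false_rows = lookup(db, "alice' AND '1'='2")
    return len(true_rows) != len(false_rows)

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input containing a quote
    print("concatenated :", lookup_concatenated(db, crafted))
    print("parameterized:", lookup_parameterized(db, crafted))
    print("concatenated injectable? ", looks_injectable(lookup_concatenated, db))
    print("parameterized injectable?", looks_injectable(lookup_parameterized, db))
```

The concatenated lookup returns every row for the crafted input, while the parameterized lookup treats the same string as an ordinary (nonexistent) username and returns nothing.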

Source:

Musil, S. (2012, October 3). Hackers post data from dozens of breached college servers. Retrieved November 11, 2012, from http://news.cnet.com/8301-1009_3-57525684-83/hackers-post-data-from-dozens-of-breached-college-servers/

2 thoughts on “Dozens of College Servers Breached by SQL Injection”

  • November 13, 2012 at 1:40 pm

    I had personally been a victim of SQL injection when Sony PlayStation Network got hacked. When hackers hacked the network, many of their customers’ personal information was breached. Fortunately, they did not use any of my information, but it was still a scary experience. Nice article, Eric.

  • November 18, 2012 at 7:52 pm

    I find it amazing that there are so many schools that were breached by this SQL injection attack. However, I think the more concerning part of the article was that many of the systems were already breached by malware before this group even got there. It reminds me of one of my CIS teachers at my Junior College talking about when he first got to the campus and found most of the computers were either infected with malware or compromised by people just trying to hack into the school's servers / desktops. Even when I was at the school someone in China was trying to hack into the servers we were using for web projects. It seems to me that it would make sense to take a more proactive approach to housing and maintaining these systems that have such critical data on them.
