Hacking using SQL{3}


by Abubaker D
Hacking is becoming more and more popular nowadays. One of the biggest identity thefts in U.S. history was made by 3 men using SQL. They basically hacked into a business payment system called Heartland. And they ended up stealing $4 million. You might wonder how they did it? Well, they used a technique called SQL injection. And according to PCMag security expert Neil Rubenking, “One form of SQL injection involves embedding other SQL commands/queries in the value passed as (in this case) username. Another type involves passing a text string (of SQL commands) in place of a numeric value.” An SQL hack is highly rewarding but at the same time your chances of getting caught are higher; because it targets businesses and organizations. A way to protect ourselves from SQL injections is to not accept any SQL statements directly. Either use parameterized statements (basically, meaning the user can do nothing but plug in values into predefined queries) or processing each query string to make it safe.”

I thought this was a helpful article because it relates to our topic of study which is SQL server. I find hacking to be a really interesting field, and I will be majoring in computer forensics. I bet a lot of other students find it interesting as well. So I thought, I will get them going with a hacking subject related to SQL servers.

I didn’t know myself that hacking can actually be done using SQL statements. I was excited when I read it, and I thought thank god I’m taking this class. I will make big money out of hacking! Just joking! I will actually work to protect businesses and organizations from hacking.

I was reading some reviews about the article, and some of the people were saying that this is a really basic hack that is so simple. And some of them were arguing that the technique to prevent SQL inject isn’t completely correct.  And here’s one of the comments “Preventing SQL injection using encryption? PC Mag, please check your facts. SQL injection is prevented by consistent usage of prepared statements.” I would like to discuss this further with the professor.

Reference: Chloe Albanesius, Erik Rhey (2010).  Inside The Biggest Online Theft Case. Retrieved from http://www.pcmag.com/article2/0,2817,2363293,00.asp