Hacking using SQL

by Abubaker D
Hacking is becoming more and more popular nowadays. One of the biggest identity thefts in U.S. history was carried out by three men using SQL. They hacked into a business payment system called Heartland and ended up stealing $4 million. You might wonder how they did it. Well, they used a technique called SQL injection. According to PCMag security expert Neil Rubenking, “One form of SQL injection involves embedding other SQL commands/queries in the value passed as (in this case) username. Another type involves passing a text string (of SQL commands) in place of a numeric value.” An SQL attack can be highly rewarding, but at the same time the chances of getting caught are higher, because it targets businesses and organizations. A way to protect against SQL injection is not to accept any SQL statements directly: either use parameterized statements (meaning the user can do nothing but plug values into predefined queries) or process each query string to make it safe.
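As an added illustration (not from the PCMag article or this post), here are the two injection shapes Rubenking describes, each beside the parameterized form the post recommends, run against a constructed in-memory SQLite table with made-up users:

```python
import sqlite3


def make_db():
    """Constructed demo database; the table and rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # Shape 1: the username is pasted into the SQL text, so anything it
    # contains (quotes, OR, comment markers) becomes part of the query.
    sql = f"SELECT username FROM users WHERE username = '{username}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    # Fix: the placeholders are bound by the driver; the values are only ever
    # data, so the same hostile username simply matches no account.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def user_by_id_vulnerable(conn, user_id):
    # Shape 2: a numeric field built by concatenation happily accepts a text
    # string of SQL in place of the expected number.
    return [row[0] for row in conn.execute(f"SELECT username FROM users WHERE id = {user_id}")]


def user_by_id_safe(conn, user_id):
    # Fix: check the type before the value reaches SQL, then bind it.
    if not isinstance(user_id, int):
        raise ValueError("user id must be an integer")
    return [row[0] for row in conn.execute("SELECT username FROM users WHERE id = ?", (user_id,))]


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR 1=1 --"  # constructed input containing SQL, as in shape 1
    print("concatenated:", login_vulnerable(db, hostile, "anything"))    # every user
    print("parameterized:", login_parameterized(db, hostile, "anything"))  # []
    print("concatenated:", user_by_id_vulnerable(db, "1 OR 1=1"))        # every user
    print("validated:", user_by_id_safe(db, 1))                          # ['alice']
```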

I thought this was a helpful article because it relates to our topic of study, which is SQL Server. I find hacking to be a really interesting field, and I will be majoring in computer forensics. I bet a lot of other students find it interesting as well, so I thought I would get them going with a hacking subject related to SQL servers.

I myself didn’t know that hacking can actually be done using SQL statements. I was excited when I read it, and I thought, thank god I’m taking this class. I will make big money out of hacking! Just joking! I will actually work to protect businesses and organizations from hacking.

I was reading some reviews of the article, and some people were saying that this is a really basic hack that is very simple. Some of them were arguing that the technique given for preventing SQL injection isn’t completely correct. Here’s one of the comments: “Preventing SQL injection using encryption? PC Mag, please check your facts. SQL injection is prevented by consistent usage of prepared statements.” I would like to discuss this further with the professor.

Reference: Chloe Albanesius, Erik Rhey (2010). Inside The Biggest Online Theft Case. Retrieved from http://www.pcmag.com/article2/0,2817,2363293,00.asp

3 thoughts on “Hacking using SQL”

  1. The fact that so much valuable/private information can be carelessly disregarded by some companies is disgusting. In today’s economy, where businesses focus on online transactions, companies should be more aware of their security vulnerabilities, especially since it can cost both the company and its customers millions of dollars.

  2. This indeed sounds intriguing. I was already looking forward to learning about SQL and also have some interest in computer forensics. As you mentioned with the heist in the beginning, exploiting systems could prove to be very dangerous when utilizing SQL directly. That could easily allow someone to access a database without having to force their way through more traditional means. SQL injection will definitely be a mechanism that I shall be leisurely researching in the near future.

    Good article. Cheers.

  3. Computer hacking and identity theft are a pretty interesting topic, and it is also interesting knowing that our class is teaching us SQL, which was used in one of the biggest identity thefts in U.S. history. Extensive knowledge of SQL could help one steal 4 million dollars? This must be one powerful tool; hopefully everyone in the class will use SQL for ethical purposes only!
