data breach

SQL Injection Remains a Constant Threat

by Brian B
The article that I picked this week is named “Black Hat is Over, But SQL Injection Attacks Persist” by Victor Cruz. The article starts off by talking about an attack that happened earlier this year to Yahoo that resulted in a break and leak of 400,000 usernames and passwords from Yahoo. It says that SQL attacks have also affected companies such as Sony and LinkedIn recently, so this is obviously still a large threat to companies. The author gives an example of SQL injection saying that “hackers visit a website and fill out a text field with a SQL statement such as 1+1=2, which the log-in field interprets as true, allowing it to pass as legitimate credentials (Cruz, 2012).” This causes the server to release confidential information accidentally because it has been tricked into thinking that a valid user has logged into the system. The article goes on to state that “Privacy Rights Clearinghouse reported that 312 million data records have been lost since 2005 and 83% of hacking-related data breaches were executed via SQL injection attacks (Cruz, 2012).” The article goes on to talk about how they are developing more reliable software to look for SQL injections and decipher them from safe input. The tool in question is called “libinjection” and is able to sort through heaps of data by converting input into tokens and checking those resulting tokens for anything that may be being sent to try and attack the server. The article finishes by saying that “SQL Injection attacks are automated and website owners may be blissfully unaware that their data could actively be at risk (Cruz, 2012).”

More Database Protection

by Alexander V
Summary:

Most people have probably heard of McAfee and their security solutions for personal computers. Now, they recently announced a database security solution that would protect databases with no loss in performance. According to the article, McAfee’s database solution will be based on their Security Connected Initiative, which means that data will be protected in all states and all centrally managed. A survey by Evalueserve showed that databases were the most difficult part of IT to protect. This can be seen from the recent outbreaks in data breaches. In addition to that, the article states that a large number of data breaches involved a database, and the majority of those breaches required technical skills to execute. McAfee’s approach to database security includes “automated discovery and assessment”, “protection”, and “manage and monitor.” “Automated discovery and assessment” uses McAfee Vulnerability Manager, which scans the network for databases and checks if they are up to date and whether they have any vulnerabilities. Their “protection” involves three layers of protection: a network firewall, application whitelisting and host intrusion prevention, and protection of the data. Last of all is “manage and monitor”: customers use McAfee’s Database Activity Monitoring software so they can monitor their databases and be alerted of real-time data breaches.