SQL injection

Defending Against SQL Hackers {1}

by Andrew S
The article talked about preventing SQL injection attacks.  Basically, an SQL injection attack targets interactive web applications that deal with database services.  As a result, an attacker may provide malicious or inaccurate information in place of what the user inputs.  Thus, an attacker could obtain and modify sensitive information.  The solution that the author comes up with is to use runtime validation in a procedure to call and check the SQL statements that the user inputs.  There is an algorithm that the author uses that verifies that the user inputs are consistent and that there are no discrepancies in their inputs.  In order to reduce the runtime analysis of the program, the program only scans portions of the queries instead of the entire query to improve efficiency and reduce execution time.  SQL injection is a common technique employed by hackers for attacking databases and the author makes solid points on how to prevent these attacks. read more...

ASP.net & SQL Injection Exploits… Again? {Comments Off on ASP.net & SQL Injection Exploits… Again?}

by Evin C
According to an article presented late last year, hackers of the world are attempting to use a technique referred to as “SQL Injection” on Microsoft’s ASP.Net platform. The troubling thing is, they have been wildly successful. The author states, “About 180,000 pages have been affected so far, security researchers say ‘attackers have planted malicious JavaScript on ASP.Net sites that causes the browser to load an iframe with one of two remote sites: www3.strongdefenseiz.in and www2.safetosecurity.rrnu.’” Using this technique they have been able to exploit this iframe and attempt to plant malware on visiting PC’s via “a number of browser drive-by exploits”. Having seen a trend in the exploitation of SQL Injection, Microsoft has released information to programmers on how to protect again such attacks since at least 2005 and the attacks continue to occur. read more...

Sony Gets Hacked {3}

by Abubaker D
So my article is about the hack that hit the Sony Europe server. You all know the name Sony, and one of their servers that is stationed in Europe got a rain of hacks. The hacker was able to get users information such as passwords, email, phone numbers and so on. The hacker’s name was Idahc, he is a Lebanese guy. Idahc said that the hack was really easy. And what’s even more interesting is that he used simple SQL statements to hack into Sony’s server. The author then goes on talking about how bad Sony’s security is and that their database administrator should be ashamed of their selves unless they don’t want to spend more money on security. The hacker also claimed that he got hands on even more juicy information from another server, such as credit cards. Sony gave its users free games and a trial for some offer that they had to make up for the compromise. read more...

SQL Injection Prevention {3}

by Jorge R
The author of my article talks about the growing rates of SQL injection over the past years. There have been many new security advances such as Injection Detection System (IDS). The author also explains that there is no real definition for SQL injection; instead it’s a combination of forms and characteristics that form SQL injection. Microsoft describes it,”…from two aspects as follows: a. Attacks in the form of script injection; b. SQL scrip can be affected by malicious user input”. It is also the act of visiting a page and with direct retrieval obtained from the database. Hackers are able to infiltrate the database, by manipulating the database and then inserting an SQL sentence into applications. The attack can happen on all the different database software SQL language systems. It is easy to learn and implement into systems with little computer knowledge. The most common attack includes the “1=1” statement, this logical statement results in “true”. It is most commonly used to retrieve the usernames and passwords of all the users on the website. It is true that users may mistakenly type those keywords by mistake, that is when IDS steps in by tracking their movements for suspicions. When that same user starts typing other commands, the server is alerted and tracks the users IP with a time stamp of when the infiltrations happened. The main goal of programmers to stop SQL injections is to improve the programming. There are very limited tools to try and stop SQL injection. read more...

SQL Flaw Enables Attack {4}

by Kevin Q
In the article that I read, James Cohen goes over a massive web attack dubbed the “LizaMoon.” The attack was made possible due to an SQL Flaw in which malicious code was injected into the SQL databases that ran many websites. This would then direct users browsers to a new site where a fake antivirus with malicious intent was installed on their machine with no consent. People would then be told they have a virus and prompted to input their credit card information in order to “fix” the problem. Many websites were hit by this attack but it first happened on lizamoon.com, hence the attack was named “LizaMoon.” Numerous sites were effected by this attack, and many people were tricked into surrendering their credit card info. It then goes on to how fake antivirus programs have been a problem to users in the recent years. read more...

SQL Injection, a problem that is avoidable {1}

by Willen L
In this article the author talks about SQL injection and how it’s been around for more than a decade and many companies do not know how to deal with it or not even implementing solutions to fix this widespread problem. SQL injection is a code injection technique that exploits vulnerability in websites software where arbitrary data is inserted in code that is executed by a database thus compromising the database. Hackers can use this information for Identity Fraud, which cost the US 4.7 billion every year. Knowing this, Microsoft has been giving tips for programmers on how to protect against SQL injection since 2005 but it hasn’t made much of a difference. The author states that this problem is going to rise with how fast technology moves and from the amount of people in the world in the future. It’s up to the individual companies IT managers to step in and access their systems to determine if they are vulnerable and to make security improvements to prevent attacks. The author states that if companies take the necessary precautions, they can prevent 87% of attacks. What the scary thing is that generally it takes about 6-8 months for the company to realize that their database has been breached… read more...

Anonymous and Apple {3}

by Penny P
Anyone can be a victim of a hack attack. Apple became victim to an attack by the hacker group known as Anonymous. The attack did not affect customer data, but instead targeted the server that Apple uses to process the data of their technical support follow ups. Results of the attack “revealed 27 internal Apple user names and passwords” (Murphy). Anonymous had posted this information to Pastebin, which is a website where users can store text. The method of the attack on Apple was not announced, but it was suspected that it was due to an SQL injection attack. The Department of Homeland Security had listed this type of attack as the “Web’s most dangerous security vulnerability” (Murphy). Another hacker group, Lulzsec, performed similar SQL injections to companies such as Sony Pictures and PBS. There have been rumors that former members of Lulzsec had joined the Anonymous group. read more...

SQL Injection Defence {4}

by Antonio M
I found this article to be very interesting. The author talked about what a SQL Injection
was and some steps to detect if a query has been subject to a SQL Injection attack and
showed how to defend against such attacks. A SQL Injection can be used to steal, view
or alter data in a database. A SQL Injection statement is always done by using any SQL
keywords and also through the use of a space, single quotes and double dashes. The method
that the author proposed in order to detect a SQL Injection Attack is to use tokanization.
Tokenization is used by detecting for any spaces, single quote or double dashes and all
strings before each symbol is considered a token. Once a token is made they will then be
put into an Array where each token is in a separate index of that Array.  So based on the
users input you will use tokenization to search for spaces, single quote and dashes.
Then you will make two Arrays, one array is how the users input should look like
with out an attempted SQL injection. The Second Array is how the users input will look like
if it has a SQL Injection Attack. Based on these two Arrays you perform a comparison to
see if the arrays have the same amount of index elements in them. If they do not have the
same amount of Index elements in them then the user has performed a SQL Injection Attack. read more...

Online Theft: Made Possible by SQL injection {1}

by Jongwoo Y
In March 2010, Albert Gonzalez and his two Russian co conspirators were sentenced 17 to 25 years in prison. Why? Because they had completed the largest online theft case in history in 2010. Albert and his buddies decided to use SQL injection to hack into the databases of Heartland Payment Systems, a business that credit card companies and vendors use to process sales transactions (Albanesius, 2010). At the time, this was the largest case dealing with identity theft, ever. Victims included 130 million people with their different credit cards, and Gonzalez was able to extract $4 million from the event. SQL injection deals with the SQL language and sending commands to a database and receiving information that should not be allowed to retrieve. The first case of SQL injection that was reported was in 2005, when hackes decided to steal the information from customers at Petco (Albanesius, 2010). SQL injection is a much more riskier form of theft than simple trojans that are sent to user computers. This is because when SQL injection is in use, the risk for getting caught and facing harsh punishment is a much bigger factor than when you send a trojan to one consumer computer. In the article, there are some great tips on how to avoid this type of database breach. 1) Do not accept SQL statements directly. 2) Either use parameterized statements or processing each query to make it safe (Albanesius, 2010). read more...

SQL Poison {2}

by Jasmine C
This article was about how a Microsoft web-based site was attacked with an SQL injection.  An advertising site in the U.K., by the name of Autoweb, was attacked with a SQL injection that left the site extremely vulnerable.  With a single line of code,  about half a million pages were affected, the sites content was overwritten and it was knocked offline. IT staff were able to originate the IP address to China and block them. The good thing for Autoweb was that they did a daily backup, so after they were able to block the IP address, they returned to their clean data.  Autoweb contained both, their web application and their database on the same server and this was a problem because to be able to protect the database, the web application also had to be protected and vice versa.  As a result of this attack, traffic and ranking has decreased but hopefully after some changes Autoweb can regain their status. read more...