SQL injection

Occupy SQL: We are the 97%

by Brian T
Most everyone at this point is familiar with groups like Anonymous and the league of imitators that try and prove their worth by exploiting websites and penetrating systems. While these actions have garnered respect and impressed feelings from some online communities, a study cited by Barclays’ lead payment security officer Neira Jones concludes that approximately 97% of data compromising cyber assaults globally are the result of SQL injections. The piece mentions that although the attack method has been in practice for over a decade, its actual usage is simply not acknowledged by website/database programmers – meaning that basic steps to prevent such injections are never implemented.

Hackers use SQL Injection to ‘inject’ $4 million into their bank accounts

by Evin C
SQL has many uses, and apparently some of them aren’t so legal. This article reports on one of the biggest cases of online identity thefts in U.S. history. Three men were sent to prison for 17 to 25 years for hacking into Heartland Payment Systems, a business used to process sales by credit card companies and certain vendors. This was not the only business to be hit and the result was 130 million credit-card numbers being stolen and a profit of up to $4 million for the hackers themselves. The article reported that the hackers “used a method called SQL injection to carry out the deeds.”

The Effects of SQL Injection in Today’s Economy

by Jongwoo Y
Due to recent public outcries, hackers have been using SQL injection in order to hack into company databases. Sony, a leading electronics company based in Japan, has been targeted many times due to an unpopular approach that the company had been taking in their use of the judicial system against some of their own customers. By the use of SQL injection, these hackers from groups such as LulzSec and Anonymous have been able to steal the information of over 77 million users of the PlayStation Network, a popular gaming community created by Sony for online gaming on their video game consoles (Finkle & Baker, 2011). This caused Sony to take tremendous losses in both their customer base and revenues from their PlayStation Network due to the fact that Sony was forced to close their online service for over a month. Information that was stolen from Sony’s PSN Database includes customer names, credit card information, addresses, and birth dates (Finkle & Baker, 2011). However, the attacks are not over yet as Sony has experienced multiple attacks on their other services as well, including their music store websites based in Japan and in Europe as well (Rashid, 2011).

SQL Injection Technique

by Dean H
Summary:

This article presents some of the most common methods of hacking a website. I have condensed this article review to SQL injection only.

SQL Injection (previously mentioned during the lecture): Enter SQL code into web forms, login fields, address fields, or anywhere that enables the users to interact with the database. The concept is that user input is normally checked by the system by matching the table/row data, to either grant or deny access. Here is an example...

Another Website Hacked

by Joey L
LG’s Australian website was hacked and defaced recently. The hacker team, calling itself “Intra”, defaced LG’s homepage with a message:

“It seems as though your website has been hacked. How did we get past your security? ……. What security? ;).”

The breach has been archived by Zone-H.com, which is a database of defaced websites. Most of the time, website defacements are limited to simple vandalism, but it is difficult to tell how deep the hackers have hacked into the database. In LG’s case, the attacker had compromised the web server hosting LG’s site; the website home page has been replaced completely. This is considered a deeper hack since hackers are accessing the web server itself rather than a common SQL injection, which exploits a hole in the web application. Usually whenever a website has been hacked via SQL injection or Stored Cross Site Scripting, you would still see the malicious code embedded in the HTML code. LG has suspended the site until the incident has been fully investigated.

3 cc’s of SQL Injections Can Kill You

by James C
Summary:

According to Joseph Menn, the threat of weaknesses in cybersecurity has become a threat that is constantly growing. Despite growing concerns, large companies are still not allocating enough funding to meet the demands that are being experienced. Despite talks of battling cybercrime, companies have expressed an underlying sentiment of hopelessness in fighting what has been conceived as an uphill battle. The attacks that are being performed are not from seasoned attackers but rather younger criminals that use scanning tools to probe and exploit the vulnerabilities of a company’s system. The second most used technique used by these attackers, and one that cost Sony $170 million, was a SQL injection attack. This type of attack is preventable at a minimal cost, and requires as little skill to perform as a denial-of-service attack.