
Security Experts Warn of Increased SQL Injection Attacks

Shane Pitman on 19 July 2006 - 14:56 · 16 comments & 11640 views

Managed IT security services provider SecureWorks announced Tuesday that they have seen a significant rise in the number of attempted SQL injection hacks aimed at some of its financial and utility company clients over the last three months. “From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day,” said SecureWorks CTO Jon Ramsey. “As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day,” said Ramsey.

“The majority of the attacks are coming from overseas,” said Ramsey. “And although we certainly see a higher volume with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack.” This is a type of attack where the hacker has targeted a particular organization, versus a worm which spreads indiscriminately.

“The CardSystems security breach, where hackers stole 263,000 customer credit card numbers and exposed 40 million more, is a prime example of a SQL Injection attack,” said Ramsey. A more recent example of a SQL Injection attack occurred last December when Russian hackers broke into a Rhode Island government Web site and stole credit card information from individuals who had done business online with state agencies. The Russian hackers claimed to have stolen 53,000 credit card numbers during this attack.

News source: SecureWorks

“SQL Injection is successful only when the web application is not sufficiently secured,” said Ramsey. “Unfortunately, the majority of websites and web applications are not secure. Thus, we are advising all organizations to use ‘input validation’ for any form to ensure that only the type of input that is expected is accepted.”

Additionally, it is important to note that protecting against a SQL Injection attack also requires organizations to not only protect their web applications but also the web server on which the web application is running, the database from which the web application is retrieving information, and the operating systems upon which the web servers, applications and database reside.

“A SQL Injection attack is certainly not a new form of attack or the most sophisticated type of attack; however, as illustrated, it can be quite malicious, so we are advising all organizations with an Internet presence to take their web application security very seriously,” concluded Ramsey.

Comments
#1 madnuke on 19 Jul 2006 - 15:19
Yes I saw this on SANS-ICS today, not looking good at the moment.
#2 Stunna on 19 Jul 2006 - 15:40
So how do these injections work?
How are government sites getting hacked? I thought they were supposed to be some of the most secured sites?
I wonder how credit card companies are handling this.
#2.1 clonk on 19 Jul 2006 - 16:10
This will give you a good overview on how SQL injection is done.

http://en.wikipedia.org/wiki/Sql_injection
#2.2 lbmouse on 19 Jul 2006 - 17:16
Here are a couple of sites that will take you through a "walk through" of injection attacks for beginners:
http://www.unixwiz.net/techtips/sql-injection.html
http://www.securiteam.com/securityreviews/5DP0N1P76E.html

In my opinion, there are only two reasons why injection attacks are even a concern: lack of knowledge and laziness. If I catch any of my guys sending a user entered value to the database w/o at least some validation and cleansing, they are gone.
#3 neufuse on 19 Jul 2006 - 15:50
Well, it's a good thing all .NET websites based on ASP.NET version 1.1 and newer are automatically protected against some types of injection attacks... they automatically reject any code, at least all cross-site scripting attacks and a lot of SQL injection ones (but not all, depends on how they formatted the text), but it's better than nothing.
#3.1 mrbester on 20 Jul 2006 - 09:21
Really? I think I'll stick with something I do rather than relying on an "automatic" protection, even if what I do is specifically call the protection (like in PHP)
#4 Magallanes on 19 Jul 2006 - 17:35
If characters entered by the users are not in (A-Z, a-z, 0-9, space, comma, point) then replace this character by a "_" or reject this entry.

Even a non-pro webpage can put a single protection against SQL injection. I don't believe that a security webpage will forget to do it. IMHO security breaches are in 99.9% of cases an internal affair.

#4.1 mrbester on 20 Jul 2006 - 09:14
And what about the valid apostrophe character? That's the easiest injection attack vector, but people insist on names like O'Brien which need to be stored. Simply using [^A-Z0-9s,.] leaves out loads of useful characters (how about a colon?)
#5 thunderbird_117 on 19 Jul 2006 - 17:55
SQL injection is the easiest way to attack. It is the most frequently used attack worldwide.
#6 p1p3 on 19 Jul 2006 - 18:11
If you don’t protect yourself against something as simple as a SQL injection attack then you have no business programming webpages and deserve to get hacked. Maybe you will learn until next time...
Always assume user input contains errors or is malicious and always check it, ALWAYS!
#7 chconline on 19 Jul 2006 - 18:48
alright everyone, let's move back to plain old HTML.
#7.1 Colin-uk on 19 Jul 2006 - 21:19
Even better, let's use pen and paper.

Although then I guess you are vulnerable to cut and paste attacks, but you can usually tell by the big blobs of PVA around the sides.

#8 mkennedy150 on 19 Jul 2006 - 21:42
My gaming site has been hit twice by a Turkish hacking group called the cyber-warriors; their official website is at www.cyberwarrior.org... both times by SQL injections.
#8.1 Stunna on 19 Jul 2006 - 22:15
LOL at them having their own website.
Do most hacker groups have webpages?

Does anyone know how I can read this website using some type of online language converter?
#9 carlskov on 20 Jul 2006 - 11:15
It's so easy to avoid SQL injections... But I've known a lot of programmers who were very talented, but who had never heard of SQL injection.

If you're creating your SQL statement manually, just remember to replace single apostrophe ( ' ) with two of them...

i.e. VBScript's Replace() function: strValue = Replace(strValue, "'", "''")

If the field is supposed to be numeric, then check that the value is in fact numeric.
#9.1 mrbester on 20 Jul 2006 - 13:38
I'll see your "replace quotes" and raise you a "send in an escaped quote" (quite a few databases support this):
For MySQL, send in <backslash>'; DROP TABLE users; --
Replace() returns <backslash>''; DROP TABLE users; --
SQL becomes "... WHERE field='<backslash>''; DROP TABLE users --'"

or you could try a Unicode or other encoding...

Edit: backslashes were removed by the comment system
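The thread above (comments #4, #4.1, #9 and #9.1) argues about quote-doubling, character allowlists and the apostrophe in names like O'Brien, and the article itself only says "use input validation". The following is an added example, not code from the article or from any of the commenters, showing the quote-doubling approach beside a parameterized query and an allowlist validator that still admits the apostrophe. It assumes Python's built-in sqlite3 module and a constructed in-memory users table; the payload string is the one quoted in comment #9.1.

```python
import re
import sqlite3

# Constructed sample data (not from the article): one customer whose
# name contains an apostrophe, the case raised in comment #4.1.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("O'Brien",), ("Smith",)])
    conn.commit()
    return conn

def lookup_quote_doubling(conn, name):
    """The Replace("'", "''") approach from comment #9: SQL is still built by
    string concatenation. It holds up in SQLite only because SQLite has no
    backslash escape; comment #9.1 shows why it fails on dialects that do."""
    sql = "SELECT id, name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    """Hardened form: the value travels separately from the query text, so the
    database never parses user input as SQL, whatever characters it contains."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

# Allowlist in the spirit of the article's advice, widened (per #4.1) to admit
# the apostrophe, space, period, comma and hyphen so real names pass.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' .,-]{0,63}")

def validate_name(raw):
    """Reject input outside the allowed set. This narrows what reaches the
    query; it is a second layer, not a substitute for parameterization."""
    if not NAME_RE.fullmatch(raw):
        raise ValueError("name contains characters outside the allowed set")
    return raw

def validate_numeric_id(raw):
    """Numeric-field check from comment #9: accept only a plain integer."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("id must be numeric")
    return int(raw)

def table_exists(conn, table):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (table,)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = setup_db()
    print(lookup_parameterized(db, "O'Brien"))   # the apostrophe is just data
    print(lookup_parameterized(db, "'; DROP TABLE users; --"))  # [] : no match
    print(table_exists(db, "users"))             # True: the payload ran as a value
```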
