UPDATED 06:31 EST / JULY 18 2012

NEWS

SQL Injection Attacks Are Still the Favorite Tool of Hackers

Undoubtedly, SQL injection is the favorite tool of hackers, and this is quite evident from some recent incidents. Before discussing those incidents in details, let’s dig deeper on the ‘Why’ part. SQL injection is mostly used to attack database, a resting place that is hardly monitored. Most businesses do not pay attention to database security, access these once a year, and keep crucial information in plain notepad files. This makes the task of hackers easier, hence making the SQL injection their favorite tool. After all, they don’t have to put too much efforts to extract information.

Coming back to the incidents related to SQL injection, the most recent was the Yahoo Voice breach that exposed over 400K passwords. According to a TrustedSec report, the hackers used an SQL Injection attack to extract the sensitive information from the database. They posted the data in the hacker site D33D Company, made login credentials viewable by the public. And the worst part is that the posted data revealed that the passwords were unencrypted, something not expected from a big company like Yahoo. Even hackers called the incident as a ‘wake-up’ call for Yahoo.

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the hackers said in a comment at the bottom of the data. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

Yahoo is not the alone victim of the data breach caused due to SQL injection. Another prominent example is of LinkedIn, the professional networking site that suffered a lawsuit from one of its premium members, who claimed that the company failed to safeguard its users’ digitally stored personally identifiable information including email addresses, passwords, and login credentials. The lawsuit filed by Katie Szpyrka, a premium LinkedIn user, pointed out that the hacker used SQL injection attacks to gain access to databases.

Not only had the companies in the Silicon Valley, but some of the governmental departments also fallen prey of hackers. These include NASA, the U.S. Air Force, the French Ministry of Defense, the European Space Agency, the Bahrain Ministry of Defense, the Thai Royal Navy, and Harvard University’s School of Public Health. Last but not the least, how can we forget the serial hacker attacks on the Sony network that took place last year.

The one thing worth noticing in all these incidents is the clear warning given by the hackers, raising questions on the security level of the databases. Hackers owned Sony and PlayStation network by a very simple SQL injection, and the same happened with NASA and U.S. government departments. Yahoo incident is just another alarm for organizations to think and seriously do something to protect themselves and their customers from the privacy breach. Maybe, it’s time to rethink about the security measures they are using. Maybe? Certainly!!


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU