SQL Injection Attacks Against Banks on the Rise

forkb0mb.org

Calendar

Back May '13
Mon Tue Wed Thu Fri Sat Sun
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    

Quicksearch

Categories


All categories

Archives

Blog Administration

Open login screen

SQL Injection Attacks Against Banks on the Rise

Wednesday, July 19. 2006

SQL Injection Attacks Against Banks on the Rise

SecureWorks announced that it has seen a dramatic increase in the number of hacker attacks attempted against its banking, credit union and utility clients in the past three months using SQL Injection. "From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day," said SecureWorks CTO Jon Ramsey. "As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day," said Ramsey.

/*
The fact that SQL injections are on the rise is not surprising. The fact that money now drives a large percent of malicious activity would only further this argument. Banks and on-line commerce sites are always targets, especially since they are almost always database-driven, and there's money to be made from the data involved. What is surprising is the number. Staggering, in fact.
*/

"Depending on the sophistication of the attacker, the online criminal can potentially gain access to a bank or utility company's key customer databases containing social security numbers, account numbers, credit card numbers, email addresses, etc," continued Ramsey

/*
All of which are very valuable to identity thieves, hostile foreign governments, and spammers.
*/

"SQL Injection is successful only when the web application is not sufficiently secured," said Ramsey. "Unfortunately, the majority of websites and web applications are not secure. Thus, we are advising all organizations to use 'input validation' for any form to ensure that only the type of input that is expected is accepted."

/*
Of course. When will people learn to start scrubbing their user-supplied data? I'm not talking about client-side JavaScript form validation, either. This has to be done both at the client side and at the server side. How many applications are out there that include($form['function'].".php")?

Securing these applications is not difficult. You must take the same approach to application security that you do with firewalls. Allow only what is specifically wanted, and deny everything else. mod_security makes this a piece of cake.

InfoWorld is carrying a more detailed version of this story as well.
*/
Posted by TJE in Exploits, SQL Injection, Vulnerabilities at 17:50 | Comments (0) | Trackbacks (0)

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

No comments

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA