[ISN] Royal Navy Attack Stresses SQL Injection Dangers

From: InfoSec News <alerts_at_private>
Date: Mon, 22 Nov 2010 01:34:58 -0600 (CST)

By Ericka Chickowski
Contributing Writer
Nov 19, 2010

The danger of SQL injection last week hit the limelight once again when 
the British Royal Navy's website was shut down temporarily in response 
to an attack that had Royal Navy brass wondering whether the hack 
resulted in unauthorized access to sensitive back-end database files.

Following investigation, the Royal Navy released a statement that "no 
malicious damage had been done" and that "access to this website did not 
give the hacker access to any classified information." But the attack 
was a splashy highlight of the dangers of SQL injection, which, 
according to the recently released Verizon Business 2010 Payment Card 
Industry Compliance Report, is the No. 2 most utilized threat action 
causing payment card breaches, just behind backdoors.

In a report released by Cisco this week, the firm said SQL injections 
made up 36.86 percent of all events recorded by Cisco Remote Operations 
Services. "SQL injection is not caused by a vulnerability per se, but 
rather is due to the website [or] database administrator's failure to 
parameterize or properly escape characters and strings in SQL queries," 
says Mary Landesman, market intelligence manager at Cisco. "This allows 
attackers to submit a query that is acted upon as if it were an actual 
command to take some particular action against the database, rather than 
the expected query to just return the data intended."
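
The difference Landesman describes, as an added example that is not part of the original article: the same lookup built by string concatenation and with a bound parameter, run against an in-memory SQLite table. The table, column and function names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE crew (name TEXT, rank TEXT)")
    db.executemany(
        "INSERT INTO crew VALUES (?, ?)",
        [("Hale", "Captain"), ("O'Brien", "Chief"), ("Reyes", "Ensign")],
    )
    return db

def lookup_concatenated(db, name):
    """Unsafe: the input is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT name, rank FROM crew WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    """Safe: the input is bound as a value and never reaches the SQL parser."""
    return db.execute(
        "SELECT name, rank FROM crew WHERE name = ?", (name,)
    ).fetchall()

def compare(db, name):
    """Run both lookups; report an SQL error from the unsafe one as a string."""
    try:
        unsafe = lookup_concatenated(db, name)
    except sqlite3.Error as exc:
        unsafe = "error: %s" % exc
    return unsafe, lookup_parameterized(db, name)

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a plain name, a legitimate name containing a
    # quote, and a value whose quote changes the WHERE clause.
    for value in ["Hale", "O'Brien", "nobody' OR '1'='1"]:
        unsafe, safe = compare(db, value)
        print(repr(value))
        print("  concatenated :", unsafe)
        print("  parameterized:", safe)
```

The concatenated form fails on a legitimate name with an apostrophe and returns every row for the third input, while the bound parameter treats all three inputs as plain data.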

According to Jeromie Jackson, president of the San Diego OWASP chapter 
and a security trainer for developers, SQL injection attacks pose a big 
danger to back-end databases when combined with other simple attacks. 


Received on Sun Nov 21 2010 - 23:34:58 PST
