« Los Alamos a Data Loss Leader | Main | Huge Costs for TJX Data Breach »

According to Errata Security, the United Nations website was recently hacked using a simple SQL injection bug. And while this vulnerability might seem surprising for a site as well known as the UN, numerous sites all over the internet have proven exceedingly vulnerable to an SQL injection attack.

The SQL injection is easy to pull off because, where most systems separate code and data, SQL combines them, so all a hacker has to do is combine some of his own code with the data he sends to a website to gain control of it. The code usually starts with a single quote (‘), which, with SQL, represents the separation between code and data, and SQL assumes that whatever follows the single quote is code it needs to run.

To uncover vulnerable websites, all a hacker has to do is type the single quote into a websites' URL or data field. A vulnerable website will then respond with an SQL error message. To speed up the search for vulnerable websites, hackers can quickly search for websites open to this hack.

So how do you prevent an SQL vulnerability? One way is to avoid using dynamically generated SOL in your code, which you do by using parameterized queries and stored procedures. The other way to avoid an SQL injection attack is by giving away as little information as possible when an error does occur.

Like the guy who puts on tennis shoes to avoid a bear attack -- not to outrun the bear, but to outrun the people’s he’s with, taking simple steps to secure the data on your website, and, with so many vulnerable websites still on the internet, hackers will still have plenty of other easy internet pickings to feed on.

Posted by pschooff in Better Protection |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/2229