SQL Injections Resulted In Rise In Data Breaches During 2009
7Safe a security consulting company in Britain along with the University of Bedfordshire has brought out a paper titled "UK Security Breach Investigations Report 2010." This paper analyzes the latest data breaches to understand how computer security fares across the UK.
Specifically, the research emphasizes that in 40% of the total incidences of computer attacks, SQL injection was used to compromise data. Another 20% used SQL injection in combination with malicious software.
The study further finds that many computers (60%) have a common problem of SQL injection flaw resulting in data compromise. An SQL injection attack is one that involves the insertion of malicious code into strings of data, which are in course of time transmitted to an SQL server to be parsed and executed. This lets hackers seize people's private information that may be used to commit identity theft.
Furthermore, the report notes that the attacks occurred from outside sources in 80% of the instances. In addition, they exploited vulnerabilities inflicting Web interfaces, within 86% of the total incidences when most of the attacked organizations operated within an environment of common hosting.
Indeed, the "Global Security Report for 2010" of Trustwave presents similar observations pertaining to SQL injection attacks executed to gain illegal access to credit or debit card information. Interestingly, the company indicates in its report that with the help of their analysis they found that a third-party managed the hijacked PC within 81% of the total incidences, while in the case of 13% of all incidences, the user himself managed the compromised computer.
Finally, Verizon in its "2009 Anatomy of a Data Breach Report" finds that SQL injections and malware were the prime reasons for data breaches during 2009. Also, they were accountable for the greatest volume of exposed data during the same year. Clearly, this combined attack tactics has astonishingly proved successful against organizations that are legally mandated to maintain their infrastructures properly secured.
To end, there have been developments in SQL injections both in terms of sophistication and purpose, thus requiring organizations to always keep their websites patched so that they don't become victims of these malevolent assaults.
Related article: SoCal Computer Hack Traces to Watsonville
» SPAMfighter News - 16-02-2010