Specialized hacks against banks and utilities on the rise

Jul 25, 2006 4:14 PM



An IT services provider has pointed out a dramatic increase in the number of hacker attacks attempted against banks, credit unions and utilities in the past three months using SQL Injection, a type of Web application attack.
"From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day," says Jon Ramsey, chief technical officer for SecureWorks, a managed IT security services provider. "As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day," he adds.
"The majority of the attacks are coming from overseas," Ramsey says. "And although we certainly see a higher volume with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack." A "targeted attack" is a type of attack in which the hacker has targeted a particular organization, as opposed to a worm that spreads indiscriminately.
"Depending on the sophistication of the attacker, the online criminal can potentially gain access to a bank or utility company's key customer databases containing social security numbers, account numbers, credit card numbers, e-mail addresses, etc.," Ramsey says.
SQL Injection is a type of security exploit in which the attacker enters Structured Query Language (SQL) code into a Web form input box; when the application pastes that input directly into a database query instead of treating it as data, the injected code runs against the database, letting the attacker gain access to an organization's resources or make changes to data. Using this technique, hackers can determine the structure and location of key databases and can download the database or compromise the database server.
"What makes this vulnerability so pervasive is that SQL Injection attacks can prey on all types of Web applications -- even those as simple as a monthly loan payment calculator or a 'signup for our customer newsletter' form," Ramsey says.
Ramsey points out that the CardSystems security breach, where hackers stole 263,000 customer credit card numbers and exposed 40 million more, is a prime example of a SQL Injection attack. A more recent example of a SQL Injection attack occurred last December when Russian hackers broke into a Rhode Island government Web site and stole credit card information from individuals who had done business online with state agencies. The Russian hackers claimed to have stolen 53,000 credit card numbers during this attack.
"SQL Injection is successful only when the web application is not sufficiently secured," Ramsey says. "We are advising all organizations to use 'input validation' for any form to ensure that only the type of input that is expected is accepted."
Additionally, it is important to note that protecting against a SQL Injection attack requires organizations to secure not only their Web applications, but also the Web server on which each application runs, the database from which the application retrieves information, and the operating systems on which the Web servers, applications and databases reside.
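The defect the article describes, beside the two defenses it recommends, as an added example that is not part of the original article: a "signup for our customer newsletter" lookup written with string concatenation, the same lookup with a bound parameter, and the allow-list input validation Ramsey advises. The table, rows and form inputs are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the customer database the article describes.
SAMPLE_ROWS = [("alice@example.com", "Alice"), ("bob@example.com", "Bob")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    # The defect: the form value is pasted into the SQL text, so any SQL the
    # visitor types becomes part of the query and runs with the app's privileges.
    sql = "SELECT email, name FROM subscribers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Hardened: the value is bound as a parameter and is never parsed as SQL,
    # so quotes or keywords in it are just characters to compare against.
    sql = "SELECT email, name FROM subscribers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Allow-list validation for an e-mail field: accept only the shape the form
# expects and reject everything else before it reaches the database.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_email(value):
    return EMAIL_RE.fullmatch(value) is not None


def demo():
    conn = make_db()
    # Constructed inputs: one legitimate address, one carrying SQL as the article describes.
    legit = "alice@example.com"
    injected = "x' OR '1'='1"
    return {
        "vulnerable_legit": len(lookup_vulnerable(conn, legit)),
        "vulnerable_injected": len(lookup_vulnerable(conn, injected)),  # whole table exposed
        "parameterized_injected": len(lookup_parameterized(conn, injected)),  # nothing matches
        "validation_blocks_injected": not validate_email(injected),
        "validation_allows_legit": validate_email(legit),
    }


if __name__ == "__main__":
    print(demo())
```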

© 2012 Penton Media Inc.