Data Strategy

Databases vulnerable to SQL injections

Published: Oct 2008

SQL injections by hackers, fraudsters and criminals have grown by hundreds of per cent in the past 12 months. According to data security solutions vendor Imperva, the number of attempts and the number of successes have risen dramatically, not least through the use of fully automated SQL tools that use Google to search for potential injection points and vulnerabilities.

"If the access point is connected to a database, the hacker has control of both the database and the data," Mark Kraynak, vice president, global marketing at Imperva, told Data Strategy. Direct database SQL injections have seen a marked rise in early 2008 as hackers look to establish privileges, rather than exploit vulnerabilities.

"Most people think about SQL injections in relation to Web applications, but that is not the only way a hacker might be able to take control," warns Kraynak. Legitimate SQL injections, such as stored procedures that call on a database, can be hijacked and then used to extract identity or credit card data or to create fake accounts.

But Kraynak says the problem is not easy to deal with. "Ultimately, the root cause is allowing SQL injections in poorly-coded Web applications or stored procedures. Fixing that code is very difficult and ultimately impossible," he says.

Organisations may not have access to the source code or may lack the programming resources to fix it. Even more of a problem is that the vulnerability exploited by hackers is the same process required by the business. "Companies have identified that they have got exposure to attack, but they can't turn it off because they are doing business online," he says.
