Security Experts Must Be More Vigilant In The Wake Of Widespread SQL Injection Attacks

Petaling Jaya, Selangor Malaysia (PressExposure) April 25, 2011 -- SQL infection attack is not new infection mechanism. Since the last couple of years there have been a colossal of SQL injection attacks against Microsoft based web sites. The infection only started with only a few ten thousand websites and now it has exploded to potentially over 1 million websites.

"Web applications are one of the most outward facing components a corporation could have, and one of the least protected," she says. "And SQL injection is the fastest-growing category of attacks affecting Web applications,"says Holly Stewart, IBM ISS threat response manager,

One of the most recent SQL injection attack is on a website of web application security provider, Barracuda Networks The attack has exposed sensitive data concerning the company's partners and employee login credentials, according to an anonymous post.

The data that was exposed was purported to be names, email addresses and phone numbers for Barracuda partners from organizations including Fitchburg State University in Massachusetts and the UK's Hartlepool College of Further Education The spilled contents also included what appeared to be the email addresses and hashed passwords of Barracuda employees authorized to log in to the company's content management system. SQL injections are the most common form of web-based attack and have been used as the starting point for an untold number of breaches.

Stewart also stated that SQL infections take advantage of security flaws in cool website features, such as online-delivered video, music, photos, documents and work files.

Recently, according to security researchers from Websense, a new mass injection attack has infected over 28,000 pages and even made its way to iTunes. A SQL injection techniques was used to insert a rogue script element. Users who land on one of the compromised pages get redirected through several domains and finally land on a scareware site. The attack is Dubbed LizaMoon, after the domain hosting the malicious code.

These sites mimic antivirus scans and tell visitors their computers are infected with malware in an attempt to convince them to download fake security programs. The programs display even more false warnings and ask users to pay for a license in order to clean their machines.

Patrik Runald, senior manager for security research at Websense said "The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer".

Hackers have also compromised the database of MySQL.com, as well as the French, German, Italian, Japenese and other localized versions of the website, by exploiting an SQL injection vulnerability. The incident proves just how common these vulnerabilities are.

The best ways to curb SQL injections are to tighten up security. Information security professionals need to continuously push their knowledge level to be able to defend their organization's information security architecture.

One of the best ways to increase the skills proficiencies among IT professionals is by participating in IT security conferences. Quality conferences provide information security professionals the opportunity to be exposed to the latest technologies, methodologies and solutions used to combat cybersecurity threats, and also understand best practices of various countermeasures. Hacker Halted is one such platform. It is a technical information security conference organized by EC-Council for information security professionals globally seeking to improve their knowledge on various aspects of information Security.

At this hacker conference, they will be able to hear and listen from some of the best subject matter experts, participate in discussions and will also have the opportunity to learn about the latest technologies and best solutions that are being showcased. Unlike some other IT security conference, Hacker Halted focuses on the global information security landscape as well as topics revolving around compliance and regulatory issues.

About ec council

EC-Council is the organizer of world renowned Hacker Halted IT security conference [http://www.hackerhalted.com/2011/Conference/tabid/330/Default.aspx] series. This year's hacker conference will be held in Miami, US. Hacker Halted is considered as one of the world's largest information security conference [http://www.hackerhalted.com/2011].

Press Release Source: http://PressExposure.com/PR/ec_council.html

Press Release Submitted On: April 25, 2011 at 11:09 am
This article has been viewed 9856 time(s).