SoylentNews is people
SoylentNews
One of the hackers suspected of being behind the TalkTalk breach, which led to the personal details of at least 150,000 people being stolen, used a vulnerability discovered two years before he was even born.
That method of attack was SQL injection (SQLi), where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It's been used to steal the personal details of World Health Organization employees, grab data from the Wall Street Journal, and hit the sites of US federal agencies.
"It's the most easy way to hack," the pseudonymous hacker w0rm, who was responsible for the Wall Street Journal hack, told Motherboard. The attack took only a "few hours."
But, for all its simplicity, as well as its effectiveness at siphoning the digital innards of corporations and governments alike, SQLi is relatively easy to defend against.
(Score: 5, Insightful) by stormreaver on Saturday November 28 2015, @01:11AM
Shema from Yahoo! echoed this, and said that “Sometimes small apps with a narrow feature set just need to be written quickly,” meaning that the developers might bypass some of the mitigations for each attacks, despite them being relatively straight forward to implement.
This is another case where such developers need to be fired and replaced with someone competent. The small projects are, by far, the easiest to secure against SQL Injection. There are far fewer queries than in larger projects. Seconded by prepared statements being one's reflexive query implementation, and these projects become SQLi-proof automatically.
(Score: 0) by Anonymous Coward on Saturday November 28 2015, @06:17AM
I strongly agree. Maybe Yahoo are hiring too many cowboys?
In my experience with my small projects there's a lot less code full of exploitable SQL injection vulnerabilities. Especially since those projects are new and I'm involved. How many old _small_ projects are there anyway where you can't easily rip out the old crap? There are DB libs that make it easier to do the right thing. And if they don't, I write my own. What's so hard about import mydblib and then suddenly be able to _easily_ do prepared statements and bind parameters?
In contrast so far when I had to take over large code bases, there have been plenty of vulnerabilities (SQL escaping, HTML escaping). And due to resource and time constraints I had to fix exploitable stuff in less optimal ways - e.g only allowing whitelisted characters. There's no time to rewrite hundreds of lines of code to use prepared queries and bind parameters. While it is easy to use prepared statements and bind params with the right libs, that usually only works for stuff written in a certain way, when it's not written in that way, it's often easier just to strip all characters except the safe ones from the inputs. Sure you lose support for "international" characters, but do you want the SQL injection vulnerabilities removed ASAP or do you want to wait till everything is done more properly?