Comodo Brazil Breach Reminds Admins To Guard Against SQL Injection
By Taylor Gillespie
Expert Author
Article Date: 2011-05-27
Back in March 2011, Comodo's Italian reseller of trusted, authorized security certificates was compromised through a simple SQL injection attack. The revelation that such a visible figure in online security could be breached this way prompted SQL injection attempts against other Comodo resellers around the world. The latest to fall victim was Comodo Brazil. Both attacks involved sqlmap, a Python security auditing script, and similar injection points can be found by searching Google for script file types and generic parameter names. A simple attack on a significant authority should give database administrators more to consider when securing their servers.
These attacks were allegedly performed by an Iranian who disclaims any political motivation and says he only wanted to test the security of "trusted" authorities. In the course of the breach, the attacker also issued signed certificates for major sites such as Google, Yahoo, and Mozilla. Several Comodo resellers have apparently been hit this year, and while they are high-profile targets, small to mid-sized sites have just as much to worry about: searching the Internet for script file types and common parameter names that map to ID columns in SQL tables exposes any site to attempted attacks, not only the well-known ones.
A serious breach that exposes private data can ruin the reputation of any company, so SQL injection, even though it is a fairly ancient attack vector, should always be at the forefront for systems administrators and developers alike. Consider using a SQL injection scanner that can audit public-facing interfaces to relational databases. Automated testing helps assure that a site is well protected. By using SQL injection auditing tools to identify and patch holes, you turn the attackers' own tools, the ones they use to probe your defenses and invade your systems, against them.
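The following is an added example, not code from the article, from Comodo, or from any of its resellers. It uses Python's sqlite3 module with a constructed in-memory customers table to show the pattern sqlmap hunts for (a request parameter concatenated into a query and the resulting full-table dump), the parameterized version of the same lookup, and a minimal boolean-based probe of the kind automated auditing tools run against both. The table, column and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not from any real reseller):
# an in-memory table standing in for a certificate reseller's customer list.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "ssl-basic"),
    (2, "bob@example.com", "ssl-wildcard"),
    (3, "carol@example.com", "ssl-ev"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (id, email, plan) VALUES (?, ?, ?)", SAMPLE_CUSTOMERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern scanners hunt for: a request parameter such as ?id=2
    pasted straight into the SQL text, so the caller controls the query."""
    sql = "SELECT id, email, plan FROM customers WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id):
    """Same lookup with input validation plus a bound parameter. The value is
    handed to the driver separately from the SQL, so it is never parsed as SQL."""
    try:
        wanted = int(user_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not an integer id
    return conn.execute(
        "SELECT id, email, plan FROM customers WHERE id = ?", (wanted,)
    ).fetchall()


def probe_boolean_injection(lookup, conn, base="2"):
    """Minimal boolean-based check of the kind automated auditing tools run.

    Append a condition that is always true and one that is always false to a
    known-good parameter value. If the true case matches the baseline while the
    false case differs, the parameter is being evaluated as SQL. A hardened
    endpoint either rejects the tampered value or treats it literally, so the
    tautology has no effect either way and the probe reports False."""
    baseline = lookup(conn, base)
    true_case = lookup(conn, base + " AND 1=1")
    false_case = lookup(conn, base + " AND 1=2")
    return true_case == baseline and false_case != baseline


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=2        :", lookup_vulnerable(db, "2"))
    print("vulnerable, id=0 OR 1=1 :", lookup_vulnerable(db, "0 OR 1=1"))
    print("hardened,   id=0 OR 1=1 :", lookup_hardened(db, "0 OR 1=1"))
    print("probe on vulnerable     :", probe_boolean_injection(lookup_vulnerable, db))
    print("probe on hardened       :", probe_boolean_injection(lookup_hardened, db))
```

Run it and the vulnerable lookup returns every customer row for the value "0 OR 1=1", which is exactly the kind of dump reported in the reseller breaches, while the hardened lookup returns nothing for the same input and the probe can no longer tell a true condition from a false one. The same three-request comparison is what an auditing tool automates across every parameter of every script it finds, which is why running one against your own site first is worthwhile.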
About the Author:
Taylor is a Staff Writer for WebProNews