Alex Rothacker

What the Sony PlayStation Network Attack Can Teach Us About Database Security

By Alex Rothacker

Sony’s PlayStation Network was breached between April 17 and April 19 and was taken offline by Sony on April 20. At the time of this writing, the service is still not available and it might not be available until the end of May. Much speculation has ensued on what has actually happened, and the information released by Sony does not always match up with what is published elsewhere in print or on the Internet. What is clear is that more than 70 million user records have been stolen.

Lessons Learned From the LizaMoon SQL Injection Attack

By Alex Rothacker

Last week, a large-scale SQL Injection attack dubbed LizaMoon, referencing one of the domain names used in the attack, surfaced. This attack targets websites by injecting code that redirects visitors to a rogue anti-virus (AV) site. On the AV site, visitors are presented with fake antivirus screens and popups; they are prompted to download fake software that will run a scan of the computer and ask the user to pay for a license to remove the alleged infection it found.

The Oracle Quarterly Patch Update

By Alex Rothacker

January 18th marks the 6th anniversary of the Oracle Critical Patch Update (CPU) in its current form as a quarterly patch. For those who remember, before the CPU, Oracle released patches as Security Alerts, the last being Security Alert 68 at the end of August 2004.

By Alex Rothacker

Denial of Service (DoS) attacks are a common method used to take down websites, servers, or even sections of the Internet. These attacks typically come in two forms: Distributed DoS (DDoS) and DoS attacks. DDoS attacks create a flood of traffic to a website, server, or section of the Internet that overwhelms it to a degree that it cannot function and eventually shuts down. A regular DoS attack exploits a vulnerability in a web server, database server, etc. to crash the server.

By Alex Rothacker

Since 2008, higher education institutions have experienced a staggering 158 data breaches resulting in over 2.3 million reported records compromised. In 2009 alone there were 57 reported data breaches, and year to date through July of 2010, there have already been 32 breaches.

By Alex Rothacker

In our last column, we focused on privilege escalation attacks, and the impact that this category of SQL injection attacks can have on the database – particularly where specific database vulnerabilities exist, and can be exploited through the manipulation of privileges. Let’s look more deeply at how organizations struggle with the issue of extensive privileges assigned directly to users – or indirectly through user groups. We’ll address what can happen when database users are over-credentialed, and what should be done to ensure you are aware of all activity that is occurring in your environment.

By Alex Rothacker

Privilege escalation attacks consist of exploiting a bug or design flaw in a software application to gain access to resources which normally are protected from an application or user. The result is that the application allows actions with privileges beyond an acceptable level for the specific user.

By Alex Rothacker

SQL injection is the most common penetration technique employed by hackers to steal valuable information from corporate databases. Yet, as widespread as this method of attack is, a seemingly infinite number of ‘sub-methods,’ or variations of SQL Injection attacks, can be carried out against the database.

Guest editorial by Alex Rothacker

Most users are aware of the risks connected to the default, blank and weak username/password combinations associated with most applications. Yet it amazes the research community that many companies still don’t heed the following simple advice: 1) Don’t use easily guessed passwords. 2) Change the default credentials that ship with your apps, and 3) Please do not just leave the passwords blank!