2012 and security attacks are already well underway

January 8th, 2012 by Stephen Jones Leave a reply »

News of an AntiSec hack of law enforcement associations on both coastsof the USA  earlier this week showed that while it might be a new year, we can pretty much expect lots of the same with respect to database security in 2012. AntiSec went after the email systems for New York State police chiefs and the website for the California Statewide Law Enforcement Association (CSLEA). The hacktivist group publicly dumped loads of stolen database information from both attacks on New Year’s Eve.

The same insecure configurations. The same cleartext storage of passwords and sensitive information in unprotected databases. The same abysmal access control and password management practices. And, of course, the same embarrassing attacks until organizations change the way they approach the basics of database security.

Care2, a website that promotes a variety of political causes and encourages users to take action to support them, reported a hack at the end of the year.

Meanwhile another SQL injection campaign is literally going viral, with maybe 1 million URLs  infected – The attackers compromise sites via SQL injection, and it appears to have hit sites worldwide, with the most infections in The Netherlands “NL” domain, with 123,000, and includes some .com and .org sites

Cisco has seen around 650 unique domains hit since lilupophilupop attack first showed up at the end of November.

Mass SQL injection attacks are nothing new. A  recent one, Lizamoon, hit some 500,000 URLs with redirects that push rogue AV software, but was quickly shut down in November 2011


Leave a Reply

You must be logged in to post a comment.