
Friday, 2 August 2013

SQL flaws remain an Achilles heel for IT security groups

Computerworld - Indictments filed against five persons charged in a massive international hacking scheme indicate that SQL injection vulnerabilities continue to be a huge security Achilles heel for large IT operations.

The residents of Russia and Ukraine were indicted Thursday in connection with the theft of more than 160 million credit card numbers and other financial data from a virtual Who's Who of big business, including NASDAQ, JCP, Carrefour, Discover Bank, Hannaford, Heartland and Dow Jones.

The indictments allege that the victims lost some $300 million over a seven-year period between 2005 and 2012.

In a statement, Paul Fishman, U.S. Attorney for the District of New Jersey described the attacks as "cutting edge" and called the work a threat to the U.S. economy and national security.

The indictment also suggests that the hackers, in most cases, did not employ particularly sophisticated methods to gain initial entry into the corporate networks. The papers show that in most cases, the breach was made via SQL injection flaws -- a threat that has been thoroughly documented and understood for well over a decade.

The NASDAQ network, for instance, was initially attacked via a SQL injection vulnerability on an online password reminder page. The flaw let hackers access the network without authorization to get a foothold that eventually let them gain full administrative control.

Similarly, initial unauthorized access to corporate networks at Heartland, JC Penney, Wet Seal, Visa Jordan and Diners Singapore came as a result of SQL coding errors. In each instance, the attackers rapidly escalated their privileges on the network to install malware and backdoors for stealing credit card and other data.

Via SQL injection attacks, hackers take advantage of poorly coded Web application software to install malicious code in a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate data entered by a user -- such as when ordering something online or when resetting a password.

An attacker can take advantage of input validation errors to send malformed SQL queries to the underlying database, which lets them break into it, plant malicious code and/or access other systems on the network.

SQL injection flaws are relatively simple to fix, once found. The challenge for IT personnel is knowing where to look for them. There are hundreds of places in large Web applications where users can input data, each of which can provide a SQL injection opportunity.
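As an added illustration of the input-validation failure the article describes, and of how simple the fix is once the spot is found, here is a password-reminder lookup written two ways. This is example code, not code from the article or from any of the companies named; the users table and both inputs are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data: a minimal users table behind a password-reminder page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, hint TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "favourite colour"), ("bob@example.com", "first pet")],
    )
    conn.commit()
    return conn


def reminder_vulnerable(conn, email):
    # The flaw: the query is assembled by string concatenation, so whatever the
    # user typed is parsed as part of the SQL statement itself.
    sql = "SELECT email, hint FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def reminder_safe(conn, email):
    # The fix: a parameterized query. The driver sends the value separately from
    # the SQL text, so the input can never change the statement's structure.
    sql = "SELECT email, hint FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    conn = make_db()
    honest = "alice@example.com"
    # Constructed malformed input of the kind the article describes: the quote
    # closes the string literal and the remainder becomes SQL.
    hostile = "x' OR '1'='1"
    return {
        "vuln_honest": reminder_vulnerable(conn, honest),
        "vuln_hostile": reminder_vulnerable(conn, hostile),   # leaks every row
        "safe_honest": reminder_safe(conn, honest),
        "safe_hostile": reminder_safe(conn, hostile),         # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Auditing for this pattern means searching the code base for SQL built from string concatenation or formatting, which is exactly the "knowing where to look" problem the article raises.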

Hackers have taken advantage of SQL injection flaws for years because they can be exploited with relative ease. In recent years, SQL injection attacks have consistently ranked as one of the most popular methods for hackers to break into networks.


Friday, 19 July 2013

Church, advocacy groups sue NSA over surveillance

IDG News Service - Nineteen organizations, including a church and gun ownership and marijuana legalization groups, have filed a lawsuit against the U.S. National Security Agency for a surveillance program that targets U.S. residents' phone records.

The groups accuse the NSA, the U.S. Department of Justice and the Federal Bureau of Investigation of violating their members' First Amendment rights of association by illegally collecting their telephone call records.

Plaintiffs in the lawsuit filed Tuesday, in U.S. District Court for the Northern District of California, include the First Unitarian Church of Los Angeles, the California Association of Federal Firearms Licensees, Free Press, the Free Software Foundation, Greenpeace, the National Association for the Reform of Marijuana Laws' California Chapter, Public Knowledge, and TechFreedom.

The groups object to the NSA's bulk collection of telephone records, disclosed by former NSA contractor Edward Snowden in early June. The collection of all Verizon phone records, including records of calls made, the location of the phone, the time of the call and the duration of the call, violates the U.S. Constitution's First Amendment by giving "the government a dramatically detailed picture into our associational ties," said Cindy Cohn, legal director for the Electronic Frontier Foundation, representing the plaintiffs.

"When the government gets access to the phone records of political and activist organizations and their members, it knows who is talking to whom, when and for how long and how often," Cohn said during a press conference. "This so-called metadata, especially when collected in bulk and aggregated, allows the government to learn and track the associations of these organizations and their members."

Courts have recognized that government access to membership lists creates a "chilling effect" on people participating in those groups, Cohn added. "People are simply less likely to associate with organizations when they know the government is watching," she said. "This is especially true for associations advocating for potentially controversial changes in law or policy."

The collection program also violates the Constitution's Fourth Amendment, which protects U.S. residents against unreasonable searches and seizures, and the Fifth Amendment, which gives residents the right of due process, the lawsuit alleged.

The phone records collection program is "vast," and includes records for AT&T and Sprint Nextel, EFF's lawyers alleged in the complaint.

The plaintiffs asked the court to shut down the telephone records program and order the agencies destroy records they have collected.

A spokesman for the U.S. Office of the Director of National Intelligence didn't immediately return an email seeking comment on the lawsuit.

The Unitarian Church in Los Angeles joined the lawsuit because it has a long history in social justice issues, said the Rev. Rick Hoyt, a pastor there. The church opposed efforts in the 1950s to blacklist writers and actors with alleged ties to communism, he noted.

"The principles of our faith often require our church to take bold stands on controversial issues," he said. The church doesn't want its members tracked because of the church's positions on those issues, he added.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

Reprinted with permission from IDG.net. Story copyright 2012 International Data Group. All rights reserved.
