The beat goes on...
Well, here we go again. Last month the security vendor Kaspersky had its site hacked by SQL injection, possibly exposing email addresses and up to 25,000 product activation codes. Last week we learned of the Dalai Lama's network being hacked by sources possibly in China, using "social phishing" techniques on unsuspecting monks.
The widespread incidence of network infiltration by unauthorized individuals (hackers/crackers) poses an increasingly serious threat to data integrity and security. Although the NY Times article concentrated on "social phishing" via email as a means to dupe unsuspecting recipients, and on browser redirection among other vulnerabilities, those threats are relatively easily remedied through the use of updated anti-spyware, anti-phishing, and anti-virus software provided by companies such as Symantec and others. However, according to the IBM X-Force Threat Report released in June of 2008:
http://www-935.ibm.com/services/us/iss/xforce/trendreports
the greatest threat to web application security is now SQL injection. Exploitation of websites vulnerable to SQL injection has increased from an average of a few thousand attacks per day, when they first took hold early in 2008, to several hundred thousand per day at the end of 2008, surpassing cross-site scripting as the leading web application vulnerability. IBM's recommended solution is the installation of web server patches to help prevent such attacks. Unfortunately, 74% of the web applications reported had no patch available by the end of 2008, according to IBM. The IBM report also did not mention the additional need to properly "sanitize" all input data in web applications, nor did it mention any technologies available that can reduce or eliminate the need to host password fields in applications.
With the use of web proxies today, the IP address, identity, or location of a hacker is easily camouflaged. An anonymous SQL injection attack that yields purportedly "authenticated" user access represents a very serious security risk, one that has been virtually ignored by most IT security professionals. As today's report indicated, there is a gaping hole in cyber security caused by the unauthorized use of passwords (including those obtained by rogue means). Hackers have a wide choice of freeware that enables them to crack passwords, inject SQL strings into username and/or password fields, and generally cause havoc for application administrators trying to protect their web applications and databases.
To illuminate a possible solution to this huge problem, I suggest that the authors of the report cited in the Times (and interested readers) view a presentation given during the Oracle Web Expo two weeks ago:
http://tiny.cc/TriadOracleWM (Windows Media)
http://tiny.cc/TriadOracleRM (Real Media)
Clearly, many of the vulnerabilities associated with SQL injection at the "front door" can be avoided if the user must be biometrically (unequivocally) identified and authenticated where no password field exists as a gateway.