YOUR IT - Technology for you


Yahoo! jobs site open to attack


A SQL injection vulnerability left the Yahoo! jobs site open to attack for an unknown length of time.

Fresh from the Guardian Newspaper jobs site attack, Yahoo! also finds itself open to the amorous embrace of our Naughty Lads of the Internet.

This time, according to Amichai Shulman, Imperva's chief technology officer, the attack is focussed on a SQL injection, specifically a Blind SQLi problem. "This is a flaw that could mean that the personal information of large numbers of people is compromised," said Shulman.

"Data like this can be extremely useful as far as identity thieves are concerned. This is exactly the sort of data that is traded on so-called carder forums," he added.

According to Shulman, "it's a very difficult situation for the law enforcement authorities, as while every identity theft data can be harvested on the Internet from site hacks caused by SQL injection hacks, the forums will act as an auction/exchange for that data," he explained. Shulman is saying that some hackers are selling the fish – that is, the stolen data itself – while others provide the fishing poles – the exploits that can be used to extract the information.

Yahoo! has already been advised of the problem and a fix has been implemented; however, this is symptomatic of the entire cut-and-thrust of the Internet. As someone involved in the protection of important people once noted, the assassin only has to be lucky once, the guards need to be lucky all the time. So it is with web sites – every website needs to be protected from every possible attack all the time. The 'hackers' need only find one vulnerability on one site to be successful.

"This is why it's important to warn about potential SQL injection-hacked problems like this. If the potential problem is allowed to continue for any length of time, then the risk of a hacker attack rises as a result," Shulman said.

"SQL injection is a major thorn in the side for the Web site hosting community. It can be tackled with careful research and high levels of security. Unfortunately, some site operators overlook this simple fact at high risk," he added.
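To make Shulman's point concrete, here is an added illustration (not code from Yahoo!, Imperva or this article) of why a blind SQL injection works against string-built queries and not against parameterised ones. It uses an in-memory SQLite table with constructed job listings; the schema, the `published` flag and the sample probe string are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a job-listings table; not Yahoo!'s schema.
JOBS = [
    ("Sydney", "Network engineer", 1),
    ("Sydney", "DBA", 0),            # unpublished listing that should never be returned
    ("Melbourne", "Security analyst", 1),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (city TEXT, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)", JOBS)
    return conn


def search_concat(conn, city):
    # Vulnerable form: the user's input is spliced into the SQL text, so the
    # database parses whatever was typed as part of the query itself.
    sql = f"SELECT title FROM jobs WHERE published = 1 AND city = '{city}'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, city):
    # Hardened form: the query text is fixed and the input travels as a bound
    # value, so it can only ever be compared as a literal string.
    sql = "SELECT title FROM jobs WHERE published = 1 AND city = ?"
    return [row[0] for row in conn.execute(sql, (city,))]


def demo():
    conn = make_db()
    normal = "Sydney"
    # A true/false condition carried in the parameter: the kind of probe a
    # blind SQLi relies on. The attacker learns nothing from an error message;
    # the signal is that the result set changes. Constructed for illustration.
    probe = "Sydney' OR '1'='1"
    return {
        "concat_normal": search_concat(conn, normal),
        "concat_probe": search_concat(conn, probe),   # tautology widens the WHERE clause
        "param_normal": search_param(conn, normal),
        "param_probe": search_param(conn, probe),     # no city is literally named this
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated version returns every row, including the unpublished listing, when the probe is supplied; the parameterised version returns nothing, because the bound string never becomes SQL.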
