David Heath
Tuesday, 17 November 2009 05:04
Fresh from the Guardian Newspaper jobs site attack, Yahoo! also finds itself open to the amorous embrace of our Naughty Lads of the Internet.
This time, according to Amichai Shulman, Imperva's chief technology officer, the attack is focussed on a SQL injection, specifically a Blind SQLi problem. "This is a flaw that could mean that the personal information of large numbers of people is compromised," said Shulman.
"Data like this can be extremely useful as far as identity thieves are concerned. This is exactly the sort of data that is traded on so-called carder forums," he added.
According to Shulman, "it's a very difficult situation for the law enforcement authorities, as while every identity theft data can be harvested on the Internet from site hacks caused by SQL injection hacks, the forums will act as an auction/exchange for that data," he explained. Shulman is saying that some hackers are selling the fish – that is the stolen data itself, while others provide the fishing poles – the exploits that can be used to extract the information.
Yahoo! has already been advised of the problem and a fix has been implemented; however, this is symptomatic of the entire cut-and-thrust of the Internet. As someone involved in the protection of important people once noted, the assassin only has to be lucky once, the guards need to be lucky all the time. So it is with web sites – every website needs to be protected from every possible attack all the time. The 'hackers' need only find one vulnerability on one site to be successful.
"This is why it's important to warn about potential SQL injection-hacked problems like this. If the potential problem is allowed to continue for any length of time, then the risk of a hacker attack rises as a result," Shulman said.
"SQL injection is a major thorn in the side for the Web site hosting community. It can be tackled with careful research and high levels of security. Unfortunately, some site operators overlook this simple fact at high risk," he added.