Yahoo! jobs site open to attack

A SQL injection vulnerability left the Yahoo! jobs site open to attack for an unknown length of time.

Fresh from the Guardian Newspaper jobs site attack, Yahoo! also finds itself open to the amorous embrace of our Naughty Lads of the Internet.

This time, according to Amichai Shulman, Imperva's chief technology officer, the attack is focussed on a SQL injection, specifically a Blind SQLi problem. "This is a flaw that could mean that the personal information of large numbers of people is compromised," said Shulman.

"Data like this can be extremely useful as far as identity thieves are concerned. This is exactly the sort of data that is traded on so-called carder forums," he added.

"It's a very difficult situation for the law enforcement authorities, as while identity theft data can be harvested on the Internet from site hacks caused by SQL injection hacks, the forums will act as an auction/exchange for that data," Shulman explained. Shulman is saying that some hackers are selling the fish – that is, the stolen data itself – while others provide the fishing poles – the exploits that can be used to extract the information.

Yahoo! has already been advised of the problem and a fix has been implemented; however, this is symptomatic of the entire cut-and-thrust of the Internet. As someone involved in the protection of important people once noted, the assassin only has to be lucky once, while the guards need to be lucky all the time. So it is with web sites – every website needs to be protected from every possible attack all the time. The 'hackers' need only find one vulnerability on one site to be successful.

"This is why it's important to warn about potential SQL injection-hacked problems like this. If the potential problem is allowed to continue for any length of time, then the risk of a hacker attack rises as a result," Shulman said.

"SQL injection is a major thorn in the side for the Web site hosting community. It can be tackled with careful research and high levels of security. Unfortunately, some site operators overlook this simple fact at high risk," he added.
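To make concrete what a blind SQL injection flaw in a jobs search looks like, and the fix Shulman alludes to, here is an added example (not code from Yahoo! or Imperva). It uses a constructed in-memory SQLite jobs table with a hypothetical schema; the point is that with string-built SQL the truth of an attacker-supplied condition shows through in the results, which is exactly the signal a blind SQLi exploits, while a parameterised query treats the same input purely as data.

```python
import sqlite3

# Constructed sample data standing in for a jobs listing table; not Yahoo!'s schema.
JOBS = [
    (1, "Web Developer", "Sydney", 1),
    (2, "Security Analyst", "Melbourne", 1),
    (3, "Internal Draft Posting", "Sydney", 0),  # unpublished, must stay hidden
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (id INTEGER, title TEXT, city TEXT, published INTEGER)")
    db.executemany("INSERT INTO jobs VALUES (?, ?, ?, ?)", JOBS)
    return db


def search_unsafe(db, city):
    # The defect: user text is spliced into the SQL, so quotes and operators in the
    # input become part of the query's logic instead of being matched as data.
    sql = f"SELECT title FROM jobs WHERE published = 1 AND city = '{city}'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, city):
    # Parameterised: the driver binds the input as a value, never as SQL text, so
    # the WHERE clause the developer wrote is the only logic that runs.
    sql = "SELECT title FROM jobs WHERE published = 1 AND city = ?"
    return [row[0] for row in db.execute(sql, (city,))]


def condition_leaks(db, search):
    # Blind-SQLi self-check for a search function: if a true and a false
    # attacker-controlled condition yield different results, the query's outcome
    # depends on the input and the site is leaking one bit per request.
    true_probe = "Sydney' AND 1=1 --"
    false_probe = "Sydney' AND 1=0 --"
    return search(db, true_probe) != search(db, false_probe)


if __name__ == "__main__":
    db = make_db()
    print("unsafe leaks:", condition_leaks(db, search_unsafe))  # True
    print("safe leaks:  ", condition_leaks(db, search_safe))    # False
```

Run `condition_leaks` against your own search handlers as a regression test: the only acceptable result is that every handler behaves like `search_safe`.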