October 29, 2012

South Carolina Meets SQL Injection

South Carolina was in the news quite a bit last week.

What caused the breach? No one has stated it explicitly, but as some may suspect, it was probably a SQL injection attack. What are the indications?

First, according to official statements, the attacker took off with identity-related information and not, for example, details of tax reports (which may be far more interesting) or bank account numbers (same here).

Second, look at the following statement:

On Oct. 16, Mandiant confirmed that in early September, unknown hackers "probed" agency systems, and sometime in the middle of the month, they were able to access the data that was stolen. On Oct. 16, the vulnerability that permitted the intrusion was closed.

Assuming that the timeline described in the SC Magazine article is correct, it took Mandiant less than a day to figure out the attack and the dates, which indicates that they immediately went for the web server native logs and looked for SQL injection patterns.
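The kind of log review described above, as an added example (not from the original post and not Mandiant's tooling): it scans combined-format web server access logs for a few common SQL injection patterns and reports the first and last hit per client, which is how a probe-then-access timeline can be dated quickly. The log lines, rule names and function names are constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in combined log format (not data from the incident).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2012:10:12:01 +0000] "GET /lookup?id=17%27 HTTP/1.1" 500 312 "-" "-"
198.51.100.4 - - [03/Sep/2012:10:15:44 +0000] "GET /lookup?id=18 HTTP/1.1" 200 2048 "-" "-"
203.0.113.7 - - [04/Sep/2012:02:30:09 +0000] "GET /lookup?id=17+OR+1%3D1-- HTTP/1.1" 200 9120 "-" "-"
203.0.113.7 - - [14/Sep/2012:23:01:55 +0000] "GET /lookup?id=17+UNION+SELECT+a,b+FROM+t HTTP/1.1" 200 88123 "-" "-"
198.51.100.4 - - [15/Sep/2012:08:00:00 +0000] "GET /search?q=tax+forms HTTP/1.1" 200 1500 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')

# Heuristic rules, checked in order against the URL-decoded query string.
RULES = {
    "union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "tautology": re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I),
    "quote-or-comment": re.compile(r"'|--|/\*"),
}

def find_sqli_requests(log_text):
    """Return sorted (time, client, rule, status, bytes) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, target, status, size = m.groups()
        query = unquote_plus(urlsplit(target).query)  # decode %27, + and so on
        rule = next((name for name, rx in RULES.items() if rx.search(query)), None)
        if rule:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits.append((when, ip, rule, int(status), 0 if size == "-" else int(size)))
    return sorted(hits)

def timeline(hits):
    """Per client: (first hit, last hit, hit count, largest response in bytes)."""
    out = {}
    for when, ip, _rule, _status, size in hits:
        first, last, count, biggest = out.get(ip, (when, when, 0, 0))
        out[ip] = (min(first, when), max(last, when), count + 1, max(biggest, size))
    return out

if __name__ == "__main__":
    for ip, (first, last, count, biggest) in timeline(find_sqli_requests(SAMPLE_LOG)).items():
        print(ip, first.date(), last.date(), count, biggest)
```

A jump in response size on a flagged request, as in the last hit here, is a useful cue for separating probing from requests that actually returned data.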

Third, we can rule out "insecure object reference" as a culprit since credit card information was stolen partly in encrypted format and partly unencrypted.  This indicates that the information was not taken from an HTML display but from the database. 

Sadly, some misinformation is circulating. Notice this statement by one reporter: “In August 2011, a group of hackers used Google to steal 43,000 Social Security numbers from faculty, staff and students of Yale University, due to an unprotected FTP server.” The attackers didn’t use Google to steal information. Rather, the attackers used Google to find out that the server was holding sensitive information.
