South Carolina Meets SQL Injection
South Carolina was in the news quite a bit last week.
What caused the breach? No one has stated it explicitly, but as some may suspect, it was probably a SQL injection attack. What are the indications?
First, according to official statements, the attacker took off with identity-related information and not, for example, the details of tax reports (which may be far more interesting) or bank account numbers (same here).
Second, look at the following statement:
On Oct. 16, Mandiant confirmed that in early September, unknown hackers "probed" agency systems, and sometime in the middle of the month, they were able to access the data that was stolen. On Oct. 16, the vulnerability that permitted the intrusion was closed.
Assuming that the timeline described in the SC Magazine article is correct, it took Mandiant less than a day to work out the attack and its dates, which indicates that they went straight to the web server's native logs and looked for SQL injection patterns.
Third, we can rule out an "insecure object reference" as the culprit, since the credit card information was stolen partly in encrypted form and partly unencrypted. This indicates that the information was not taken from an HTML display but from the database.
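The second indication above rests on the kind of review an incident responder does against web server access logs: decode each request's query string, look for classic injection signatures, and read the first and last hits as the "probed" and "accessed" dates. The script below is an added illustration of that review, not code from the post or from Mandiant; the log lines are constructed samples in the Apache combined format with documentation IP addresses, and the `/taxpayer/lookup` path and the `SIGNATURES` table are assumptions made for the example.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample lines in the Apache/nginx "combined" log format.
# They are illustrative only, not logs from the South Carolina incident.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Sep/2012:03:14:07 -0400] "GET /taxpayer/lookup?id=1042 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Sep/2012:03:14:09 -0400] "GET /taxpayer/lookup?id=1042%27 HTTP/1.1" 500 233 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Sep/2012:03:15:41 -0400] "GET /taxpayer/lookup?id=1042%20OR%201%3D1 HTTP/1.1" 200 48210 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2012:11:02:00 -0400] "GET /taxpayer/lookup?id=2200 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2012:22:48:13 -0400] "GET /taxpayer/lookup?id=1%20UNION%20SELECT%20ssn%2Cname%20FROM%20taxpayers-- HTTP/1.1" 200 390112 "-" "Mozilla/5.0"
"""

# One combined-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Classic injection signatures (assumed set for this example), matched against
# the URL-decoded query string so that %27 and %20 encodings do not hide them.
SIGNATURES = {
    "quote": re.compile(r"'"),
    "boolean": re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I),
    "union": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "comment": re.compile(r"(--|#|/\*)\s*$"),
}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode before matching
    return rec


def scan_log(text):
    """Return the parsed requests whose decoded query matches any signature."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue
        reasons = [name for name, rx in SIGNATURES.items() if rx.search(rec["query"])]
        if reasons:
            rec["reasons"] = reasons
            findings.append(rec)
    return findings


def timeline(findings):
    """Summarise when probing started, when it first succeeded, and when it ended."""
    if not findings:
        return None
    first = min(f["ts"] for f in findings)
    last = max(f["ts"] for f in findings)
    # A 2xx response to a request carrying a payload is where probing turned into access;
    # a 500 on a lone quote is the typical error-based probe that precedes it.
    successes = [f for f in findings if 200 <= f["status"] < 300]
    first_success = min((f["ts"] for f in successes), default=None)
    sources = sorted({f["ip"] for f in findings})
    return {"first": first, "last": last, "first_success": first_success, "sources": sources}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"].isoformat(), h["ip"], h["status"], h["query"], h["reasons"])
    print(timeline(hits))
```

Run against the constructed sample, the first flagged request is the quote probe that drew a 500 on 2 September, the first successful payload follows a minute later, and the last hit is the large response on 14 September. That spread is exactly the "early September probing, mid-September access" shape quoted from SC Magazine, and it is why a responder with access to the raw access logs can date an injection-based intrusion in hours. The signature table is deliberately small; a production review would also correlate response sizes and error bursts per client rather than rely on string matches alone.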
Sadly, there is also some misinformation circulating. Notice this statement by one reporter: “In August 2011, a group of hackers used Google to steal 43,000 Social Security numbers from faculty, staff and students of Yale University, due to an unprotected FTP server.” The attackers didn’t use Google to steal the information. Rather, they used Google to find out that the server was holding sensitive information.