Infoworld reports a surge in SQL Injection attacks. SecureWorks, a firm that monitors databases of 1300 financial institutions, says they are seeing close to 8000 attacks/day on these databases, up from 100 to 200 attacks/day earlier this year. The attacks apparently originate in Russia, China, Brazil, Hungary, and Korea (surprise!). 8000 attacks/day clearly suggest rampant scanning. That's not surprising, as the simplest forms of SQL Injection can be detected using a scanner. But we disgree with the Secure works press release that recommends the solution for these attacks:
A Network Intrusion Prevention System and Host Intrusion Prevention System can offer many of these protections, especially if they are being monitored by a 24x7x365 security team that can stay on top of the newest types of SQL Injection attacks, as there are new variances being released all the time.
It's trivial to evade Network and Host IDS/IPS/AppFirewalls. And a SQL Injection scanner can cut through those defenses. The 24x7x365 team will not even notice the attack if it's not a blip in the IDS radar. The right way to block SQL Injection is to use pre-compiled SQL queries. It's not difficult. And it works. What's most intriguing comes later down in the Infoworld article when it discusses an attack on Card Systems International.
The hacker used a SQL injection attack to install a program that transferred credit-card data from a database every four days to a remote computer.
Install a program using SQL Injection? Any ideas how they could have done that? Or were these two separate attacks?