10 online attacks we could have easily prevented
Real zero-day attacks against which we're all helpless are actually quite rare. The use of best practices and defense-in-depth can almost always block, or at least warn of attempts to exploit systems. Even Stuxnet, perhaps the most sophisticated exploit ever, which used four zero-day vulnerabilities, could have been blocked if the Iranian authorities had used best security practices.
This is the main lesson of a webinar by security expert Troy Hunt for the IT educational site PluralSight, for which Hunt creates courseware. Many of the victims are large, well-funded corporations (and their customers), but those corporations didn't go to the trouble of following the OWASP Top Ten list of the most critical web application security flaws, the leading guide on the subject.
Some of these attacks are famous, such as the hack of the Sony Playstation network. Some caused real damage, including the bankruptcy of one company that was hacked, while some led to less dire consequences, such as spam campaigns.
Hunt has many other Pluralsight courses focused on best practices such as these, and the course catalog extends into many other computing topics, from IT issues to programming and computing architecture.
(Image ZDNet/CBS Interactive Inc.)
Bell Canada gets SQL-injected
In February of this year a hacker group called Nullcrew stole and leaked thousands of customer usernames and passwords from Bell Canada.
The attackers released a lot of detail about how they did it. The technique was SQL injection, in which attackers insert SQL commands into a remote site's database through poorly written web site code. SQL injection can be a devastating form of attack and is alarmingly common. OWASP (the Open Web Application Security Project) rates injection attacks, such as SQL injection, as the most prevalent of their Top 10 web site attacks.
The really irksome part of this particular attack is that SQL injection is one of the few attacks that we absolutely know how to prevent, through a technique called parameterized queries. Alas, Bell Canada was using very old technology on their site.
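To make the point concrete, here is an added example (not code from Hunt's course or from Bell Canada's site) showing the string-concatenation pattern that makes injection possible next to the parameterized form that prevents it, using a constructed in-memory SQLite table:

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory user table standing in for a
    # real site's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn


def find_user_concatenated(conn, username):
    # Vulnerable pattern: user input is spliced into the SQL text, so a quote
    # in the input changes the structure of the statement itself.  A name such
    # as O'Brien breaks the query outright, and crafted input can alter it.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def find_user_parameterized(conn, username):
    # Hardened pattern: the statement text is fixed and compiled first; the
    # input travels separately as a bound value and is never parsed as SQL,
    # so quotes and keywords in it are just characters to compare against.
    sql = "SELECT username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(find_user_parameterized(db, "alice"))     # ('alice',)
    print(find_user_parameterized(db, "O'Brien"))   # None, no error
    print(find_user_parameterized(db, "' OR '1'='1"))  # None: treated as data
```

The same placeholder-binding mechanism exists in every mainstream database driver (JDBC PreparedStatement, PDO, ADO.NET parameters), which is why the page calls this the attack we know how to prevent.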
The image on this page is a screen grab of HackBar, a penetration-testing tool with specific capabilities for SQL injection.
(Image courtesy Hunt/PluralSight)