10 online attacks we could have easily prevented

Summary: Ten attacks on corporations and individuals by hackers and governments, and all of them could have been prevented if people had followed best practices.

TOPICS: Security, E-Commerce
  • 10 online attacks we could have easily prevented

    Real zero-day attacks against which we're all helpless are actually quite rare. The use of best practices and defense-in-depth can almost always block, or at least warn of attempts to exploit systems. Even Stuxnet, perhaps the most sophisticated exploit ever, which used four zero-day vulnerabilities, could have been blocked if the Iranian authorities had used best security practices.

    This is the main lesson of a webinar by security expert Troy Hunt for the IT educational site PluralSight, for which Hunt creates courseware. Many of the victims are large, well-funded corporations (and their customers), but those corporations didn't go to the trouble of following the OWASP Top Ten, the leading guide to the most critical web application security flaws.

    Some of these attacks are famous, such as the hack of the Sony Playstation network. Some caused real damage, including the bankruptcy of one company that was hacked, while some led to less dire consequences, such as spam campaigns.

    Hunt has many other Pluralsight courses focused on best practices such as these, and the course catalog extends into many other computing topics, from IT issues to programming and computing architecture.

    (Image ZDNet/CBS Interactive Inc.)

  • Bell Canada gets SQL-injected

    In February of this year a hacker group called Nullcrew stole and leaked thousands of customer usernames and passwords from Bell Canada.

    The attackers released a lot of detail about how they did it. The technique was SQL injection, in which attackers insert SQL commands into a remote site's database through poorly written web site code. SQL injection can be a devastating form of attack and is alarmingly common. OWASP (the Open Web Application Security Project) rates injection attacks, such as SQL injection, as the most prevalent of their Top 10 web site attacks.

    The really irksome part of this particular attack is that SQL injection is one of the few attacks that we absolutely know how to prevent, through a technique called parameterized queries. Alas, Bell Canada was using very old technology on their site.
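To show why parameterized queries close the hole, here is an added example (not from the article or from Hunt's course) that runs the same lookup both ways against a constructed in-memory SQLite table; the table contents and the hostile input are made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a customer database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The flawed pattern: untrusted input is spliced into the SQL text, so the
    # database cannot tell where the query ends and the data begins.
    sql = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The fix: the SQL text is fixed at development time and the driver sends
    # the value separately, so the input is only ever compared as a string.
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input containing a quote and an always-true condition.
HOSTILE = "' OR '1'='1"


def demo():
    # Returns the row sets each approach produces for a normal and a hostile input.
    conn = make_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),
        "normal_param": lookup_parameterized(conn, "alice"),
        "hostile_vuln": lookup_vulnerable(conn, HOSTILE),    # leaks every row
        "hostile_param": lookup_parameterized(conn, HOSTILE),  # no such username
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated query returns the whole table for the hostile input, while the parameterized one returns nothing, which is exactly the behaviour a code review or a test suite should assert on.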

    The image on this page is a screen grab of HackBar, a penetration-testing tool with specific capabilities for SQL injection.

    (Image courtesy Hunt/PluralSight)

Talkback

3 comments
  • Passwords are the weak link

    10 years ago, still applicable; "passwords don't work"...

    http://cquirke.mvps.org/pwdssuck.htm

    ...at the basic concept level, i.e. relying on humans to compete with computers where computers are stronger.

    It all depends on whether you want things to work or "work"; passwords "work" in that vendors can absolve themselves of blame by blaming the users/victims.

    Knowing this, do we still want to glom everything together as "the cloud"? Depends on who you mean by "we", I guess... US spooks, yes (easier to crack and own a handful of cloud providers than millions of loose devices), vendors, yes, but not so sure about us consumers.
    cquirke
  • Another Heartbleed Lesson.

    "It turns out that it's not a simple matter to exploit, and a great many sites have been patched."

    There are a lot of people with their hand hovering above the panic button waiting for any kind of open-source issue to call "The worst Internet incident ever!"

    In hindsight, all those calls for bans and government intervention seem silly.
    anothercanuck
  • Lessons

    This is the main lesson of Some of these attacks are famous, such as the hack of the Sony Playstation network. Some caused real damage, including the bankruptcy of one company that was hacked, while some led to less dire consequences, such as spam campaigns.
    catherinej02