The History of SQL Injection, the Hack That Will Never Go Away

“When you go to a webpage, and you make a request, that parses part of the data in the request back to a server,” Hunt said. “For example, you read a news article, and the news article, in the address bar it has, ‘id=1’, and that gives you news article number 1, and then you get another one with ID 2.”

But, “with a SQLi attack, an attacker changes that ID in the address bar to something that forces the database to do something it’s not meant to do,” Hunt said, such as returning a piece of private data.

Source: The History of SQL Injection, the Hack That Will Never Go Away | Motherboard
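To make Hunt's description concrete, here is an added example (not code from the Motherboard article or from Hunt) in Python against an in-memory SQLite table: the same article lookup written by pasting the `id` value into the query text, beside the parameterised form and an input check, run on constructed sample rows. The table, column names, function names and sample data are assumptions made for the example.

```python
# Added example: an "id=1" news lookup done the unsafe way and the safe way.
# Sample table and rows are constructed for this demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two public articles and one unpublished draft."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    con.executemany("INSERT INTO news VALUES (?, ?, ?)", [
        (1, "Article one", 1),
        (2, "Article two", 1),
        (3, "Unpublished draft", 0),   # private: public = 0
    ])
    return con


def lookup_vulnerable(con: sqlite3.Connection, article_id: str) -> list[str]:
    # The "id" value from the address bar becomes part of the SQL text itself,
    # so an altered value can change the WHERE clause instead of just the number.
    sql = f"SELECT title FROM news WHERE public = 1 AND id = {article_id} ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterised(con: sqlite3.Connection, article_id: str) -> list[str]:
    # The value is bound as data; the driver never interprets it as SQL.
    sql = "SELECT title FROM news WHERE public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (article_id,))]


def lookup_validated(con: sqlite3.Connection, article_id: str) -> list[str]:
    # Defence in depth: an article id must be a plain integer, so reject
    # anything else before it reaches the database at all.
    if not article_id.isdigit():
        raise ValueError(f"rejected non-numeric id: {article_id!r}")
    return lookup_parameterised(con, article_id)


if __name__ == "__main__":
    db = make_db()
    altered = "1 OR 1=1"   # the kind of changed id Hunt describes
    print("normal id, vulnerable:   ", lookup_vulnerable(db, "1"))
    print("altered id, vulnerable:  ", lookup_vulnerable(db, altered))
    print("altered id, parameterised:", lookup_parameterised(db, altered))
```

The vulnerable lookup returns the unpublished draft for the altered id because the WHERE clause itself was rewritten; the parameterised lookup treats the whole string as a (non-matching) id value and returns nothing.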

Another commonly used piece of software is sqlmap. “It crawls the pages on the website, similar to how a search engine crawler might, looks for input forms on the website, and submits the forms with inputs that might cause a MySQL syntax error,” Al-Bassam added.

Over a Billion Passwords Stolen?

As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before either. The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.

via Schneier on Security: Over a Billion Passwords Stolen?

From: Krebs on Security in an article entitled Q&A on the Reported Theft of 1.2B Email Accounts

These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

Overall, Krebs trusts a researcher who claims to have seen this data firsthand. According to Krebs:

I’ve known Hold Security’s Founder Alex Holden for nearly seven years.

and

Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real.

Honeypot Stings Attackers With Counterattacks

The PHP portion included a field for “members” to enter their “secret code” to enter the “private zone,” he explains. “So it’s a good idea to try a SQL injection attack” there, he says of the lure.

“My script had [a] few checks for some patterns, and when a SQL injection attempt was detected, the script [threw the] Java applet, ‘GUI for member zona. Welcome,’” he says. The Java applet then installed a backdoor on the attacker’s Windows machine, he says.

via Honeypot Stings Attackers With Counterattacks – Dark Reading.

In his research paper (PDF) on the experiment, Sintsov explains it this way: “Obviously, reverse penetration has a number of moral, ethical and legal issues