25 March 2017
SQL injection is one of the oldest, most used and best understood attack vectors. The solution (input sanitizing) is also well understood, but many systems vulnerable to SQL injection are still operated on the internet. And the cybercriminal Rasputin is obviously a genius at detecting such systems.
In his post “Rasputin Hacker Uses SQLi to Hack 60 Universities and Government Agencies”, David Bisson provides some insight into the problem and why organizations are struggling with the solution:
“The evidence suggests economics play a role in causation for this troubling trend. The problem and solution are well understood, but solutions may require expensive projects to improve or replace vulnerable systems. These projects are often postponed until time and/or budget is available, until it’s too late to prevent SQLi victimization.”
As always, it’s a lack of budget and resources. But especially in the case of university web sites I find this really difficult to understand.
Computer science students can work on these issues in seminars and projects after the basic database and web programming courses. Even the project management can be done by students. Only a few expensive professionals are required to coordinate the activities with the university's IT department.
If one starts with the web pages where user input is requested, the major problems can be solved in the short or medium term. In addition, students will gain very valuable insights into real cyber security issues and how to solve them.
Have a good weekend.