Scam of the day – March 20, 2017 – Hacker uses SQL attack to steal data from colleges and government agencies

According to security company Recorded Future, a notorious Russian hacker known as Rasputin used a SQL injection attack to hack into the data of sixty-three targets that included prominent colleges in the United States and the UK as well as state and federal government agencies. The various targets were chosen because they store personal information that could be sold on the Dark Web, where cybercriminals buy and sell such data to be exploited for purposes of identity theft.

Among the colleges suffering a data breach were Purdue University and Cornell University. Among the government agencies hacked was the Department of Housing and Urban Development (HUD). Among the city governments whose computers were hacked were Pittsburgh, Pennsylvania and Springfield, Massachusetts.

Structured Query Language (SQL) is a computer language widely used in databases. In a SQL injection, a web app vulnerability is exploited in order to give the hacker access to all of the stored data. A SQL injection can result not only in data being stolen, but also in data being changed or deleted. The entry point for a SQL injection is generally a login form, sign-up form or other form where visitors to a website can input information.
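To show why form input is the entry point and what the fix looks like in code, here is an added example; it is not taken from Recorded Future's report or from any of the affected sites. The table, column names, sample rows and form input are all constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, ssn TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002")],  # constructed rows
    )
    return db


def lookup_vulnerable(db, username):
    # Vulnerable pattern: the form value is pasted into the SQL text, so a
    # quote character in the input ends the string literal and whatever
    # follows it is parsed as part of the query.
    sql = "SELECT username, ssn FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, username):
    # Hardened pattern: the ? placeholder passes the form value to the
    # database as data only; it is never parsed as SQL.
    sql = "SELECT username, ssn FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


# Constructed form input containing a quote character.
FORM_INPUT = "nobody' OR '1'='1"


def demo():
    db = make_db()
    try:
        lookup_vulnerable(db, "O'Brien")  # an ordinary surname
        benign_breaks = False
    except sqlite3.OperationalError:
        benign_breaks = True  # even harmless input breaks the query
    return {
        "vulnerable": lookup_vulnerable(db, FORM_INPUT),
        "parameterized": lookup_parameterized(db, FORM_INPUT),
        "legitimate": lookup_parameterized(db, "alice"),
        "benign_apostrophe_breaks_vulnerable": benign_breaks,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The concatenated query returns every stored row for the constructed input, while the parameterized query returns none and still answers the legitimate lookup correctly.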

TIPS

SQL injection attacks are quite common, but they can be defended against through proper security practices, including constantly updating servers, applications and services with the latest security updates. As for consumers, the best we can do is limit, as much as possible, the information we provide to the various websites with which we do business, recognizing that we are only as safe as the weakest security among the places with which we do business.
