Oracle SQL Injection Attacks
Oracle Tips by Burleson Consulting

Update - For a complete treatment of the topic of Oracle security on the web, see these books and resources:
Oracle Forensics, by Paul M. Wright, Rampant TechPress
Oracle Privacy Security Auditing, by Arup Nanda and Donald K. Burleson, Rampant TechPress
Oracle has made huge efforts to plug vulnerabilities against SQL injection attacks, but many web databases remain vulnerable to SQL injection hacking.
Now we are seeing a rash of online how-to guides for using SQL injection techniques to penetrate private databases.
This scary must-see video shows a real-world SQL injection attack, and it's frightening how fast they can break into an allegedly secure database. It's even more frightening that someone would publish step-by-step instructions where criminals can see them.
This video shows a SQL injection attack in Linux, "based on a true story", giving criminals complete directions to aid them in their acts.
Great. Now any script kiddie can get step-by-step instructions for hacking into a database.
Should this be illegal? The US has felony laws prohibiting aiding and abetting criminal activities, but it is not clear whether these laws extend to aiding cyber criminals, computer fraud, and computer forgery. Do hacker how-to guides constitute aiding and abetting a criminal?
SQL injection techniques remain a major threat to many web-based systems, and it is not always the database vendor's fault. Improper page design can also precipitate these types of SQL injection hacking attacks.
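The "improper page design" referred to above is usually a web page that pastes user input straight into the SQL text. The example below is added here and is not from the original article: the same lookup is written twice, once by string concatenation and once with a bind variable, so the difference in behaviour can be observed directly. An Oracle database is assumed to be unavailable offline, so Python's in-memory sqlite3 module stands in; the `:username` bind syntax is the same one Oracle accepts, so the corrected form carries over unchanged. The table and rows are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for an application's user table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s1"), ("bob", "s2")])
    return con


def lookup_concat(con, username):
    # Vulnerable form: the user-supplied value becomes part of the SQL text,
    # so a quote character in the input changes the statement's structure.
    sql = ("SELECT username FROM users WHERE username = '"
           + username + "' ORDER BY username")
    return [row[0] for row in con.execute(sql)]


def lookup_bind(con, username):
    # Hardened form: the value is passed as a bind variable and is never
    # parsed as SQL, whatever characters it contains. Oracle takes the same
    # :username placeholder, so this is the portable fix for the page design.
    sql = ("SELECT username FROM users WHERE username = :username "
           "ORDER BY username")
    return [row[0] for row in con.execute(sql, {"username": username})]


def compare(username):
    # Run one input through both forms; returns (concatenated, bound) rows.
    con = make_db()
    return lookup_concat(con, username), lookup_bind(con, username)


if __name__ == "__main__":
    # A normal username behaves the same either way; an input containing a
    # quote makes the concatenated query match every row while the bound
    # query correctly matches none.
    print(compare("alice"))
    print(compare("x' OR 'a'='a"))
```

Reviewing an application for the concatenated pattern and rewriting it to the bound form is the design-level fix the paragraph above refers to.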