Research Team Outline SQL Injection Attack Which Gathered 1.2 Billion Usernames/Passwords

06/08/2014

Introduction

The research team at Edinburgh Napier has outlined the recent SQL injection attack which gathered 1.2 billion usernames/passwords here.

Outline

The Heartbleed vulnerability stemmed from a human coding error within the OpenSSL encryption library, and showed that it is humans who often cause security vulnerabilities, which can frequently be traced to poor software development methods. The Adobe hack exposed 150 million passwords and revealed poor security practices: users could select obviously weak passwords, which could then be easily cracked. Along with this, for some reason, Adobe avoided adding a salt to the hashed passwords, which made it extremely simple to reverse the hashed version back to the actual user password.

Hackers now have a whole range of tools in their toolbox, where they can command a whole lot of proxy agents - each known as a bot and controlled remotely as part of a botnet - which do the vulnerability probing and data stealing on their behalf. Anyone listening on the network will not be able to find the original source of the probing, as it is done by one of the compromised agents. The creation of a botnet agent is often fairly simple for the hackers, as it normally involves sending a phishing email - such as one with a link to a fake HMRC on-line Web page - which compromises an unpatched system. Common compromises include Adobe Reader, Adobe Flash and Oracle Java, where a backdoor agent is downloaded onto the compromised host and then listens for events, such as logging into bank systems. The agents can also be used to send requests to remote sites, such as for probing for usernames and passwords, and for DDoS (Distributed Denial of Service).

One of the easiest ways for an intruder to steal data, and one that often succeeds, is to use either XSS (Cross-site scripting) or SQL injection. With XSS, the intruder forces some script into the page to make it act incorrectly, and with SQL injection the page sends through an SQL command to the database, which can reveal its content. If the developers do not check their code, or if they do not undertake a penetration test, the Web site can be at risk.
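To make the SQL injection point concrete, here is an added example (not code from the Edinburgh Napier team or from the article) that contrasts a lookup built by string concatenation with the same lookup using a bound parameter, run against a constructed in-memory SQLite table; the user names, e-mail addresses and probe value are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a small in-memory user table standing in for a site's database.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by string concatenation: untrusted input becomes part of the SQL
    text, so a crafted value can rewrite the WHERE clause and return every row."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Passes the input as a bound parameter: the driver treats it as data, never as SQL,
    so the same crafted value simply fails to match any username."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed probe value of the textbook kind: it closes the quoted literal and appends
# a condition that is always true, which is what the vulnerable query fails to prevent.
PROBE_INPUT = "' OR '1'='1"


if __name__ == "__main__":
    conn = build_db()
    print("normal lookup        :", lookup_vulnerable(conn, "alice"))
    print("vulnerable + probe   :", lookup_vulnerable(conn, PROBE_INPUT))
    print("parameterised + probe:", lookup_parameterised(conn, PROBE_INPUT))
```

The vulnerable lookup returns the whole table for the probe value, while the parameterised lookup returns nothing, which is the property a code review or penetration test should be checking for.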

Forget Heartbleed, this is worse!

On 5 August 2014, Hold Security, a Milwaukee-based company, released details of their investigation of a Russia-based criminal gang where the hackers stole 1.2 billion username/password combinations, along with more than 500 million email addresses. It thus puts both the Adobe hack (150 million usernames and passwords released) and Heartbleed into the shade.

This revelation was unveiled at the Black Hat computer-security conference in Las Vegas (2-7 August 2014), which was, ironically, the same conference at which two researchers from Carnegie Mellon University (Alexander Volynkin and Michael McCord) were to present their work on the exploitation of the Tor (The Onion Network) infrastructure, but where their research presentation was pulled for reasons which are currently unknown.

There are thought to be 12 hackers involved in the password stealing attack, who have been purchasing information on the online black market since 2011. In the latest exploit, the Russian hackers used malware-infected hosts (typically infected through a phishing email to unpatched systems) to gather over 4.5 billion records. These hosts probed remote Web sites for SQL vulnerabilities and, when one was discovered, executed SQL injections to gain usernames and passwords. Overall they managed to compromise over 400,000 Web and FTP sites. A major problem with this is that users often use the same password for many different sites, so a compromise of one of their accounts could cause a compromise of their other accounts for some time in the future.


Associated people

William Buchanan
Director of CDCS
w.buchanan@napier.ac.uk
+44 131 455 2759