Forgot your password?
typodupeerror
Security

The Rise of Everyday Hackers 126

Posted by samzenpus
from the hacker-mom dept.
An anonymous reader writes "Research suggests there will be a rise in everyday hackers. A simple Google search for 'SQL injection hack' provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities. The ready availability of this information makes it possible for less technically skilled hackers to take advantage of this common flaw. Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks. The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on their first submission for security testing."
This discussion has been archived. No new comments can be posted.

The Rise of Everyday Hackers

Comments Filter:
  • by Anonymous Coward on Monday April 08, 2013 @12:09PM (#43392187)

    Really /. of all the places I'd not expect this particular stupidity.

    • by jellomizer (103300) on Monday April 08, 2013 @12:31PM (#43392453)

      Technically I am more of the old school definition of Hacker. And these criminals are actually crackers, and deserve to be punched in the face.

      Oh all high and mighty Hacker, who broke into a website, made by some guy on a tight deadline, or is probably their first programming job. By using a SQL injection attack. How 7337 are they. By copying and pasting you have shown yourself to be some real computer wiz.

      Sorry. I have no respect for these people. They just make the world a tougher place to live. Imagine how fast computers will be without layers of security to prevent people in breaking into their systems. But there are so many people who idealize these jerks think they are something special.

      • by morgauxo (974071) on Monday April 08, 2013 @12:52PM (#43392687)

        "But there are so many people who idealize these jerks think they are something special."

        Oh, yeah, script kiddies. All the girls want to have them and the guys want to be them.

      • Exactly. Us professionals run sqlmap --level 5 --risk 5 -u http://example.com/foo.php [example.com] instead.
        • by Anonymous Coward

          The professionals just know that their code does not have any SQL injections and it will be impossible to have an SQL injection anywhere in their code due to sane use of the DB, code review, etc. monitoring of fellow programmers. ;)

          • ...due to sane use of the DB, code review...

            How primitive. Just enforce it with the language, in the type system, or with AOP (which is virtually the same thing from a certain point of view).

      • by Synerg1y (2169962) on Monday April 08, 2013 @01:29PM (#43393103)

        That's like saying... imagine a world where i leave my front door open... hope i don't get robbed!

        Also, every time somebody argues the definition of hacker, cracker, and script-kiddie you folks are lowering the bar. By definition, neither of these 3 should care less what they're called by the media (real pros define themselves with hats? :P ). In fact, the more obscurity the better.

        • by Anonymous Coward

          Imagine how fast I could enter and leave my home/car/office if I didn't lock the door!

        • Ridiculous analogy because people aren't leaving their networks open. Some of these exploits take a sophisticated understanding of protocols to figure out even if the exploit itself is a simple piece of code or series of interactions.

          And, this is my problem with the glorifying of hackers we get on Slashdot. Those of us with jobs in the industry have to waste our time dealing with these monkeys, while a certain subset here thinks it's the admin's fault that you found an exploit by trawling torrent sites al

          • by Synerg1y (2169962)

            I was mainly responding to...

            Imagine how fast computers will be without layers of security to prevent people in breaking into their systems

            And btw it is beyond a reasonable doubt the admin's fault somebody is browsing torrent sites off the company network at night.

            1. why is VPN access not audited? (why does nobody see somebody getting in at night for non-work reasons)
            2. why are the torrent sites not blocked? Even a simple blacklist can accomplish 99% of this.

            Leave security to human nature and tendencies and in my analogy you might as well not bother with the front door... or frame for that matter.

          • Those "sophisticated attacks" are the tiny minority. I spend my time auditing the security of systems, and the systems where I have to dig deep and bring out the big guns are few and far between, usually found in healthcare or finance (i.e. places where they bother to hire more expensive and knowledgeable people because that's cheaper than the stiff penalties which may include shutting your act down).

            Most systems already break down under an automated attack. Which sadly also means that in security auditing,

      • by Anonymous Coward

        Maybe I misinterpreted the point of TFA, but I took it as meaning there's something in between, where someone isn't what would have been called a "hacker" in the 1980s, but they might not necessarily be blindly running scripts without understanding them, either. That is, SQL injection attacks on websites are so well known, and well explained, that mainstream people are capable of "getting" it. What ESR calls a "larval stage" hacker might indeed write a script (without merely pasting) that automatically at

        • I see high-level "batteries included" as the next step in programming evolution. There was a time not long ago where compilers and hell, even assemblers were state-of-the-art, highest level programming. But the basic thought processes a "programmer"/"hacker" has will never change.
      • "But there are so many people who idealize these jerks think they are something special." But I saw it in a film.. they look so cool.. people will think I'm smart and mysterious.
      • Idealizing the attacker? No. But likewise, not absolving the idiot who built the insecure webpage in the first place. A "tight schedule" is NO excuse for the crap that doubles today as security layer. Most of the things I find in webpages these days can easily be avoided without additional programming effort, all it takes is KNOWING something about SQL instead of copying/pasting the crap off the net.

      • by Anonymous Coward

        Cracker as a perjorative term to describe Black Hats is just not going to catch on as a term used by professional media. It's been a derogetory term refering rural white US Southerners for over 150 years and became a wide spread racial epithet towards white people in general over 50 years ago.

      • by chrismcb (983081)

        Oh all high and mighty Hacker, who broke into a website, made by some guy on a tight deadline, or is probably their first programming job.

        Neither of which is an excuse for leaving an SQL open to be injected. I'm shocked that in this day and age 1/3 of the applications have this vulnerability.

      • Depends on the colour of your hat :) but script kiddies are lower than phone freaks any way you look at it.
    • Huh? How is this 'stupid', exactly? This is a very informative article. Or are you of the "see no evil" persuasion?
      • by ci13urn (1653273)
        It's also stupid because its common sense that Googling something will bring you a how-to. It's also stupid because I read this same article at least twice a month. SQL injection has, and probably for a long time coming, will be the most commonly exploited vulnerability on the web.
    • Well, considering how programming gets easier, it's just logical that hacking programming gets easier too. When you have people who don't know what they're doing and just following rote and rule creating programs, you can have people who don't know what they're doing exploiting their weaknesses.

      It's the logical conclusion when you forgo basic knowledge and basic computing skills. That's what happens when cargo cult programming and copying/pasting from code snippets and samples becomes the norm. Of course, s

  • by Anonymous Coward

    remove this article

  • by rodrigoandrade (713371) on Monday April 08, 2013 @12:16PM (#43392265)

    If this is what passes for research nowadays, I got some more data. Check out these Google queries and the results... (something, something, think of the children, something).

    "make a bomb" 557,000,000 results
    "rape sister" 99,000,000 results
    "kill mother" 274,000,000 results (funny how "kill mother in law" turns up on Google's autocomplete thingy)
    "cheat taxes" 59,700,000 results

    • by geminidomino (614729) on Monday April 08, 2013 @12:22PM (#43392327) Journal

      After setting off every TLA alert system to make a point on slashdot, user "rodrigoandrade" received a midnight visit and was never heard of again.

    • by mjr167 (2477430)
      I think the solution is to ban Google! Google is clearly facilitating terrorists!
    • by Anonymous Coward

      half of those are blogs with no content and linkspam. another chunk is what im guessing are wordfiles for cracking passwords. another chunk will not have the search term anywhere on the page for some reason. even tho it showed it in the summary.

      much better.

    • by Idbar (1034346)
      And my take on that is the news and Internet itself.

      With news indicating "how easy is to find how to make a bomb online" or even running an article explaining it [guardian.co.uk], and on the other hand, geeks making references to little Bobby tables, what do you expect, but people going around and confirm by themselves?
      • by Idbar (1034346)
        Then again, as you said, there's plenty of documentation online. Now, how is being used? Despite of just satisfying curiosity, is how Google or Wikipedia searches make no sense as metric or indication of anything.
    • by SuricouRaven (1897204) on Monday April 08, 2013 @02:09PM (#43393565)

      Attitudes towards potentially dangerous material are often contradictory. For example, in an episode of Mythbusters the team required thermite for an experiment. They made this themselves, in a procedure not shown. The ingredients bottles were blurred out to hide the labels. Jamie sarcastically warned viewers never to mix 'blur' and 'blur.' So clearly, someone at the studio considered this information to be too dangerous to reveal to the audience - either because it could be used to create a weapon, or because of the risk someone would experiment with it and then sue the studio after they burned their hand off. And yet, this material that so scared the studio is widely known. Not only can it be looked up with ease on the internet, but it's the textbook example of a redox reaction - quite literally the textbook example. When I studied chemistry in a perfectly ordinary public school it was the example in the textbooks, including not just the ingredients but instruction in how to calculate the correct ratio and, thanks to a practical demonstration given by the teacher, instruction in the importance of particle size, correct safe preperation method and means of ignition. Does that mean the school chemistry text is a terrorism handbook?

      You probably could use thermite for terrorism too. If it's used to weld rails, it can be used to sever them too. Sever a rail, derail a train. Could kill hundreds of people if you time it right.

    • *Knock knock*

      "Who's There?"

      "The FBI"



      Congratulations - I hope you don't plan on leaving the country any time soon. :)
    • by TripleE78 (883800)

      Rape Sister is so the name of my next band.

  • I guess I'm wondering what the definition of "everyday hacker" is. Just less technically sophisticated?
    • by TWiTfan (2887093)
      It's a script kiddie.
      • by Anonymous Coward

        What I am concerned about is even though SQL injections are a common attack, which doesn't take a lot of skill to take advantage of, it can result in one unexpected consequence.

        It wouldn't be hard for a LEO to make honeypots. Then when some junior level people run the scripts, their info is saved aside, and then at a later date after a DA has plenty of time to make a firm case, mass arrests, Operation Sun Devil style are made, and multiple times.

        Yes, attempting to break into something is a crime, but what

        • "result in is another generation of children [1] too afraid to test limits,"

          That may be the intended result.

          In the early days of the internet, there was a very casual attitude to hackers. It was fully expected that most aspiring technical types would go through a 'phase' of aggressive exploration and pranking, and so long as they didn't do any serious damage it was regarded as a standard part of the learning process and something they would eventually mature out of once they no longer felt they had to prove

  • by ci13urn (1653273) on Monday April 08, 2013 @12:18PM (#43392281)
    My research suggests there will be a rise of everyday cooks. A simple Google search for "How to Cook" returns over 1 Billion links and videos describing how to cook! This is original news...
  • by Synerg1y (2169962) on Monday April 08, 2013 @12:22PM (#43392319)

    As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks. The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on their first submission for security testing.

    No!

    Email Spear phishing is the leading cause of security breaches, you can patch software all you want, but patching an idiotic user? Good luck on that!

    And 70% sounds a little low, on an intense enough audit (there's many levels), it would look more like 95%.

    • by c0lo (1497653)

      but patching an idiotic user? Good luck on that!

      Well, patching them is not the major problem... it's the necessary reboot after the patch: most of them never come back after that.

  • Wow, a recent google search revealed a search for sql injection netted over 7 million hits and even shows how to do this. This has been well known for at least the last 6 years, next you'll be telling me to beware of Belarc because it will post my serial keys in some hidden page.
  • Leaping to faulty conclusions from spotty data is basically my day job, but it seems these people take it to a new level.

    30% of breaches will be from SQL injections, because that's the percent they found to be vulnerable?

    A certain type of attack will increase because they googled some shit?

    What the actual fuck is this?
  • This is what passes as news on slashdot now? Let's see what's that brady bunch phrase?? oh yeah..... jumped the shark.
  • This reminds me of JK Rowling's "A Casual Vacancy" since this kind of casual hack figures into the plot.

  • "'Little Bobby Tables', we call him..."
  • by David_Hart (1184661) on Monday April 08, 2013 @01:02PM (#43392801)

    I think that most comments are missing the fact that this is an article on a security web site which will be used to sell CEOs on the latest in security platforms. It's pure marketing, which means that it doesn't have to be logical or adhere to real world facts.

    I agree that it should have never made it to Slashdot. However, it is interesting to read silly articles like this from time to time to remind ourselves where management gets their ideas about security.

  • by biodata (1981610) on Monday April 08, 2013 @01:29PM (#43393097)
    Insecure software is insecure
  • by Loosifur (954968) on Monday April 08, 2013 @01:33PM (#43393165)

    "A simple Google search for 'SQL injection hack' provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities."

    Which means that people could be searching to learn what that means because they read or heard it somewhere, or because they want to prevent SQL injection hacks on their site. There are two alternative explanations that don't involve cracking, and I'm sure you can come up with more.

    "Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks."

    The quoted statistic does not prove the subsequent claim. This violates basic principles of logic, and anyone who's taken a statistics course (as all reporters should) would see the problem here. Just because 1/3 of web apps are vulnerable to a given attack does not mean that 1/3 of web apps will subsequently fall victim to said attack. The less horrible way to phrase this would be to say that there's a 1 in 3 probability that future attacks will involve SQL injection, and even that's not born out by the statistic.

    Here's an analogy (non-automotive): 15% of college basketball players are talented enough to be drafted into the NBA, let's say. This does not mean that 15% of college basketball players WILL be drafted into the NBA, nor does it mean, and this is the kicker, that 85% of new NBA players will be talented players coming from somewhere other than college teams. Or, 1/4 of all homes being vulnerable to electrical fires does not mean that 1/4 of all home fires will be electrical.

    • What? Causation != Correlation?

      I find it embarrassing that there are so many SQL injection links out there. Why? It means that those pages aren't filled with kitty pictures!

      After all, it seems that about half of social media posts involve kitties, and if we could just post kitties instead of SQL injection attack links, the world would be so much nicer!

    • and we should really stop talking about this, since it obviously makes the world even more insecure: I just googled for "SQL injection" and lo and behold,

      About 6,790,000 results (0.16 seconds)

      I guess this post makes it +1, I'm really anxious now.

  • Is there a database of SQL injection hacks?
  • Since when have script kiddies been elevated to everyday hackers?
  • Using Google to search for "SQL injection hack" WITH QUOTES results in 138,000 hits. If you search for SQL injection hack without quotes (meaning Google will count pages that have those words anywhere on the page), then you get the 1.74m hits reported.
  • That's the only way to be truly secure. Pay attention to every aspect of your setup.
  • XKCD [xkcd.com]
  • I think that everyone on /. more or less has a good understanding of the terms, it is the media that simplifies the environment to write shorter headlines.
    To clarify:
    Hackers are those that delight in taking something apart and putting it back together again, either in its original form or with some modification to improve the thing in their point of view. Hackers was at one stage those who enjoyed pranks between universities, so there is an implied cheekiness in the execution of this experimental inter
  • Does it surprise anyone TFA is covered in ads for various security "solutions"? Script kiddies have been around forever, this article is just crap content intended to male the site go 'viral'. Why would /. Post this crap?

The degree of technical confidence is inversely proportional to the level of management.

Working...