The Rise of Everyday Hackers
An anonymous reader writes "Research suggests there will be a rise in everyday hackers. A simple Google search for 'SQL injection hack' provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities. The ready availability of this information makes it possible for less technically skilled hackers to take advantage of this common flaw. Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks. The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on their first submission for security testing."
Hacker = Script Kiddie? (Score:5, Informative)
Really /. of all the places I'd not expect this particular stupidity.
Re:Hacker = Script Kiddie? (Score:5, Funny)
Technically I am more of the old school definition of Hacker. And these criminals are actually crackers, and deserve to be punched in the face.
Oh all high and mighty Hacker, who broke into a website, made by some guy on a tight deadline, or is probably their first programming job. By using a SQL injection attack. How 7337 are they. By copying and pasting you have shown yourself to be some real computer wiz.
Sorry. I have no respect for these people. They just make the world a tougher place to live. Imagine how fast computers will be without layers of security to prevent people from breaking into their systems. But there are so many people who idealize these jerks and think they are something special.
Re:Hacker = Script Kiddie? (Score:4, Funny)
"But there are so many people who idealize these jerks think they are something special."
Oh, yeah, script kiddies. All the girls want to have them and the guys want to be them.
Re: (Score:2)
You just didn't want to slow down your own supply of bitcoin! :-)
The professionals just know that their code does not have any SQL injections and it will be impossible to have an SQL injection anywhere in their code due to sane use of the DB, code review, etc. monitoring of fellow programmers. ;)
Re: (Score:2)
...due to sane use of the DB, code review...
How primitive. Just enforce it with the language, in the type system, or with AOP (which is virtually the same thing from a certain point of view).
Re:Hacker = Script Kiddie? (Score:4, Insightful)
That's like saying... imagine a world where I leave my front door open... hope I don't get robbed!
Also, every time somebody argues the definition of hacker, cracker, and script-kiddie you folks are lowering the bar. By definition, neither of these 3 should care less what they're called by the media (real pros define themselves with hats? :P ). In fact, the more obscurity the better.
Re: (Score:1)
Imagine how fast I could enter and leave my home/car/office if I didn't lock the door!
Re: (Score:2)
Ridiculous analogy because people aren't leaving their networks open. Some of these exploits take a sophisticated understanding of protocols to figure out even if the exploit itself is a simple piece of code or series of interactions.
And, this is my problem with the glorifying of hackers we get on Slashdot. Those of us with jobs in the industry have to waste our time dealing with these monkeys, while a certain subset here thinks it's the admin's fault that you found an exploit by trawling torrent sites al
Re: (Score:2)
I was mainly responding to...
Imagine how fast computers will be without layers of security to prevent people in breaking into their systems
And btw it is beyond a reasonable doubt the admin's fault somebody is browsing torrent sites off the company network at night.
1. why is VPN access not audited? (why does nobody see somebody getting in at night for non-work reasons)
2. why are the torrent sites not blocked? Even a simple blacklist can accomplish 99% of this.
Leave security to human nature and tendencies and in my analogy you might as well not bother with the front door... or frame for that matter.
Re: (Score:3)
Those "sophisticated attacks" are the tiny minority. I spend my time auditing the security of systems, and the systems where I have to dig deep and bring out the big guns are few and far between, usually found in healthcare or finance (i.e. places where they bother to hire more expensive and knowledgeable people because that's cheaper than the stiff penalties which may include shutting your act down).
Most systems already break down under an automated attack. Which sadly also means that in security auditing,
Re: (Score:2)
Maybe I misinterpreted the point of TFA, but I took it as meaning there's something in between, where someone isn't what would have been called a "hacker" in the 1980s, but they might not necessarily be blindly running scripts without understanding them, either. That is, SQL injection attacks on websites are so well known, and well explained, that mainstream people are capable of "getting" it. What ESR calls a "larval stage" hacker might indeed write a script (without merely pasting) that automatically at
Re: (Score:2)
Idealizing the attacker? No. But likewise, not absolving the idiot who built the insecure webpage in the first place. A "tight schedule" is NO excuse for the crap that doubles today as security layer. Most of the things I find in webpages these days can easily be avoided without additional programming effort, all it takes is KNOWING something about SQL instead of copying/pasting the crap off the net.
Re: (Score:1)
Cracker as a pejorative term to describe Black Hats is just not going to catch on as a term used by professional media. It's been a derogatory term referring to rural white US Southerners for over 150 years and became a widespread racial epithet towards white people in general over 50 years ago.
Re: (Score:2)
Oh all high and mighty Hacker, who broke into a website, made by some guy on a tight deadline, or is probably their first programming job.
Neither of which is an excuse for leaving an SQL open to be injected. I'm shocked that in this day and age 1/3 of the applications have this vulnerability.
Re: (Score:1)
The art of hacking is mostly lost today; the word is used cheaply. It's really an insult to anyone who is a real hack, whether on the good side or the bad.
Agreed. The misuse of the term hacker is akin to the misuse of the term hero these days. Real hackers don't even break into other computer systems. Real hackers see an interesting piece of software in action and think to themselves "How does that work?"...then they implement the functionality themselves to learn how it works. This is the approach I took years ago when Lotus 1-2-3 style menus were popular and I had just finished reading a book about the C language. I implemented a complete screen manageme
Re: (Score:2)
Bah. The old time hackers bypassed security and broke into computer systems all the time. You know the story of the Fortran version of Zork? One DEC hacker broke the security on the source directory, then brute-force decrypted the source code, and another DEC hacker translated the source into Fortran.
Re: (Score:1)
Actually no - they are too busy tinkering with something to post videos on YouTube - and not giving themselves ridiculous names like viRuS or bLaCkD34Th
Re: (Score:2)
Well, considering how programming gets easier, it's just logical that hacking programming gets easier too. When you have people who don't know what they're doing and just following rote and rule creating programs, you can have people who don't know what they're doing exploiting their weaknesses.
It's the logical conclusion when you forgo basic knowledge and basic computing skills. That's what happens when cargo cult programming and copying/pasting from code snippets and samples becomes the norm. Of course, s
Re: (Score:1, Interesting)
No it isn't. The word is Hacker. Cracker is someone who removes DRM protection from games and other software.
Re: (Score:2)
The jargon file is more how they were used. Language changes, especially in tech circles.
Re: (Score:1)
Dumb:
Adjective
(of a person) Unable to speak, most typically because of congenital deafness. (Irony - look it up)
Verb
Simplify or reduce the intellectual content of something so as to make it accessible to a larger number of people.
Fuck:
Verb
vulgar. Have sexual intercourse with (someone).
Noun
vulgar. An act of sexual intercourse.
Exclamation
vulgar. Used alone or as a noun the fuck or a verb in various phrases to express anger, ann
Re: (Score:2, Interesting)
No, a cracker is a thin, crisp wafer often eaten with cheese or other savory toppings.
Re:The word is cracker, not hacker (Score:5, Funny)
No, "cracker" is a synonym for "honky", although it's arguably correctly spelled "cracka".
Re: (Score:2)
No.
A cracker is a cowboy in Florida with a whip that he 'cracks' to encourage his cattle to move on demand.
A honkey is a racial slur for white people.
You probably also think Redneck is a racial slur. Neither Cracker nor Redneck is a racial slur; they define a working class of people, and race/color is irrelevant.
If you're going to be a bigot, at least get your fucking racism and prejudice right.
Re: (Score:2)
For the record, I'm using slurs that could be and have been said targeting me. It's like Chris Rock saying the n-word.
Re: (Score:2)
It makes no difference. According to the fanatic who replied to you, you are a racist because you believe that "cracker" is a racial slur.
It makes no difference to him or her that "cracker" is currently used as a racial slur. He/she pretends that "cracker" still retains its original meaning (assuming that "Cracker" really did originate as a Floridian term for a cowboy). Even if you were wrong about "cracker" being a racial slur, I can't see how that would make you a bigot anyway. But that's the thing, man
Re: (Score:1)
A hacker is someone who modifies the function / flow of code / hardware - to re-purpose something into something else for their own benefit.
To create code that will modify the stack of a program; to alter the hex of a binary is really the domain of a hacker.
To crack something is to really use code to solve a problem - crack a code; perform brute forcing.
There is an overlap when one breaks lic
Re: (Score:2)
I never really got that fight. Hacker, cracker, ... do I need a label?
War hero, murderer, same shit. I know it's easier and faster to just read the label instead of looking at the whole story and make up your mind accordingly... oh look what I'm saying, people supposed to make up their own mind. Do they still do that? I think it went out of fashion. Today we prefer to just read the label on a person. It's easier.
But I guess I finally get the PC craze. If it is so important what label is attached to us, and
Not hacker; not cracker, JACKER (Score:1)
I'm in the old-school camp where "hacker"s are clever and not necessarily malicious.
"cracker" has the much-noted redneck connotation.
"jacker", partially from hijacker, is preferable. I guess I'd be satisfied with "cracker-jacker", too.
Please ./ (Score:1)
remove this article
The rise of everyday... fuck, everything really. (Score:5, Insightful)
If this is what passes for research nowadays, I got some more data. Check out these Google queries and the results... (something, something, think of the children, something).
"make a bomb" 557,000,000 results
"rape sister" 99,000,000 results
"kill mother" 274,000,000 results (funny how "kill mother in law" turns up on Google's autocomplete thingy)
"cheat taxes" 59,700,000 results
Re:The rise of everyday... fuck, everything really (Score:5, Funny)
After setting off every TLA alert system to make a point on slashdot, user "rodrigoandrade" received a midnight visit and was never heard of again.
Re: (Score:2)
no, just censor it. Wait for it, it's coming.
Re: (Score:1)
Half of those are blogs with no content and linkspam. Another chunk is what I'm guessing are wordfiles for cracking passwords. Another chunk will not have the search term anywhere on the page for some reason, even though it showed it in the summary.
much better.
Re: (Score:2)
With news indicating "how easy it is to find how to make a bomb online" or even running an article explaining it [guardian.co.uk], and on the other hand geeks making references to little Bobby Tables, what do you expect but people going around and confirming it for themselves?
Re:The rise of everyday... fuck, everything really (Score:4, Insightful)
Attitudes towards potentially dangerous material are often contradictory. For example, in an episode of Mythbusters the team required thermite for an experiment. They made this themselves, in a procedure not shown. The ingredient bottles were blurred out to hide the labels. Jamie sarcastically warned viewers never to mix 'blur' and 'blur.' So clearly, someone at the studio considered this information too dangerous to reveal to the audience - either because it could be used to create a weapon, or because of the risk someone would experiment with it and then sue the studio after they burned their hand off. And yet, this material that so scared the studio is widely known. Not only can it be looked up with ease on the internet, but it's the textbook example of a redox reaction - quite literally the textbook example. When I studied chemistry in a perfectly ordinary public school it was the example in the textbooks, including not just the ingredients but instruction in how to calculate the correct ratio and, thanks to a practical demonstration given by the teacher, instruction in the importance of particle size, correct safe preparation method and means of ignition. Does that mean the school chemistry text is a terrorism handbook?
You probably could use thermite for terrorism too. If it's used to weld rails, it can be used to sever them too. Sever a rail, derail a train. Could kill hundreds of people if you time it right.
Re: (Score:1)
"Who's There?"
"The FBI"
Congratulations - I hope you don't plan on leaving the country any time soon.
Re: (Score:2)
"I gave at the office"
Re: (Score:1)
Rape Sister is so the name of my next band.
Everyday? (Score:2)
Re: (Score:1)
What I am concerned about is even though SQL injections are a common attack, which doesn't take a lot of skill to take advantage of, it can result in one unexpected consequence.
It wouldn't be hard for a LEO to make honeypots. Then when some junior level people run the scripts, their info is saved aside, and then at a later date after a DA has plenty of time to make a firm case, mass arrests, Operation Sun Devil style are made, and multiple times.
Yes, attempting to break into something is a crime, but what
Re: (Score:3)
"result in is another generation of children [1] too afraid to test limits,"
That may be the intended result.
In the early days of the internet, there was a very casual attitude to hackers. It was fully expected that most aspiring technical types would go through a 'phase' of aggressive exploration and pranking, and so long as they didn't do any serious damage it was regarded as a standard part of the learning process and something they would eventually mature out of once they no longer felt they had to prove
Its called the internet (Score:5, Insightful)
what is this shit (Score:3)
As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks. The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on their first submission for security testing.
No!
Email spear phishing is the leading cause of security breaches. You can patch software all you want, but patching an idiotic user? Good luck with that!
And 70% sounds a little low, on an intense enough audit (there's many levels), it would look more like 95%.
Re: (Score:2)
but patching an idiotic user? Good luck on that!
Well, patching them is not the major problem... it's the necessary reboot after the patch: most of them never come back after that.
A Bit Late (Score:2)
Who is Veracode and what are they trying to sell? (Score:3)
30% of breaches will be from SQL injections, because that's the percent they found to be vulnerable?
A certain type of attack will increase because they googled some shit?
What the actual fuck is this?
Amazing... (Score:1)
Re: (Score:1)
But "Little House on the Prairie" almost sounds like something the bronies would go for. So let's just keep quiet about it.
LOL ... (Score:2)
This reminds me of JK Rowling's "A Casual Vacancy" since this kind of casual hack figures into the plot.
Students (Score:2)
Pure FUD by a security web site... (Score:5, Insightful)
I think that most comments are missing the fact that this is an article on a security web site which will be used to sell CEOs on the latest in security platforms. It's pure marketing, which means that it doesn't have to be logical or adhere to real world facts.
I agree that it should have never made it to Slashdot. However, it is interesting to read silly articles like this from time to time to remind ourselves where management gets their ideas about security.
Report finds that (Score:3)
Lies, damn lies, and statistics (Score:4, Insightful)
"A simple Google search for 'SQL injection hack' provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities."
Which means that people could be searching to learn what that means because they read or heard it somewhere, or because they want to prevent SQL injection hacks on their site. There are two alternative explanations that don't involve cracking, and I'm sure you can come up with more.
"Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks."
The quoted statistic does not prove the subsequent claim. This violates basic principles of logic, and anyone who's taken a statistics course (as all reporters should) would see the problem here. Just because 1/3 of web apps are vulnerable to a given attack does not mean that 1/3 of web apps will subsequently fall victim to said attack. The less horrible way to phrase this would be to say that there's a 1 in 3 probability that future attacks will involve SQL injection, and even that's not borne out by the statistic.
Here's an analogy (non-automotive): 15% of college basketball players are talented enough to be drafted into the NBA, let's say. This does not mean that 15% of college basketball players WILL be drafted into the NBA, nor does it mean, and this is the kicker, that 85% of new NBA players will be talented players coming from somewhere other than college teams. Or, 1/4 of all homes being vulnerable to electrical fires does not mean that 1/4 of all home fires will be electrical.
Re: (Score:2)
What? Causation != Correlation?
I find it embarrassing that there are so many SQL injection links out there. Why? It means that those pages aren't filled with kitty pictures!
After all, it seems that about half of social media posts involve kitties, and if we could just post kitties instead of SQL injection attack links, the world would be so much nicer!
Re: (Score:1)
About 6,790,000 results (0.16 seconds)
I guess this post makes it +1, I'm really anxious now.
Hmmmm (Score:1)
Re: (Score:2)
talk about recursive
Re: (Score:3)
There used to be...
What? (Score:1)
Re: (Score:2)
You don't follow the news on TV, do you?
Re: (Score:2)
It's actually simple, and it's amazing that so many people don't bother to follow it: Every input must be sanitized. User input as well as data input from a source outside your system. A good example for the latter may be the original animated cursor exploit, where MS was stupid enough to actually trust the file's claim of how big its data area is going to be (and store it on the stack... don't ask, it boggles the mind). ANY input you allow into your system may include some kind of attack. And the easiest way
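Added example, not code from the thread: the spliced-SQL lookup this comment warns about beside its parameterised form, plus a single choke-point check in the spirit of the earlier "enforce it with the language" reply; the users table and names are constructed here.

```python
import sqlite3

# Constructed sample table; names and roles are made up for this example.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    # The flaw: untrusted text is spliced into the SQL, so it can change the query.
    # It is also simply buggy: a legitimate apostrophe breaks the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Bound parameter: the driver sends `name` as a value, never as SQL text.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def execute_policy(conn, sql, params=()):
    """Enforce 'no literals in SQL text' at the one place that talks to the DB.

    Any quote character in the statement means a value was spliced in rather
    than bound, so the call is refused before it reaches the database.
    """
    if "'" in sql or '"' in sql:
        raise ValueError("SQL text contains a literal; bind it as a parameter instead")
    return conn.execute(sql, params)


def demo():
    """Run both lookups against three inputs; 'SQL error' marks a failed statement."""
    conn = make_db()
    results = {}
    for label, fn in (("vulnerable", find_user_vulnerable), ("safe", find_user_safe)):
        for user_input in ("bob", "bob' OR '1'='1", "o'brien"):
            try:
                results[(label, user_input)] = fn(conn, user_input)
            except sqlite3.OperationalError:
                results[(label, user_input)] = "SQL error"
    return results


def policy_blocks_spliced_sql():
    """True when the policy gate refuses spliced text but runs the bound form."""
    conn = make_db()
    try:
        execute_policy(conn, "SELECT name FROM users WHERE name = 'bob'")
        return False
    except ValueError:
        pass
    rows = execute_policy(conn, "SELECT name FROM users WHERE name = ?", ("bob",)).fetchall()
    return rows == [("bob",)]


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, value)
    print("policy gate works:", policy_blocks_spliced_sql())
```

The vulnerable lookup returns every row for the injected input and fails outright on a real name with an apostrophe, while the bound form returns exactly the matching row in both cases.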
Actually 138K hits, not 1.74m hits (Score:1)
The devil is in the details. (Score:2)
Obligatory XKCD (Score:2)
Lets Define these things then (Score:2)
To clarify:
Hackers are those that delight in taking something apart and putting it back together again, either in its original form or with some modification to improve the thing in their point of view. Hackers was at one stage those who enjoyed pranks between universities, so there is an implied cheekiness in the execution of this experimental inter
Slashvertisement (Score:2)