
New keys to your confidential databases

Ross O. Storey | May 19, 2009
Infrastructure and network security is fine, but what about your enterprise applications?

Last week in Singapore, I watched while hackers blithely drilled into the back-end databases of a US video rental company's website, extracting subscriber names, e-mails and telephone numbers.

The exercise took about 10 minutes and they told me they could easily find credit card numbers if they had more time.

They did this simply by using Standard Query Language (SQL), which they typed into the top URL address bar of the company's website. They told me that this language is what most computer programmers learn in their training, and anyone with this knowledge can use it to interrogate back-end databases to find out confidential information.

In other words, an enterprise's front-door web page is too often an open back door into its valuable databases. Our guest hackers simply added some letters and symbols after the URL address and, by reading the information provided in the error pages that came up, were able to retrieve the names of specific files, which they then used to interrogate the database further and find tables of information.
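The two defects the demonstration relied on, as an added illustration that is not code from the article or from HP's demo: a URL parameter pasted straight into a SQL statement, and a raw database error handed back to the browser. The subscriber table and its rows are constructed sample data; the hardened lookup shows the fix (type validation, parameter binding, a generic error message).

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for a site's subscriber database (sample rows).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (id INTEGER, name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?, ?, ?)", [
        (1, "Alice Example", "alice@example.com", "+65-0000-0001"),
        (2, "Bob Example", "bob@example.com", "+65-0000-0002"),
    ])
    return conn

def lookup_vulnerable(conn, raw_id):
    # The URL parameter is concatenated into the statement, so whatever the
    # visitor typed is parsed as SQL rather than treated as a value.
    sql = "SELECT name, email FROM subscribers WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def vulnerable_error_text(conn, raw_id):
    # Returns the driver's own error message for the vulnerable path, i.e. the
    # text an unhandled exception would put on the error page, or None if no error.
    try:
        lookup_vulnerable(conn, raw_id)
        return None
    except sqlite3.Error as exc:
        return str(exc)

def lookup_hardened(conn, raw_id):
    # 1. Validate the expected type before touching the database.
    try:
        sid = int(raw_id)
    except ValueError:
        return {"error": "invalid id"}
    # 2. Bind the value as a parameter: it can never change the statement.
    # 3. Replace any driver error with a generic message; log details server-side.
    try:
        rows = conn.execute(
            "SELECT name, email FROM subscribers WHERE id = ?", (sid,)
        ).fetchall()
    except sqlite3.Error:
        return {"error": "lookup failed"}
    return {"rows": rows}
```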

The hackers were not wearing black hats; they were actually employees of the world's biggest software company, HP. And they gave their demonstration live from Atlanta, Georgia in the US, while I spoke directly to them from Singapore using HP's amazing HP Halo Telepresence system, installed in a specialised room. The so-called hackers were in Atlanta in the US, I was in Singapore, and the exercise was also being watched, or listened to, by IT officials in India and Australia.

Real-time global conference

HP organised this four-nation telepresence video conference linking cities across the globe.

These professional hackers were Billy Hoffman, HP's manager of its web security research group, and Prajakta Jagdale and Matt Wood, both senior security researchers with the same HP group.

The point of the exercise was to show that attacking applications was the new wave of security threats to major enterprises across the world.

Network and infrastructure security were now relatively old hat, said the HP experts; the new kid on the block for hackers was application security, directly exploiting the many software vulnerabilities that come with the latest programmer rush to develop snazzy Web applications, all too many of which have security holes.

Security is not the major concern of Web developers, and more and more lay people are becoming Web developers because it's getting easier.

The point is, say these professional hackers, that application security now requires a whole lifestyle approach. Developers need to fix software faults much earlier in the process, and applications need to be properly stress-tested, monitored and tested across their whole lifecycle.

Asia Pacific's unique position

On the good news front, Hoffman said he believes countries in the Asia Pacific are in a unique position because they can leapfrog issues suffered by other major developing economies. Just like many Chinese people jumped straight to owning mobile phones, rather than having land lines first, Asia Pacific economies could adopt information security at a much faster rate.
