Slashdot Mirror


The Rise of Everyday Hackers

An anonymous reader writes "Research suggests there will be a rise in everyday hackers. A simple Google search for 'SQL injection hack' provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities. The ready availability of this information makes it possible for less technically skilled hackers to take advantage of this common flaw. Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks. The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on their first submission for security testing."

22 of 126 comments

  1. Hacker = Script Kiddie? by Anonymous Coward · Score: 5, Informative

    Really, /. of all places, I'd not expect this particular stupidity.

    1. Re:Hacker = Script Kiddie? by jellomizer · Score: 4, Funny

      Technically, I am more of the old-school definition of Hacker. And these criminals are actually crackers, and deserve to be punched in the face.

      Oh, all high and mighty Hacker, who broke into a website made by some guy on a tight deadline, or in what is probably his first programming job, by using a SQL injection attack. How 7337 are they. By copying and pasting you have shown yourself to be some real computer wiz.

      Sorry. I have no respect for these people. They just make the world a tougher place to live in. Imagine how fast computers would be without layers of security to prevent people from breaking into their systems. But there are so many people who idealize these jerks and think they are something special.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Hacker = Script Kiddie? by morgauxo · Score: 3, Funny

      "But there are so many people who idealize these jerks think they are something special."

      Oh, yeah, script kiddies. All the girls want to have them and the guys want to be them.

    3. Re:Hacker = Script Kiddie? by Synerg1y · Score: 3, Insightful

      That's like saying... imagine a world where I leave my front door open... hope I don't get robbed!

      Also, every time somebody argues the definition of hacker, cracker, and script kiddie you folks are lowering the bar. By definition, none of these three should care less what they're called by the media (real pros define themselves with hats? :P ). In fact, the more obscurity the better.

    4. Re:Hacker = Script Kiddie? by Anonymous Coward · Score: 2

      Maybe I misinterpreted the point of TFA, but I took it as meaning there's something in between, where someone isn't what would have been called a "hacker" in the 1980s, but they might not necessarily be blindly running scripts without understanding them, either. That is, SQL injection attacks on websites are so well known, and well explained, that mainstream people are capable of "getting" it. What ESR calls a "larval stage" hacker might indeed write a script (without merely pasting) that automatically attacks sites, attempting injection on every GET parameter that its crawler detects.

      Even if you have no respect for them, writing the scripts is not something a "script kiddie" does. Call 'em juvenile assholes or worthless-piece-of-shit vandals if you like, but not "script kiddies." I think of script kiddies as people who use attack tools without knowing how the tools work or how to create them.

      Where it gets even more blurry is how the tools have improved. You can be a "programmer" but use the incredibly high-level "batteries included" standard libraries, like what comes with Python. You can crawl a site without knowing how to write a parser. That makes it harder to tell who is what.
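
The summary asserts that SQL injection flaws are easy to identify and fix, and the comment above describes a script that tries injection on every GET parameter a crawler finds. The block below is an added example written for this page, not code from Veracode, the submitter, or any commenter. It assumes a hypothetical `users` table in an in-memory SQLite database (constructed here), puts the string-concatenation bug next to the parameterized fix, and includes a minimal boolean-based differential probe of the kind such a per-parameter script would run; `handler` stands in for an HTTP request with one parameter set to a given value.

```python
import sqlite3

# Constructed sample data for this example; nothing here comes from the original thread.
USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Build an in-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The classic bug: the request value is concatenated into the SQL text,
    so quote characters in it become part of the statement's grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter. The driver sends the statement and the value
    separately, so the value can only ever be compared against the name column."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def probe_parameter(handler, baseline_value):
    """Boolean-based differential check of one parameter, the kind of test a
    per-parameter scanning script would run. `handler` is a hypothetical stand-in
    for a request to the application with that parameter set to the given value.

    Heuristic: if appending a true condition (' AND '1'='1) leaves the response
    unchanged while appending a false condition (' AND '1'='2) changes it, the
    input is being parsed as SQL. Database errors count as distinct responses."""

    def run(value):
        try:
            return handler(value)
        except sqlite3.Error as exc:
            return ("error", type(exc).__name__)

    baseline = run(baseline_value)
    true_case = run(baseline_value + "' AND '1'='1")
    false_case = run(baseline_value + "' AND '1'='2")
    return true_case == baseline and false_case != baseline


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))  # every row in the table
    print("safe:      ", lookup_safe(conn, payload))        # []
    print("probe vulnerable:", probe_parameter(lambda v: lookup_vulnerable(conn, v), "alice"))
    print("probe safe:      ", probe_parameter(lambda v: lookup_safe(conn, v), "alice"))
```

The fix is binding, not escaping: quoting the value by hand still leaves the query assembled from strings and tends to break on the next database, charset or numeric field. Against a live site the probe compares response bodies rather than row lists, so pages with dynamic content (timestamps, ad slots, CSRF tokens) need normalizing first or the heuristic produces false positives; and sending payloads like these to a system you are not authorized to test is exactly the activity the thread is arguing about.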

    5. Re:Hacker = Script Kiddie? by ci13urn · Score: 2

      It's also stupid because it's common sense that Googling something will bring you a how-to. It's also stupid because I read this same article at least twice a month. SQL injection has been, and probably for a long time to come will be, the most commonly exploited vulnerability on the web.

    6. Re:Hacker = Script Kiddie? by Opportunist · Score: 2

      Those "sophisticated attacks" are the tiny minority. I spend my time auditing the security of systems, and the systems where I have to dig deep and bring out the big guns are few and far between, usually found in healthcare or finance (i.e. places where they bother to hire more expensive and knowledgeable people because that's cheaper than the stiff penalties which may include shutting your act down).

      Most systems already break down under an automated attack. Which sadly also means that in security auditing, a lot of snakeoil peddlers are traveling around and showing off cheap tricks that befuddle those that know even less than them about security, but ... well, as long as there are idiots posing as programmers, there will be idiots posing as hackers and of course you'll also find a lot of idiots posing as security experts. Just the natural order of things.

      And yes, I agree, I'd wish I didn't have to waste my time dealing with these monkeys.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. The rise of everyday... fuck, everything really. by rodrigoandrade · Score: 5, Insightful

    If this is what passes for research nowadays, I got some more data. Check out these Google queries and the results... (something, something, think of the children, something).

    "make a bomb" 557,000,000 results
    "rape sister" 99,000,000 results
    "kill mother" 274,000,000 results (funny how "kill mother in law" turns up on Google's autocomplete thingy)
    "cheat taxes" 59,700,000 results

  3. It's called the internet by ci13urn · Score: 5, Insightful

    My research suggests there will be a rise of everyday cooks. A simple Google search for "How to Cook" returns over 1 Billion links and videos describing how to cook! This is original news...

  4. what is this shit by Synerg1y · Score: 2

    As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks. The research also concluded that the leading cause of security breaches and data loss for organizations is insecure software. The report found that 70 percent of software failed to comply with enterprise security policies on their first submission for security testing.

    No!

    Email spear phishing is the leading cause of security breaches. You can patch software all you want, but patching an idiotic user? Good luck on that!

    And 70% sounds a little low, on an intense enough audit (there's many levels), it would look more like 95%.

  5. Re:The rise of everyday... fuck, everything really by geminidomino · Score: 5, Funny

    After setting off every TLA alert system to make a point on slashdot, user "rodrigoandrade" received a midnight visit and was never heard of again.

  6. Who is Veracode and what are they trying to sell? by glwtta · Score: 2

    Leaping to faulty conclusions from spotty data is basically my day job, but it seems these people take it to a new level.

    30% of breaches will be from SQL injections, because that's the percent they found to be vulnerable?

    A certain type of attack will increase because they googled some shit?

    What the actual fuck is this?

    --
    sic transit gloria mundi
  7. Re:The word is cracker, not hacker by fustakrakich · Score: 2, Interesting

    No, a cracker is a thin, crisp wafer often eaten with cheese or other savory toppings.

    --
    “He’s not deformed, he’s just drunk!”
  8. Students by nightfury · Score: 2

    "'Little Bobby Tables', we call him..."

  9. Pure FUD by a security web site... by David_Hart · Score: 5, Insightful

    I think that most comments are missing the fact that this is an article on a security web site which will be used to sell CEOs on the latest in security platforms. It's pure marketing, which means that it doesn't have to be logical or adhere to real world facts.

    I agree that it should have never made it to Slashdot. However, it is interesting to read silly articles like this from time to time to remind ourselves where management gets their ideas about security.

  10. Re:The word is cracker, not hacker by dkleinsc · Score: 5, Funny

    No, "cracker" is a synonym for "honky", although it's arguably correctly spelled "cracka".

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  11. Report finds that by biodata · Score: 2

    Insecure software is insecure

    --
    Korma: Good
  12. Lies, damn lies, and statistics by Loosifur · Score: 3, Insightful

    "A simple Google search for 'SQL injection hack' provides 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities."

    Which means that people could be searching to learn what that means because they read or heard it somewhere, or because they want to prevent SQL injection hacks on their site. There are two alternative explanations that don't involve cracking, and I'm sure you can come up with more.

    "Although SQL injection flaws are easy to identify and fix, Veracode found that 32 percent of web applications are still affected by SQL injection vulnerabilities. As a result, as many as 30 percent of breaches in 2013 will be from SQL injection attacks."

    The quoted statistic does not prove the subsequent claim. This violates basic principles of logic, and anyone who's taken a statistics course (as all reporters should) would see the problem here. Just because 1/3 of web apps are vulnerable to a given attack does not mean that 1/3 of web apps will subsequently fall victim to said attack. The less horrible way to phrase this would be to say that there's a 1 in 3 probability that future attacks will involve SQL injection, and even that's not borne out by the statistic.

    Here's an analogy (non-automotive): 15% of college basketball players are talented enough to be drafted into the NBA, let's say. This does not mean that 15% of college basketball players WILL be drafted into the NBA, nor does it mean, and this is the kicker, that 85% of new NBA players will be talented players coming from somewhere other than college teams. Or, 1/4 of all homes being vulnerable to electrical fires does not mean that 1/4 of all home fires will be electrical.

    --
    This unbiased moderation brought to you by the Porcine Aviation Group!
  13. Re:Hmmmm by JWW · Score: 2

    There used to be...

  14. Re:The rise of everyday... fuck, everything really by SuricouRaven · Score: 3, Insightful

    Attitudes towards potentially dangerous material are often contradictory. For example, in an episode of Mythbusters the team required thermite for an experiment. They made this themselves, in a procedure not shown. The ingredient bottles were blurred out to hide the labels. Jamie sarcastically warned viewers never to mix 'blur' and 'blur.' So clearly, someone at the studio considered this information too dangerous to reveal to the audience, either because it could be used to create a weapon, or because of the risk someone would experiment with it and then sue the studio after they burned their hand off. And yet, this material that so scared the studio is widely known. Not only can it be looked up with ease on the internet, but it's the textbook example of a redox reaction, quite literally the textbook example. When I studied chemistry in a perfectly ordinary public school it was the example in the textbooks, including not just the ingredients but instruction in how to calculate the correct ratio and, thanks to a practical demonstration given by the teacher, instruction in the importance of particle size, the correct safe preparation method and the means of ignition. Does that mean the school chemistry text is a terrorism handbook?

    You probably could use thermite for terrorism too. If it's used to weld rails, it can be used to sever them too. Sever a rail, derail a train. Could kill hundreds of people if you time it right.

  15. Re:Everyday? by SuricouRaven · Score: 2

    "result in is another generation of children [1] too afraid to test limits,"

    That may be the intended result.

    In the early days of the internet, there was a very casual attitude to hackers. It was fully expected that most aspiring technical types would go through a 'phase' of aggressive exploration and pranking, and so long as they didn't do any serious damage it was regarded as a standard part of the learning process and something they would eventually mature out of once they no longer felt they had to prove their skills by such a game. If someone broke your system, you'd fix the hole and silently congratulate someone who'd shown skill, initiative and enthusiasm for the field. Things are very different now. With computers much more involved in high-value commercial and governmental usage, there is much less room to tolerate hacking attempts: that playful, still-learning script kiddie could get lucky and cost the company millions. So attacks that once would have been shrugged off now result in calling in the police and the lawyers.

    Also, Wargames 2 exists: It was a direct-to-DVD sequel generally regarded as an insult to the original.

  16. Obligatory XKCD by OhSoLaMeow · Score: 2
    --
    They can take my LifeAlert pendant when they pry it from my cold dead fingers.