SQL injection is currently a widely used exploit for breaking into servers. What caught my attention is not the novelty of the hack itself but the fact that a pen-test tool was used to carry out this particular exercise.
Pen-test tools are a double-edged sword: they can protect you and your infrastructure, but the probability of their being used by hackers is just as high, since these tools bundle all the algorithms needed for a hack.
The point of contention is this: when such tools are freely available and an organization is not willing to have its infrastructure pen-tested by a professional, it can at least have its own admins run a pen-test against it. Weeding out the easy problems early ensures one thing: automated tools will not succeed in finding anomalies, and the hacker will have to sweat it out to gain access. Nothing is 100% security compliant, nor can anyone claim to be hacker-proof.
Though this blog post is pro-hacker, all I want to say is: make it difficult for them, take some initiative, be proactive.
The US Public Broadcasting Service (PBS) was hacked a few hours ago using Havij, a freely available tool for pen-testing SQL injection, and its database was made available online. Owning the server itself, however, was done using a 0day vulnerability.
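As an added illustration of the "easy problem" an admin's own pen-test should weed out (example code written for this post, not from the original post or from Havij), here is a lookup that splices a request parameter straight into SQL, beside the parameterised form that an automated injection tool cannot bend; the table, rows and inputs are constructed.

```python
import sqlite3


def make_db():
    # Constructed sample data: one public article and one unpublished draft.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Public story", 1), (2, "Draft: not for release", 0)],
    )
    return conn


def lookup_vulnerable(conn, article_id):
    # The easy problem: the raw request parameter becomes part of the SQL text,
    # so anything the client sends is parsed as SQL, not treated as a value.
    sql = "SELECT title FROM articles WHERE published = 1 AND id = " + article_id
    return [row[0] for row in conn.execute(sql + " ORDER BY id")]


def lookup_hardened(conn, article_id):
    # Parameterised query: the driver binds the input as data, so a tautology
    # like "1 OR 1=1" is compared against the id column as a literal string
    # and matches nothing.
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (article_id,))]


def demo():
    # Returns what each variant discloses for a benign and a tampered parameter
    # (the tampered value is the classic tautology that scanners probe with).
    conn = make_db()
    benign, tampered = "1", "1 OR 1=1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tampered": lookup_vulnerable(conn, tampered),
        "safe_benign": lookup_hardened(conn, benign),
        "safe_tampered": lookup_hardened(conn, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

In the vulnerable variant the tampered parameter returns the unpublished draft as well, which is exactly the kind of dump an automated tool produces; the parameterised variant returns nothing for it.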
Hacked Site: http://www.pbs.org/lulz/
This reaffirms the thought: nothing is 100% secure.
- PBS.org was not owned by SQL, although to make things faster/easier for us we used Havij to dump db/tables in a nice html format.
- PBS.org was owned via a 0day we discovered in mt4 aka MoveableType 4.