Question

1. One research database injection attack: research and discuss the mitigation for that specific threat.
Please show citation.


2. Describe an instance of a data breach that has been made public in the news.
Describe the cause of the breach.

Investigate what mitigation could have been put in place to avoid the data breach.

Homework Answers

Answer #1

question1).

One research database injection attack: research and discuss the mitigation for that specific threat.
Please show citation.

answer)

SQL INJECTION ATTACK

SQL Injection (SQLi) is an injection attack where an attacker executes malicious SQL statements to control a web application’s database server, thereby accessing, modifying and deleting unauthorized data.

In the early days of the internet, building websites was a simple process: no JavaScript, no CSS and few images. But as websites gained popularity, the need for more advanced technology and dynamic websites grew. This led to the development of server-side scripting languages like JSP and PHP. Websites started storing user input and content in databases. MySQL became the most popular and standardized language for accessing and manipulating databases. However, hackers found new ways to leverage the loopholes present in SQL technology. SQL Injection attack is one of the popular ways of targeting databases. SQL Injection targets the databases using specifically crafted SQL statements to trick the systems into doing unexpected and undesired things.

What can SQL Injection do?

There are a lot of things an attacker can do when exploiting an SQL injection on a vulnerable website. By leveraging an SQL Injection vulnerability, given the right circumstances, an attacker can do the following things:

  • Bypass a web application’s authorization mechanisms and extract sensitive information
  • Easily control application behavior that’s based on data in the database
  • Inject further malicious code to be executed when users access the application
  • Add, modify and delete data, corrupting the database and making the application unusable
  • Enumerate the authentication details of a user registered on a website and use the data in attacks on other sites

It all depends on the capability of the attacker, but sometimes an SQL Injection attack can lead to a complete takeover of the database and web application. Now, how does an attacker achieve that?

How do SQL Injection attacks work?

A developer usually defines an SQL query to perform some database action necessary for his application to function. This query has one or two arguments so that only desired records are returned when the value for that argument is provided by a user.

An SQL Injection attack plays out in two stages:

  1. Research: The attacker gives some random, unexpected values for the argument, observes how the application responds, and decides which attack to attempt.
  2. Attack: Here the attacker provides a carefully crafted value for the argument. The application will interpret the value as part of an SQL command rather than merely data, and the database then executes the SQL command as modified by the attacker.

EXAMPLE

Consider the following example in which a website user is able to change the values of ‘$user’ and ‘$password’, such as in a login form:

$statement = "SELECT * FROM user WHERE username = '$user' AND password = '$password'";

This particular SQL statement is passed to a function which in turn sends the string to the connected database where it is parsed, executed and returns a result.

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi: user input is concatenated straight into the statement text
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement
database.execute(sql)

Now, if the input is not properly sanitized by the application, the attacker can easily insert a carefully crafted value as input. For example, something like:

$statement = "SELECT * FROM user WHERE username = 'dean' OR '1'='1'--' AND password = 'Winchesters'";

So, what’s happening here? The highlighted part is the attacker’s input; it contains 2 special parts:

  • OR '1'='1' is a condition that will always be true, thereby it is accepted as a valid input by the application
  • -- (double hyphen) instructs the SQL parser that the rest of the line is a comment and should not be executed

Once the query executes, the SQL injection effectively removes the password verification, resulting in an authentication bypass. The application will most likely log the attacker in with the first account from the query result — the first account in a database is usually of an administrative user.

Note that this is just one way of exploiting the SQL Queries to get the necessary information in an unofficial way. SQL Injection attacks are divided into multiple types.

question2).

Describe an instance of a data breach that has been made public in the news.
Describe the cause of the breach.

Investigate what mitigation could have been put in place to avoid the data breach.

answer)

an instance of a data breach that has been made public in the news.

  • Idaho Power Co. (Boise, ID): Four hard drives sold on eBay in 2006 contained hundreds of thousands of confidential documents, employee names and SSNs, and confidential memos to the CEO.
  • A computer at Loyola University containing names, Social Security numbers, and some financial aid information for 5800 students was disposed of before the hard drive was wiped.
  • The Georgia Dept. of Human Resources notified parents of infants born between 4/1/06 and 3/16/07 that paper records containing parents' SSNs and medical histories -- but not names or addresses -- were discarded without shredding.
  • Boston Globe used recycled paper containing credit, debit card, and personal check routing information for printing and for wrapping newspaper bundles for distribution. As many as 240,000 records were potentially exposed.
  • Photocopiers that were used to copy sensitive medical information were sent to be re-sold without wiping the hard drives. The data was discovered in the warehouse storing the copiers.

mitigation could have been put in place to avoid the data breach.

  • Destroy or securely delete sensitive data prior to re-use or disposal of equipment or media. For information on how to securely delete files, see PC/Mac, or email.
  • Work with Copy Services or ITS to securely erase printers, fax machines and photocopiers before disposal, resale or returning them to the vendor.
  • Shred sensitive paper records before disposing of them. Do not re-use them where the information could be exposed.
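The mitigation the first question asks for, shown as an added example (not part of the answer above): the answer's concatenated login query beside a parameterized version, run against a constructed in-memory SQLite table with the admin account inserted first. The payload is the one the answer quotes; the table, account names and `demo()` helper are assumptions for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: the first row is the administrative account,
    # which is what the answer says an injected login will usually land on.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("dean", "Winchesters")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, uname, passwd):
    # Same pattern as the answer's snippet: input is spliced into the SQL text,
    # so a quote and a comment marker in the username rewrite the statement.
    sql = ("SELECT id FROM users WHERE username='" + uname
           + "' AND password='" + passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, uname, passwd):
    # Mitigation: placeholders. The driver passes the values separately from
    # the statement text, so the input is only ever compared as data and the
    # password check can no longer be commented out.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    payload = "dean' OR '1'='1'--"   # the injected username from the answer
    return {
        "vuln_good": login_vulnerable(conn, "dean", "Winchesters"),
        "vuln_attack": login_vulnerable(conn, payload, "wrong"),
        "safe_good": login_parameterized(conn, "dean", "Winchesters"),
        "safe_attack": login_parameterized(conn, payload, "wrong"),
    }


if __name__ == "__main__":
    for name, user_id in demo().items():
        print(name, "->", user_id)
```

With the concatenated query the injected username logs in as id 1 (admin) despite a wrong password; the parameterized query returns no row for the same input.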