450,000 website hacks every day
Posted by Robert Siciliano
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
You could be surfing the net without a care in the world, when you get a virus.
IBM Internet Security Systems discovered 50% more web pages infected in the last quarter of 2008 than in the entire year of 2007.
The infection is called a SQL injection. According to Wikipedia, a "SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application."
In other words, a SQL injection is a virus or bug that affects an application that is not properly coded or secured. There are many different configurations of various software used to build and run a website. An example would be the common WordPress blog platform that many use and that has been found to be vulnerable. This is just one of hundreds of applications that can be hacked in this way.
In 2005, a now-defunct third-party payment processor called CardSystems suffered a SQL injection, compromising a reported 40 million credit cards.
Since that time, criminal hackers have multiplied their efforts. SQL injections have evolved in their purpose and sophistication. Originally meant as a tool to attack a merchant's database and steal data, the attack was reconfigured last summer to install viruses on users' computers that contain a remote control component.
Matt Chambers with Corporate IT Solutions says, "Web applications are one of the most outward facing components a corporation contains in its network design, and one of the least protected. Applications typically take input information and send it to a database for storage and processing. We interact with these kinds of applications every day, whether it's a signup form or a login page for a favorite networking site."
The attack on the user's PC is simple. This type of attack is often called a "drive-by," because sometimes all the user needs to do is surf the site. Many of the attacks take place during common web tasks such as watching videos, listening to music or downloading files.
The unsuspecting PC user surfs an infected site and bam, code is injected onto their PC and they are infected. Their PC becomes part of a "botnet," which is a robot network of computers specifically designed for hacking.
Bots, the infected PCs, are also known as zombies. Zombies, as a result of the SQL injection, generally have a virus installed that gives the hacker control from anywhere in the world. The "botnet" can consist of 10 PCs, 10,000 PCs or into the hundreds of thousands. Studies show there are potentially millions of zombies globally, all part of numerous botnets. 
Lax security practices by consumers and small businesses are giving scammers a base from which to launch attacks. Botnet hackers set up phishing websites targeting well-known online brands. They send junk emails and install redirection services to deliver viruses, malware and keyloggers.
USA Today reports IBM Internet Security Systems blocked 5000 SQL injections every day in the first two quarters of 2008. By midyear, the number had grown to 25,000 a day. By late fall, attacks climbed to 450,000 daily.
The key to identity theft protection and preventing your computer from becoming a zombie is to engage in every update for every browser and media player that you use, keeping your operating system updated and using anti-virus software such as McAfee Total Protection. You should also consider an identity theft protection service.
See identity theft speaker Robert Siciliano discuss SQL injections here.
Robert Siciliano is CEO of IDTheftSecurity.com , an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of 2 books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.
2 Responses to “450,000 website hacks every day”

January 27th, 2011 at 2:01 pm
[...] our job with solutions that are easy to deploy and manage. NY Times/Nextag blog on web site hacking: Full Story. Matthew Chambers, a Systems Security Engineer, with Corporate IT Solutions says, "Web [...]
February 24th, 2013 at 10:59 pm
"…In other words, a SQL injection is a virus…"
In blatantly incorrect words, sure. In words that are accurate, SQL injection is a means by which a client machine run by someone with malicious intent (or, really, anyone who accidentally chances on SQL syntax) can extract information from a database the inputs to which are unsanitized.
As anyone with even basic information security knowledge could tell you.
Or just anyone who's written any code at all could tell you.
Or even just anyone who bothered to read the entire damned Wikipedia article would know.
…Moving on to the next offense to common decency in this article…
"…the attack was reconfigured last summer to install viruses on users' computers that contain a remote control component."
Reconfigured? This is not a subtle or sophisticated attack. SQL injection, at its subtlest and most sophisticated, has all the subtlety and sophistication of trying to punch someone really hard in the face.
And… it installed things on users' computers? How? It is fundamentally an attack used to access/modify database entries. On webservers. So, unless by 'users' you mean 'sysadmins' and by 'install viruses … that contain a remote control component' you mean 'find [likely encrypted] pieces of user information', you're about as far from accurate as Columbus was from the West Indies.
"The unsuspecting PC user surfs an infected site and bam, code is injected onto their PC and they are infected. Their PC becomes part of a "botnet," which is a robot network of computers specifically designed for hacking."
You really should have read the rest of that Wikipedia article, instead of just copypasting the first sentence. You've somehow managed to confuse SQL injection with a cross between XSS and drinking unicorn blood.
"Zombies, as a result of the SQL injection, generally have a virus installed that gives the hacker control from anywhere in the world."
Zombies, as a result of SQL injection, generally cannot exist. The zombie-making SQL attack is, like the perpetual motion machine, not something likely to be hitting shelves anytime soon.
"The key to identity theft protection and preventing your computer from becoming a zombie is to engage in every update for every browser and media player that you use, keeping your operating system updated and using anti-virus software such as McAfee Total Protection. You should also consider an identity theft protection service."
Every update? So… not just security patches? What if the update creates a massive security hole? As happened in [insert name of one of the many examples you can easily find using Google here]?
And why not also suggest exercising caution about browsing habits rather than just saying 'pay for all these extra things, some of which I sell (link)'?
…And, larger question…
How, when you clearly have no knowledge of computing whatsoever (please feel free to argue the point- I haven't had a good laugh in ages), do you feel you have the right to give anyone advice on anything to do with computing?
Especially security?
Security is the thing you learn once you already have a firm grasp of the basics. You do not have a firm grasp of the basics. I'm not saying you need to learn circuit theory (because, hey, frequency-domain math is hard… for some people), but at least knowing the difference between a server and a browser would certainly help pass you off as only unremarkably incompetent (since here you clearly seem remarkably incompetent; hence the remarks).