David Litchfield Asked Me
(Posted by adam)
At Blue Hat, David Litchfield of NGS asked me 'how many of the issues we see are related to SQL injection?' I did a review of the breach archive here, and found less than half a dozen that seemed decent candidates:

- State of Rhode Island, 4,118 or 53,000 CC, Hacker
- http://www.emergentchaos.com/archives/2005/12/reeves_namepins.html
- USC Admissions, 320,000 SSNs, SQL Injection
- University of Cincinnati, 7,000 SSN, Hacker
- CardSystem Solutions, 40,000,000 CC, hacker

Comments
In a few weeks, there will be a fairly comprehensive list available of breaches of commercial entities. Stay tuned...
Posted by: Allan Friedman | March 15, 2006 5:34 PM
Is the conclusion here to be drawn that there are far fewer SQL injection attacks than we thought, and therefore the threat is overplayed?
Posted by: Iang | March 19, 2006 2:47 PM
I'd bet on observational bias before I'd bet that there are that few SQL injection attacks going on.
Posted by: Adam | March 19, 2006 2:59 PM