10 comments

[ 2.8 ms ] story [ 41.7 ms ] thread
> Mr Gonzales used a complicated technique known as an "SQL injection attack" to penetrate networks' firewalls and steal information, the US Department of Justice said.

I'm not at all shocked that a credit card processing company has no regard for security. Also the news media should be banned from using the word "firewall".

Also, SQL injection being described as "complicated"?
(comment deleted)
It sounds a little better than "using a relatively trivial attack known as 'SQL Injection'" :p
I've heard of SQL injection attacks to log into websites, but this new use on firewalls is unprecedented! This man is a hacking GENIUS. We have our next Kevin Mitnick right here...
I really can't believe they called it 'complicated'.
Look we're all hackers here. We know SQL Injection isn't complicated for us, but it is complicated for the majority of the world. In fact, it's probably an impossible task for 95% of the world, and very very difficult for another 4% on top of that, and even the last 1% would have to experiment a bit to figure out which string to submit to get the information.
Do you mean "any company that accepts credit cards" or "banks that issue cards"? In the first case, they care about security because breaches like this get them in hot shit with the banks. And the banks care because they have to refund the fraudulent charges. They probably don't care too much about your privacy, but they definitely would prefer to keep credit card numbers safe.

Also, the usage of firewall is totally appropriate. The firewall kept the bad guys from connecting directly to the database, so they had to bypass/penetrate via the webapp.

I see your point, but saying that a "'SQL injection attack'" was used to "penetrate networks' firewalls" really does conjure the image of somebody setting their IP to "' OR 1=1;".
(comment deleted)