At Blue Hat, David Litchfield of NGS asked me ‘how many of the issues we see are related to SQL injection?’ I did a review of the breach archive here, and found less than half a dozen that seemed decent candidates:
- State of Rhode Island, 4,118 or 53,000 CC, Hacker
- http://www.emergentchaos.com/archives/2005/12/reeves_namepins.html
- USC Admissions, 320,000 SSNs, SQL Injection
- University of Cincinnati, 7,000 SSN, Hacker
- CardSystem Solutions, 40,000,000 CC, hacker
Its not clear if all of these are SQL injection. Some I’m interpreting the lack of understanding or words like “sophisticated hacker.” That’s poor analysis technique, but the best I can do right now. We need to do better to help answer questions of where security resources are best allocated.
In a few weeks, there will be a fairly comprehensive list available of breaches of commercial entities. Stay tuned…
Is the conclusion here to be drawn that there are far fewer SQL injection attacks than we thought, and therefore the threat is overplayed?
I’d bet on observational bias before I’d bet that there are that few SQL injection attacks going on.