Week 11: SQL Injection

Hacking an API endpoint is the web request sibling of SQL injection. It is a place where SQL Injection best practices  – parameterization and sanitization of input can be bypassed by directly interacting with a server in JSON or XML (or whatever vernacular your endpoint may spit out)

This would have interested me also…partner.steamgames.com/partnercdkeys/assignkeys/

This (and another more ~classic~ SQL injection attack) were discovered by a HackerOne guy who received bounties for his efforts and the full disclosure to the Steam company.

https://www.zdnet.com/article/steam-bug-could-have-given-you-access-to-all-the-cd-keys-of-any-game/

https://hackerone.com/reports/383127

https://partner.steamgames.com/

https://partner.steampowered.com/login/?goto=%2F

Despite the fact that phishing is not by any means a new phenomenon, people are still falling victim to phishing attacks, and in greater numbers. According to this articles, phishing attacks are up by 297 percent in Q3 2018. Mainly, these attacks are being used to trick customers into revealing their credit card and login information to perpetrators. According to the article, fake apps and fake social media profiles are also on the rise by almost 500%. These sources can also be used to trick and deceive consumers into revealing personal information. One thing that really jumps out to me is that Phishing attacks aren’t really technically sophisticated. They don’t require you to hack into hardware or even use the command line. You just need to convince someone that you are someone else and not a bad guy.

https://www.securitymagazine.com/articles/89512-phishing-attacks-up-by-297-percent-in-q3-2018

A fired Chicago Schools employee copied a database containing the personal information of around 70,000 people involved with CPS before she left her office for the last time. It is believed that she did this in retaliation for being fired. Thankfully, it doesn’t seem as if the information was used or disseminated in any way, but the potential damage that could be accomplished with that amount of personal information is extremely substantial. People with criminal records could be blackmailed, for example, under threat that their record would be released in a public place. It seems as if the Chicago Schools has a very reliable system in place for detecting these breaches because the former employee only had possession of the information for 24 hours before they were arrested. Companies should be aware that this is a very real and dangerous threat.

https://www.securitymagazine.com/articles/89553-fired-chicago-schools-employee-causes-data-breach

This is kind of a related post but I’ve been very interested in the ways hackers can interfere in an election, so I’m going to write about it from another angle. Security experts were very optimistic about this year’s voting systems’ integrity. When asked why, an expert from IBM explained that Russian interference in the 2016 elections were actually not very technically sophisticated, but consisted of spear phishing, which we have covered in class. Spear Phishing involves sending an email from what appears to be a trusted sender in order to induce the victim to respond with highly confidential information. This actually has nothing to do with hacking a voting machine. Thus, perceivably, the solution to this spear phishing actually doesn’t involve these machines, but improved employee training, so that people don’t fall for these kinds of attacks in the future.

https://www.cbsnews.com/news/midterm-election-hacking-cybersecurity-experts-think-we-should-trust-results/

There were tons of people worrying about cyber hacking in this recent midterm election cycle. Concerns about Russian, Chinese, and even North Korean hacking dominated the concerns of voting organizers. However, remarkably, no serious attempts at hacking the election/voting mechanisms were detected, at least according to major news reports about the matter. This article focuses on the state of Utah, which has highly prioritized cyber security in its elections. In fact, they were one of the first states to coordinate with DHS and the FBI to ensure the integrity of their voting systems. Perhaps the fact that more states took serious measures to protect themselves deterred would-be hackers?

https://www.deseretnews.com/article/900040705/election-night-why-utahs-cybersecurity-team-was-on-high-alert.html