Dutch authorities have shuttered a transit website after a hacker demonstrated it gave him access to addresses, birthdates, and other sensitive information belonging to some 168,000 passengers. Ironically, Ervaar het OV, which translates to "Experience the OV," was intended to promote the use of smartcards on the OV system by …
Are you shitting me?
An SQL injection attack? Really? Is this where we *still* are? Whomever wrote that system needs to be flogged with several extraneous semicolons.
"An SQL injection attack? Really? Is this where we *still* are? Whomever wrote that system needs to be flogged with several extraneous semicolons."
Security takes *effort* and *always* works badly if its bolted on.
This has been known for *decades*.
They could have at least had the courtesy to put it on a dvd to lose it.
Remember this is government IT, so it was done on the cheap. They got some people to make the site. It's probably their first main site and since they just learnt about SQL and databases, they didn't bother to read about security. They did some code and saw it works and then just submitted it without bothering to learn about secure code. That's the problem with easy "programming languages" and those who do not learn secure coding or proper programming techniques.
M$ and SQL
Or they have only been using a datasource such as Access, which isn't subject to SQL injection attacks and this was the first client they had that insisted on a SQL server because that's what M$ told them to use...
why assume M$?
this problem happens just as easily with PHP and MySQL or Java and Oracle. Before you assume it's MS go check
hmmm... Don't think MS SQL runs here...
Apache/2.2.11 Unix mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.0
re: sql injection attacks
Yes, this still where we are, along with PHP. Never mind the attack method, or secure coding, or programming language simplicity, these are still the foundations for websites\servers. Security is another issue altogether. I'm thinking the implications are more a reflection on the mindset of the sites owner, or their attitude towards their users information security, the attack is just a byproduct that highlights that.
Only 168,000 ?
Amateurs, in every respect.
Par for the course
Note that what they're promoting is the "OV Chipkaart", powered by the U1tr4 H4xx0r-pr00f Mifare Classic.
One quick google for "sql security test suite"...
Don't trust the client software.
> SQL injection flaws are the result of poorly written web applications that fail to vet user-supplied input before passing it to back-end systems.
Yes and no - the security needs to be present on the back-end systems too, or what's to stop people circumventing the front-end system entirely and just sending their own hand crafted queries and commands to the back end.
Server software shouldn't assume it's talking to a friend.
- Analysis Oh no, Joe: WinPhone users already griping over 8.1 mega-update
- Opportunity selfie: Martian winds have given the spunky ol' rover a spring cleaning
- OK, we get the message, Microsoft: Windows Defender splats 1000s of WinXP, Server 2k3 PCs
- Spanish village called 'Kill the Jews' mulls rebranding exercise
- NASA finds first Earth-sized planet in a habitable zone around star