The hacking of a police website earlier this week is indicative of a lack of secure website development.
Phil Neray, vice president of security strategy for Guardium, claimed that SQL injection is a big problem worldwide, and restricted budgets mean organisations are unable to hire the most sophisticated web developers, which results in security flaws like SQL injection.
The Durham police website was hacked earlier this week with messages posted protesting over terrorist-related deaths in Pakistan. A spokesperson for Durham police told BBC News that an investigation was now under way and the ‘offending matter’ was being removed by computer specialists. A spokesman said: “We are aware of a problem with the force website and the offending matter is being removed. An investigation into how this occurred is under way.”
Neray said: “Since it's now fairly easy to download automated toolkits for finding these flaws, almost anyone can perform these attacks, including politically-minded cybervandals.
“In the case of the Durham Police attack, it's more of an embarrassment and a nuisance, but now you see how organised crime uses the same approach to loot websites for hundreds of thousands of credit card numbers, which they can then sell on the open market for anywhere from 7 to 70 Euros per card. That's the real threat from cyberattacks like SQL injection.”
Amichai Shulman, CTO of Imperva, said: “Our researchers have seen that for a while hackers have been discussing the weak points of the Durham police website including discussions of being able to extract usernames and passwords that are used for the administration of the site.
“This is an unfortunate situation for the police, but does go to show that no one is protected from these kinds of attacks unless the right precautions are taken.”