Compass sheds light on the credit card fraud scandal

August 21, 2009

A computer hacker from Miami (USA) is accused of credit card fraud on a grand scale: data from more than 130 million credit cards is affected. According to the latest findings, the attackers exploited SQL injection vulnerabilities to install malware on the victims' systems. It is so far the largest data theft on record. The techniques were cunning enough to disguise the attacks and to bypass the protective mechanisms of the affected companies.

SQL injection means smuggling attacker-chosen SQL into the queries an application sends to its database, typically through ordinary input fields or URL parameters in the browser. According to OWASP (Open Web Application Security Project) it is one of the most common web vulnerabilities, and one that "secure programming" prevents outright: the application must never build a query by concatenating user input into the SQL text. Input validation helps as a second layer, but the decisive measure is to pass user values as bound parameters, so the database can never interpret them as SQL. In Java this is done with prepared statements (PreparedStatement with "?" placeholders); with Oracle, stored procedures serve the same purpose, provided they bind their arguments rather than assembling dynamic SQL from them internally.

If the source code is not available for fixing the problem at its root, or the manufacturer has not yet provided a patch, placing a Web Application Firewall (WAF) in front of the application is a sensible stopgap. Unlike a traditional firewall, which looks at network packets, addresses and ports, a WAF inspects the content of HTTP requests (URL, parameters, headers, body) and can detect and block known attack patterns such as SQL injection. It should be treated as a temporary shield rather than a fix: signature-based rules can be evaded by obfuscated payloads, so the vulnerable code still has to be corrected.
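The following is an added example, not code from the original article or from Compass: it puts the two preceding paragraphs into running form. A login query built by string concatenation is shown beside its parameterized counterpart (Python's sqlite3 binds parameters the same way a Java PreparedStatement does), and a deliberately naive pattern filter stands in for a WAF rule so that a payload which evades it can be demonstrated. The user table, card numbers, rule set and payloads are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data (not from the original article).
USERS = [
    ("alice", "s3cret", "4111111111111111"),
    ("bob", "hunter2", "5500000000000004"),
]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Query assembled by concatenation: user input becomes part of the SQL.
    Deliberately injectable; shown only as the 'before' picture."""
    sql = (
        "SELECT name, card FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Same query with bound parameters (the prepared-statement approach):
    the values travel separately from the SQL text, so quotes, comments
    and keywords inside them are never parsed as SQL."""
    sql = "SELECT name, card FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# Naive signature rules standing in for a WAF (assumption: real WAFs use far
# richer rule sets, normalisation and scoring, but the lesson is the same).
NAIVE_WAF_RULES = [
    re.compile(r"'\s+or\s+", re.IGNORECASE),   # quote, whitespace, OR
    re.compile(r"--"),                          # SQL line comment
    re.compile(r"union\s+select", re.IGNORECASE),
]


def naive_waf_blocks(value):
    """True if a request parameter matches one of the naive rules."""
    return any(rule.search(value) for rule in NAIVE_WAF_RULES)


def login_behind_naive_waf(conn, name, password):
    """The vulnerable login placed behind the naive filter."""
    if naive_waf_blocks(name) or naive_waf_blocks(password):
        return "blocked"
    return login_vulnerable(conn, name, password)


def demo():
    """Run every variant once and return the results keyed by scenario."""
    conn = make_db()
    # Classic payload: closes the quote, adds a true condition, comments
    # out the password check.
    classic = "' OR 1=1--"
    # Same logic written to slip past both rules above: C-style comments
    # instead of whitespace, no '--', and the template's closing quote is
    # reused to terminate the string.  Placed in the password field, the
    # query becomes: ... AND password = ''/**/OR/**/'1'='1'
    evasive = "'/**/OR/**/'1'='1"
    return {
        "vuln_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, classic, "x"),
        "safe_injected": login_safe(conn, classic, "x"),
        "waf_classic": login_behind_naive_waf(conn, classic, "x"),
        "waf_evasive": login_behind_naive_waf(conn, "alice", evasive),
        "safe_evasive": login_safe(conn, "alice", evasive),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:14s} -> {result}")
```

The concatenated query leaks every row for both payloads, the filter stops only the first one, and the parameterized query returns nothing in either case. That is the practical difference between a WAF rule (blocks what it recognises) and a prepared statement (removes the bug).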

Improving security skills and preventing attacks with Compass courses

In order to give customers detailed technical guidance on preventing such incidents, Compass offers, in addition to hack & learn events, seminars and online trainings with SQL injection examples. These are available on the security portal www.hacking-lab.com. In a hands-on laboratory, participants become acquainted with, among other things, the OWASP Top 10 web security vulnerabilities and learn the appropriate countermeasures.

Contents of the Compass web security course

- OWASP Top 10 security vulnerabilities
- Authentication attacks
- Session fixation attacks
- Session prediction attacks
- Cookie security
- Cross Site Scripting
- Cross Site Tracing
- Cross Site Request Forgery
- Second Order Injection
- Simple and advanced SQL Injection
- URL Redirection Attacks
- Authorization Bypass Attacks
- Application Logging/Forensics
- XML Injection, XPath Injection
- JSON Hijacking
- Click Jacking/Surf Jacking
