Beyond the top-level design of ever-improving laws and regulations, related institutional frameworks and industry standards, using technical measures to protect data security, prevent hacker attacks and cut off the hackers' "database dumping" path has also become a necessary step in safeguarding internet finance security.
Rapid7 has gone public with news of an e-commerce SQL injection vulnerability, saying it couldn’t raise a response from the vendor.
The software in question, SmartVista, is an e-commerce and financial product from BPC Banking, and in this post, Rapid7 says it told the company about the issue back in May 2017.
The US CERT Coordination Centre and SwissCERT joined the security company’s effort to alert the Switzerland-based vendor in July and August, ahead of yesterday’s disclosure.
While exploiting the vulnerability needs authenticated access to the front end (SmartVista’s transactions), the attacker can pass through to much more sensitive data: “A successful exploitation can yield sensitive data, including usernames and passwords of the database backend”.
That’s because the front end doesn’t sanitise the card number or account number input fields used in the transaction module.
An attacker adept at scripting could go a long way, the post explains:
“To access usernames and encrypted passwords in the DBA_USERS table of database SYS (Oracle specific), one could craft a series of database queries to ask true/false statements such as ‘Does the first character, of the first row, in the user’s column start with a?’

“On a true response, the transaction values would be returned, indicating that the first character does indeed start with ‘a’. On a false reply, no data would be returned, and the automated system could move on to the next character. This could continue until the full username has been discovered, as well as the password.”
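Added illustration (not code from the Register post, Rapid7's advisory or BPC's product): a minimal Python/SQLite model of the flaw described above. The table and column names (`transactions`, `db_users`, `card_number`) are assumptions standing in for the real schema, and a SQLite `substr` over a constructed users table stands in for the Oracle `DBA_USERS` lookup quoted above. The unsanitised lookup lets the true/false probe the post describes change what the query returns, while the bound-parameter version treats the same input as an ordinary card-number string and returns nothing.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema; names and rows are made up for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE transactions (id INTEGER PRIMARY KEY, card_number TEXT, amount REAL);
        INSERT INTO transactions VALUES (1, '4111111111111111', 12.50);
        INSERT INTO transactions VALUES (2, '5500000000000004', 99.00);
        -- stand-in for the sensitive credentials table the post mentions
        CREATE TABLE db_users (username TEXT, password_hash TEXT);
        INSERT INTO db_users VALUES ('admin', 'hash-placeholder');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, card_number: str):
    # Vulnerable pattern: user input is pasted straight into the SQL text,
    # so a quote in the input ends the literal and the rest becomes SQL.
    sql = f"SELECT id, amount FROM transactions WHERE card_number = '{card_number}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, card_number: str):
    # Hardened pattern: the driver binds the value separately from the
    # statement, so the input can never change the query's structure.
    return conn.execute(
        "SELECT id, amount FROM transactions WHERE card_number = ?", (card_number,)
    ).fetchall()


# The boolean probe from the post: "does the first character of the
# username start with 'a'?"  Appended to a valid card number.
PROBE_TRUE = "4111111111111111' AND substr((SELECT username FROM db_users),1,1)='a"
PROBE_FALSE = "4111111111111111' AND substr((SELECT username FROM db_users),1,1)='b"


def demonstrate() -> dict:
    """Return what each lookup style answers for a clean input and both probes."""
    conn = build_demo_db()
    return {
        "vulnerable_true_probe": lookup_vulnerable(conn, PROBE_TRUE),    # row comes back
        "vulnerable_false_probe": lookup_vulnerable(conn, PROBE_FALSE),  # nothing: the oracle
        "parameterised_true_probe": lookup_parameterised(conn, PROBE_TRUE),  # nothing either way
        "parameterised_clean": lookup_parameterised(conn, "4111111111111111"),
    }


if __name__ == "__main__":
    for name, rows in demonstrate().items():
        print(f"{name}: {rows}")
```

The point of the two probe inputs is the oracle the post describes: with the unsanitised query the presence or absence of a transaction row answers the question about the credentials table, whereas the parameterised query never evaluates the injected condition at all.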
安全前线 (Security Frontline): focusing on the human factor in information security
Since there’s no public acknowledgement of the bug, Rapid7 suggests companies using the software contact BPC Banking. Suitable Web application firewalls could help block SQL injection attempts.
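As an added example of the compensating control the last sentence points at (not code from the post, Rapid7 or any vendor), a small Python detector run over constructed access-log lines: it inspects the `card_number` and `account_number` query parameters, which the example assumes should be digits only, flags anything else, and reports a client that repeats such requests as likely boolean probing. Parameter names, paths, IP addresses and the threshold are all made up for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (combined-log style). Two normal lookups from one
# client and three probe-style requests from another; all values invented.
SAMPLE_LOG = """\
10.0.0.5 - alice [20/Sep/2017:10:01:01 +0000] "GET /transactions?card_number=4111111111111111 HTTP/1.1" 200 512
10.0.0.9 - bob [20/Sep/2017:10:01:02 +0000] "GET /transactions?card_number=4111111111111111%27%20AND%20substr%28%28SELECT%20username%20FROM%20db_users%29%2C1%2C1%29%3D%27a HTTP/1.1" 200 512
10.0.0.9 - bob [20/Sep/2017:10:01:03 +0000] "GET /transactions?card_number=4111111111111111%27%20AND%20substr%28%28SELECT%20username%20FROM%20db_users%29%2C1%2C1%29%3D%27b HTTP/1.1" 200 0
10.0.0.9 - bob [20/Sep/2017:10:01:04 +0000] "GET /transactions?account_number=123%27%20AND%20substr%28%28SELECT%20username%20FROM%20db_users%29%2C2%2C1%29%3D%27d HTTP/1.1" 200 0
10.0.0.5 - alice [20/Sep/2017:10:01:05 +0000] "GET /transactions?account_number=9876543210 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Fields that carry card or account numbers (assumed names for this example).
WATCHED_PARAMS = ("card_number", "account_number")

# Classic SQL metacharacters and keywords; used only to label why a value
# was flagged, the primary check is simply "not all digits".
SQL_HINT_RE = re.compile(r"(?i)(['\";]|--|/\*|\b(select|union|and|or|substr)\b)")


def parse_line(line: str):
    """Parse one log line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes values, so the SQL text is visible here.
    rec["params"] = {k: v[0] for k, v in parse_qs(urlsplit(rec["target"]).query).items()}
    return rec


def suspicious_params(params: dict) -> dict:
    """Return watched parameters whose value is not a plain number, with a reason."""
    flagged = {}
    for name, value in params.items():
        if name not in WATCHED_PARAMS or value.isdigit():
            continue
        reason = "sql-metacharacters" if SQL_HINT_RE.search(value) else "non-numeric"
        flagged[name] = (value, reason)
    return flagged


def scan(log_text: str, threshold: int = 2):
    """Return (hits, probing_ips): each flagged request, and clients over the threshold."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flagged = suspicious_params(rec["params"])
        if flagged:
            hits.append((rec["ip"], rec["user"], flagged))
            per_ip[rec["ip"]] += 1
    probing = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return hits, probing


if __name__ == "__main__":
    hits, probing = scan(SAMPLE_LOG)
    for ip, user, flagged in hits:
        print(ip, user, flagged)
    print("probable boolean probing from:", probing)
```

Because the probe technique in the post needs one request per candidate character, the repetition count per client is a stronger signal than any single payload pattern; a filter keyed on the field's expected format (digits only) also catches variants that avoid obvious SQL keywords.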
Exposure of customer data not only harms customers' privacy; more importantly, it damages the company's own reputation, causing the loss of customers and forfeiting future competitive advantage. Collecting and processing customer identity information therefore calls for care, security protections must be in place, and that starts with the security awareness of internal staff.