'Rasputin' Hacks 60 Universities And Government Agencies

Not open for further replies.
I get universities might have some issues as they are ran cheep but that statement "The problem is that many groups--from tech companies like Yahoo and LinkedIn" I doubt is true. Most I know of has software to do penetration tests and part of that is testing for SQL injection. I know who I work for does that even for internal applications on the local network. Its rather pathetic these days that people even write code without using bind variables that prevent this in the first place.

For example placing something like this in the password box: mypass or 1=1

When the backend query is written it will run a select on the table containing the hash password and 1 always equals 1 so it lets you in. Simply using a bind variable in the code prevents this type of hack as everything in the text box becomes the password i.e. "mypass or 1=1" gets passed as only the password not part of the query.

Long story this was pathetic crappy code that wasn't penetration tested which is so simple to do today with the various software packages.


Utterly shocking that some large organisations are still vulnerable to SQLi. This is very easy to prevent (i.e. good coding practices). Additionally, there are numerous free tools they could use to test an online database. How do they think the hacker was able to select them? If these organisations allow things like
' OR '1'='1' /*
in an input box (and there are other injection attack types) to alter a query, and they are holding personal/CC info then they should be accountable in court.


Jun 4, 2012
I stopped reading when I hit this line

The EAC database breach was the result of SQL Injection (SQLi), an attack that is technically easy, but expensive to defend.
That's such an obvious mistake that I refuse to read the rest. I doubt the veracity of the rest of the story if someone puts out this kind of misinformation.
Not open for further replies.