Durham Police website hacked by SQL injection

In his/her posting, the cybervandal, left a message of: "Ur security sucks UK police this is my revenge against u."

"U are the one who are blasting bomb in Pakistan. Ur security is zero". the posting added.

In an official statement, Durham Police said that an investigation into what happened is under way and the "offending matter" has been removed by computer specialists.

Imperva, the data security specialist - who monitor websites for hacker activities, - said the the police portal appears to be vulnerable to SQL injection attacks.

SQL injection attacks - aka SQL insertion attacks - are a type of code injection technique that exploits a security vulnerability occurring in the database layer of an application.

The vulnerability is present when user input is either incorrectly filtered for `string literal' escape characters embedded in SQL statements or user input that is not correctly typed and therefore executes in an unexpected manner.

"Our research shows that the website does have vulnerabilities which could lead to the recent attack", said Amichai Shulman, Imperva's chief technology officer.

"Our researchers have seen that for a while hackers have been discussing the weak points of the Durham police website including discussions of being able to extract usernames and passwords that are used for the administration of the site", he added.

"This is an unfortunate situation for the police, but does go to show that no one is protected from these kinds of attacks unless the right precautions are taken."

What’s Hot on Infosecurity Magazine?