Lately I’ve been thinking about how successful exploitation and compromise of sensitive information has evolved over the years.
Sure, social engineering has been around a long time; Kevin Mitnick was a master of it. But a lot of the damage done and information stolen didn’t even require social engineering. Even just a few years ago, amateur hackers and skiddies (script kiddies) could gain access to thousands, hundreds of thousands, and even millions of valid credit card records belonging to very real people. SQL injection and XSS vulnerabilities were (and some still are) commonplace among many international governments and companies. Teenagers could sit at home, read a simple tutorial on SQL injection, gain access to an unbelievable amount of sensitive information, deface websites, sell that information underground, and cause businesses plenty of headaches. Only after years of news headlines, great sites for education on vulnerabilities and best practices, and even many discussions on whether companies should be held liable for massive security breaches have companies begun to really take security seriously.