Breach case could curtail Web flaw finders
Robert Lemos, SecurityFocus 2006-04-26

Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.

Breach case could curtail Web flaw finders 2006-05-29
Anonymous
This should, but likely will not, serve as a wakeup call for banks, educational institutions, and private businesses that posting an insecure public website on the internet should be a felony. A web database that can be exploited by the SQL Injection hack has a DBA and network sysadmin who need to be fired ASAP. The crime is that nobody at USC tested the vulnerability of the database internally. I presume that USC has a BSc and MSc program in Computer Science. Here's a suggestion for other universities: hire some of your best undergrad and grad CS students to conduct vulnerability testing on all the institution's public and intranet website databases; have them sign NDAs; pay them a bounty for all vulnerabilities found. Once they proved their worth - if I were an enterprising university official - their services could be offered to other institutions on a fee basis as a security 'tiger team'.
