Three security threats you'll never have heard of

NEWS Company networks could soon be subjected to a host of as-yet unheard of high-tech attacks, according to David Wray, the MD of Sec-Tec, an independent security consultancy. Security expert Wray said although most companies are aware of viruses, worms, Trojans and Denial of Service (DOS) attacks, many IT departments have never heard of such threats as input validation attacks, SQL injection or reverse channel Trojans. Wray said: "These methods of attack have not been widely reported, but there is evidence they can easily take place. Most of the attacks exploit the vulnerabilities caused by developers' oversights, as it is impossible to build software where every single possibility is taken into consideration." Input validation attacks - common to C-based languages such as C# - allow hackers to trick the remote system running any programme and take control of the server. SQL injections attack middleware and cause the SQL server to create a fake name and an address filed in the middleware database where, for example, credit card details could be stored. The attacker can then send a command requesting all the information in that database. The reverse channel Trojans are far more vicious than regular Trojans, which can be stopped by firewalls. Once the reverse channel Trojan has got inside a system via an attachment or a download, the Trojan initiates an outbound connection. This connection can be made to look like a normal FTP/web connection, normally permitted by firewalls, allowing the attacker to take control of the system remotely.