The year 2008 can be viewed as the year of the SQL injection attack, according to IBM's Internet Security Systems "X-Force 2008 Trend Statistics" report issued Monday.
"SQL injection, in particular, took off in 2008," says X-Force researcher Tom Cross, noting that the annual trend report concludes that 55% of all vulnerability disclosures made by vendors affected Web applications, a number that does not include custom-developed Web applications. Of those vulnerability disclosures, SQL injection-related vulnerabilities jumped 134% to replace cross-site scripting as the predominant type of Web application vulnerability last year.
So it comes as no surprise that attacks against websites vulnerable to SQL injection rose from an average of a few thousand per day at the beginning of 2008 to several hundred thousands per day by year end, the IBM report notes.
In fact, news reports of 2008 did chronicle the occurrences of massive SQL-injection attacks that spanned the globe, sometimes causing huge disruption to organisations that had not patched applications or deployed defensive measures such as Web-application firewalls.
The IBM security-trends report also identifies other notable events in 2008, including the shutdown on Nov. 11th of the California-based Web hoster McColo by two upstream ISPs, Hurricane Electric and Global Crossing.
McColo had been a major source of spam production in the United States, and its "takedown," as IBM refers to it, was an event that had an impact in terms of spam volumes originating in the United States.
Just days before the McColo takedown, the United States had been ranked the No. 1 spot worldwide at 14.2% of spam production, followed by Russia, Turkey, Spain and Brazil. But after the McColo takedown, the United States immediately dropped to third place at 8%, with China suddenly surging to top place at 12.7%, the IBM report says.
But in the mercurial world of spam production, things can change quickly and Brazil ended up as the top spam generation spot by year-end with 11.7% of global production. The United States stood at 8.1%, followed by China at 6.6%, Turkey at 5.7% and Russia at 5.7%. "Looks like Brazil is now taking the lead as a source of spam," Cross said.