SQL injection attacks still enable breaches, all these years later
An indictment unsealed in Newark, N.J. last week listed SQL injection as the network infiltration method for 12 of 17 corporations that were fleeced of roughly 160 million credit card numbers in a seven-year-long hacking campaign that ended last year.
The attack method has been on the radar of security pros for more than 15 years, yet organizations still are struggling mightily with shoring up their code defenses.
But what is SQL injection and why is it still such a powerful attack method for hackers?
SQL stands for structured query language and is a programming language designed for managing data. SQL injection typically involves an attacker inputting SQL statements into an entry field that will force the system to execute potentially malicious commands, such as, for example, allowing illicit access to a credit card database.
“In a nutshell, it's about breaking out of the data context and entering the query context,” software architect Troy Hunt wrote in a recent post on his website. Hunt has written several reports on injection-based attacks and always emphasizes the severe, potentially reputation-damaging, effects the attacks have on organizations.
A successful SQL injection exploit can read sensitive data from a database, modify that data, execute administration operations on a database or, in some cases, issue commands to an operating system, according to the Open Web Application Security Project (OWASP).
WhiteHat Security founder Jeremiah Grossman and Bill Curtis, senior vice president and chief scientist with software analysis and measurement firm CAST, both recommended to SCMagazine.com penetration testing as a mandatory quality assurance practice.
Curtis said corporations must not expedite code writing for their go-to services – he said businesses are not saving much time anyway since 40 percent of programming efforts are rework – and added that automated technology has advanced to a point of greatly helping sniff out vulnerabilities.
“There's more than 600 million active websites and we're still cleaning up [poorly written] code from six years ago,” Grossman said, adding this is due, in part, to companies still spending too much security dollars on perimeter-focused technologies, like anti-virus and firewalls.
Curtis additionally expressed concerns over an increasing demand for programmers. He said many inadequately trained programmers are being hired despite having received little education and added that appropriate training should be mandatory for every IT or computer science degree.
The tide eventually will turn, Grossman said.
“SQL injection will never go away entirely, but in a few years it'll be a footnote,” he said, adding hackers will likely turn to attacking mobile devices as defenses improve on the home computing front.
The OWASP website offers up some best defenses against SQL attacks, including use of parameterized queries instead of dynamic queries, to ensure an attacker is unable to change query intent, in addition to the use of stored procedures that require developers to define the SQL code first and pass parameters after.
“Each parameter that comes from a client has to be evaluated and protected so that it cannot potentially inject any SQL,” David Topping, vice president of global marketing with security provider Brainloop, told SCMagazine.com. “Having this as a central method that cannot be circumvented protects the application best and avoids someone having to protect each new function individually.”