LAS VEGAS -- With so much attention focused on database security these days, organizations should be aware that the latest SQL injection threat, called an inference attack, may be able to deliver up their databases on a silver platter.
Though inference attacks require multiple steps and may look complicated on the surface, in reality they're quite simple to execute and many organizations could be vulnerable, said security researcher David Litchfield during last week's Black Hat Briefings in Las Vegas.
"We basically infer the value of data in the database server by making observations about artificial circumstances we create -- like
causing an error message," said Litchfield, managing director at Surrey, U.K.-based Next Generation Security Software Ltd. "We create it and then observe the error message or the absence of one. When we join multiple requests together, we get the data we're seeking."
He said such attacks successfully target SQL Server, Oracle and IBM's DB2.
"Very easily, with a couple of simple queries, we can start playing with your backend database," Litchfield explained. "So while it seems like you've got to do all these weird and wonderful things -- and that seems quite complicated -- it's not. Especially when you consider how easy it is to do compared to breaking through the firewall, gaining access to the host and hopping over to the backend, which is a much more complex proposition than just going straight through the Web application."
Tim Burke, an information security manager for an international insurance company was among conference attendees who told SearchSecurity.com he believed his systems are patched against SQL injection attacks. While that is quite possible, Litchfield cautioned organizations to be aware that there are multiple weak points for extracting such data.
"A lot of people think [an attacker] can't get data out because they're not returning any data, they've stripped out things like OpenRowSet or XP Mail, etc., but you can get data out by using inference," Litchfield said. "It's now raised the threat level again. Rather than thinking I don't need to patch because they can't get data out anyway, we've now changed the risk proposition."
If your organization wants to prevent inference attacks, Litchfield has some suggestions.
"The best way to mitigate the risk of SQL injection is to firstly design a robust application that doesn't accept user input to SQL queries without being sanitized, don't use dynamic queries and on the backend work with the principle of least privilege," Litchfield recommended. "Any sensitive data, such as credit card information stored in a database, should always be encrypted."
While the attack may be easy to execute, it does leave signs.
"Such a query leaves a large number of responses -- about 500 -- in log files," Litchfield said. "If you're not questioning that when you see it, you're in the wrong line of business."