SQL injection continues to trouble firms, lead to breaches

By Robert Westervelt, News Editor
18 Aug 2009 | SearchSecurity.com

Security Wire Daily News
SQL injection, one of the most basic and common attacks against websites and their underlying databases, offers an easy entry point for cybercriminals, according to security experts.

The hackers responsible for the largest data security breach in U.S. history allegedly used a SQL injection attack. A coding error was cited as the starting point in the indictment handed down against a Miami man and two Russian hackers, allegedly enabling them to bilk Heartland Payment Systems Inc. and Hannaford Brothers Co. of more than 130 million credit and debit card numbers.

But security experts say that while SQL injection errors are relatively easy to find – as simple as finding a poorly coded input field in a Web form – they are often difficult and costly to fix. A vulnerability scan is likely to turn up thousands of errors that lend themselves to SQL injection, said Gary McGraw, chief technology officer of Cigital Inc., a software security and quality consulting firm.

"Sometimes there's one problem that results in a thousand possible cross-site scripting issues and if you fix that problem they'll all be fixed, but that's not always the case," McGraw said. "There have been a lot of bugs that built up behind the dam and now we're seeing the dam starting to rumble."

McGraw is referring to the fact that only now has the software development lifecycle started to mature to the point where developers have enough security skills and keep security in mind when they build applications. Other experts agree and point to the financial industry, where many of the major financial firms have put secure software development procedures into practice. Still, new and popular programming languages, including Flash and JavaScript, are at greater risk for vulnerabilities because their software runs on end-user machines rather than on a server.

Jim Molini, a Microsoft security professional, has been a CISSP for more than 15 years and is also a key architect of the new Certified Secure Software Lifecycle Professional (CSSLP) certification. Molini, who was formerly vice president of Data Security at First USA Bank, said developing a common standard to drive people to focus on security in the software development lifecycle could make it harder in the long run for cybercriminals to steal sensitive data by exploiting coding vulnerabilities. Companies understand that they need to improve software security, Molini said, but they want to be able to measure what they're doing against other firms.

"You don't necessarily want to have an audit standard for software security yet, because I'm worried that it would reduce the amount of innovation that you could do," Molini said. "If you train your people to a certain skill level, that's going to pay off huge."

While a new generation of programmers hones its security skills to develop more hardened systems, vulnerabilities in current and older systems remain a major problem. SQL injection attacks, one of several popular Web-based attacks, come in many forms, some more sophisticated than others, said John Harrison, a security researcher and group product manager for Symantec Security Response. Like picking apples from a tree, attackers are choosing the lowest-hanging branches, Harrison said. Last year, Trojan.Asprox was programmed to use search engines to find potentially vulnerable websites. The Trojan ended up infecting thousands and fueled a wave of SQL injection attacks. Experts who track Web-based attacks say the number of SQL injection attacks has declined since last year, but estimate that up to 16% of all websites are vulnerable to attack.

"These types of errors can be difficult to get a handle on, which is why we see new problems come up every day," Harrison said.

The resulting holes can be used by a hacker to send additional SQL instructions, which may then be passed directly into the backend database, Harrison said. Hackers can simply set up drive-by download attacks against website visitors or download additional malware that finds deeper vulnerabilities leading to more sensitive data.
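To make the "poorly coded input field" concrete, here is an added example (not code from the article or from any vendor quoted in it) that builds a constructed SQLite user table and runs the same lookup two ways: with the input spliced into the SQL text, so extra instructions reach the database exactly as Harrison describes, and with a bound parameter, so the input can only ever be treated as a value.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a Web application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "4111-XXXX-0001"), ("bob", "4111-XXXX-0002")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # The coding error: the form field is concatenated into the statement, so a
    # quote character in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT username, card FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Hardened form: the statement text is fixed; the driver binds the input as
    # data, so no content of the field can change what the database executes.
    sql = "SELECT username, card FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    conn = make_db()
    benign = "alice"
    # Constructed hostile input: a closing quote followed by a tautology, the
    # simplest form of the "additional SQL instructions" the article describes.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),      # one row, as intended
        "vuln_hostile": lookup_vulnerable(conn, hostile),    # every row leaks
        "param_benign": lookup_parameterized(conn, benign),  # one row
        "param_hostile": lookup_parameterized(conn, hostile),# no such username
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The same fix applies to every concatenated query a scan turns up, which is why McGraw's point about one root cause behind thousands of findings matters: the remediation is a pattern change, not a thousand individual patches.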

"Many times a company has a custom application back-ending to a Web server, so it's very specific to their environment," Harrison said. "There are many tools the bad guys are using to find and exploit a SQL injection hole to get their malicious code on there."

Missing from the federal indictment handed down Monday is the technique used by Albert Gonzalez, the alleged mastermind behind the Heartland and Hannaford attacks. Gonzalez, along with two others, is also charged for his role in the successful attacks against the TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In a blog entry, Chris Wysopal, co-founder and chief technology officer of secure application testing vendor Veracode, has written several theories as to how the Hannaford and Heartland attackers gained entry.

"Once an attacker has the tiniest foothold through a perimeter it can often be leveraged to compromise an entire organization," Wysopal said. "Thinking that attackers who find a Web vulnerability will only be able to manipulate Web transactions deprioritizes the risk inappropriately. Sometimes a Web vulnerability gives them the whole enchilada."

Companies are realizing that it is easier and more cost effective to eliminate software coding errors during development rather than after a system has been deployed, said Richard Wang, manager of Sophos Labs U.S.

"In many cases these are apps written in house and generally by developers whose first thought is not security," Wang said. "These problems can get quite complex if you're fixing it later."

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy