
SQL injection continues to trouble firms, lead to breaches

Security experts see the secure software development lifecycle improving, but legacy applications and Web server flaws continue to offer a rich treasure trove for attackers.


SQL injection, one of the most basic and common attacks against websites and their underlying databases, offers an easy entry point for cybercriminals, according to security experts.

The hackers responsible for the largest data security breach in U.S. history allegedly used a SQL injection attack. The indictment handed down against a Miami man and two Russian hackers cited a coding error as the starting point of the attack, which allegedly let them steal more than 130 million credit and debit card numbers from Heartland Payment Systems Inc. and Hannaford Brothers Co.

But security experts say that while SQL injection errors are relatively easy to find – as simple as finding a poorly coded input field in a Web form – they are often difficult and costly to fix. A vulnerability scan is likely to turn up thousands of errors that lend themselves to SQL injection, said Gary McGraw, chief technology officer of Cigital Inc., a software security and quality consulting firm. 


"Sometimes there's one problem that results in a thousand possible cross-site scripting issues, and if you fix that problem they'll all be fixed, but that's not always the case," McGraw said. "There've been a lot of bugs that built up behind the dam, and now we're seeing the dam starting to rumble."

McGraw is referring to the fact that only now has the software development lifecycle started to mature to the point where developers have enough security skills to keep security in mind when they build applications. Other experts agree and point to the financial industry, where many of the major financial firms have put secure software development procedures into practice. Still, code written for newer and popular client-side platforms, including Flash and JavaScript, is at greater risk of vulnerabilities because it runs on end-user machines rather than on a server the company controls.

Jim Molini, a Microsoft security professional, has been a CISSP for more than 15 years and is also a key architect of the new Certified Secure Software Lifecycle Professional (CSSLP) certification. Molini, who was formerly vice president of Data Security at First USA Bank, said developing a common standard to drive people to focus on security in the software development lifecycle could make it harder in the long run for cybercriminals to steal sensitive data by exploiting coding vulnerabilities. Companies understand that they need to improve software security, Molini said, but they want to be able to measure what they're doing against other firms.

"You don't necessarily want to have an audit standard for software security yet, because I'm worried that it would reduce the amount of innovation that you could do," Molini said. "If you train your people to a certain skill level, that's going to pay off huge."

While a new generation of programmers hones its security skills to develop more hardened systems, vulnerabilities in current and older systems remain a major problem. SQL injection attacks, one of several popular Web-based attacks, come in many forms, some more sophisticated than others, said John Harrison, a security researcher and group product manager for Symantec Security Response. Like picking apples from a tree, attackers are choosing the lowest-hanging branches, Harrison said. Last year the Trojan.Asprox was programmed to use search engines to find potentially vulnerable websites. The Trojan ended up infecting thousands of sites and fueled a wave of SQL injection attacks. Experts who track Web-based attacks say the number of SQL injection attacks has declined since last year, but estimate that up to 16% of all websites are vulnerable to attack.

"These types of errors can be difficult to get a handle on, which is why we see new problems come up every day," Harrison said.

The resulting holes can be used by a hacker to send additional SQL instructions, which may then be passed directly into the backend database, Harrison said. Hackers can then set up drive-by download attacks against website visitors, or download additional malware that finds deeper vulnerabilities leading to more sensitive data.
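The coding error Harrison describes is the application splicing user input into the SQL text itself. The following Python script, added here as an illustration and not code from the article or from anyone quoted in it, shows that error beside its fix against an in-memory SQLite table populated with constructed sample rows. The table and column names, the sample users and the payload are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [
    ("alice", "s3cret", "4111111111111111"),
    ("bob", "hunter2", "5500000000000004"),
]

# A tautology payload of the kind typed into the password field of a Web form.
PAYLOAD = "' OR '1'='1"


def build_db():
    """Create a throwaway SQLite database standing in for the backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the classic SQL injection bug.

    Whatever the visitor types becomes part of the SQL statement, so a quote
    character in the input ends the literal and the rest is parsed as SQL.
    With PAYLOAD as the password the statement the database sees is:
      ... WHERE username = 'alice' AND password = '' OR '1'='1'
    and the OR clause makes the WHERE condition true for every row.
    """
    sql = ("SELECT username, card FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the SQL text is fixed at development time.

    User input travels to the database only as bound values, so quotes or
    keywords in the input can never change the structure of the statement.
    """
    sql = "SELECT username, card FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run the same payload through both versions and return the results."""
    conn = build_db()
    # Attacker knows no valid password, yet the vulnerable query dumps every card.
    leaked = login_vulnerable(conn, "alice", PAYLOAD)
    # Against the parameterized query the payload is just a wrong password.
    blocked = login_safe(conn, "alice", PAYLOAD)
    # A legitimate login still works through the hardened path.
    legit = login_safe(conn, "alice", "s3cret")
    return leaked, blocked, legit


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable query returned", len(leaked), "rows:", leaked)
    print("parameterized query returned", len(blocked), "rows")
    print("legitimate login returned", legit)
```

Note that the fix does not involve inspecting or filtering the input at all. The hardened version is one line shorter than the vulnerable one; what changes is that the query text is constant and the driver carries the values separately, which is why parameterized queries (or an ORM that uses them) are the standard remediation rather than escaping or blacklisting quote characters.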

"Many times a company has a custom application back-ending to a Web server, so it's very specific to their environment," Harrison said. "There are many tools the bad guys are using to find and exploit a SQL injection hole to get their malicious code on there."

Missing from the federal indictment handed down Monday is the technique used by Albert Gonzalez, the alleged mastermind behind the Heartland and Hannaford attacks. Gonzalez is also charged, along with two others, for his role in the successful attacks against the TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In a blog entry, Chris Wysopal, co-founder and chief technology officer of secure application testing vendor Veracode, laid out several theories as to how the Hannaford and Heartland attackers gained entry.

"Once an attacker has the tiniest foothold through a perimeter it can often be leveraged to compromise an entire organization," Wysopal said. "Thinking that attackers who find a Web vulnerability will only be able to manipulate Web transactions deprioritizes the risk inappropriately. Sometimes a Web vulnerability gives them the whole enchilada."

Companies are realizing that it is easier and more cost effective to eliminate software coding errors during development rather than after a system has been deployed, said Richard Wang, manager of Sophos Labs U.S.

"In many cases these are apps written in house and generally by developers whose first thought is not security," Wang said. "These problems can get quite complex if you're fixing it later."
