SQL injection, one of the most basic and common attacks against websites and their underlying databases, offers an easy entry point for cybercriminals, according to security experts.
The hackers responsible for the largest data security breach in U.S. history allegedly used a SQL injection attack. A coding error was cited as the starting point in the indictment handed down against a Miami man and two Russian hackers, enabling them to allegedly bilk Heartland Payment Systems Inc. and Hannaford Brothers Co. of more than 130 million credit and debit card numbers.
But security experts say that while SQL injection errors are relatively easy to find – as simple as finding a poorly coded input field in a Web form – they are often difficult and costly to fix. A vulnerability scan is likely to turn up thousands of errors that lend themselves to SQL injection, said Gary McGraw, chief technology officer of Cigital Inc., a software security and quality consulting firm.
"Sometimes there's one problem that results in a thousand possible cross-site scripting issues and if you fix that problem they'll all be fixed, but that's not always the case," McGraw said. "There've been a lot of bugs that built up behind the dam and now we're seeing the dam starting to rumble."
Jim Molini, a Microsoft security professional, has been a CISSP for more than 15 years and is also a key architect of the new Certified Secure Software Lifecycle Professional (CSSLP) certification. Molini, who was formerly vice president of Data Security at First USA Bank, said developing a common standard to drive people to focus on security in the software development lifecycle could make it harder in the long run for cybercriminals to steal sensitive data by exploiting coding vulnerabilities. Companies understand that they need to improve software security, Molini said, but they want to be able to measure what they're doing against other firms.
"You don't necessarily want to have an audit standard for software security yet, because I'm worried that it would reduce the amount of innovation that you could do," Molini said. "If you train your people to a certain skill level, that's going to pay off huge."
While a new generation of programmers hones their security skills to develop more hardened systems, vulnerabilities in current and older systems remain a major problem. SQL injection attacks, one of several popular Web-based attacks, come in many forms, some more sophisticated than others, said John Harrison, a security researcher and group product manager for Symantec Security Response. Like picking apples from a tree, attackers are choosing the lowest-hanging branches, Harrison said. Last year, the Trojan.Asprox was programmed to use search engines to find potentially vulnerable websites. The Trojan ended up infecting thousands and fueled a wave of SQL injection attacks. Experts who track Web-based attacks say the number of SQL injection attacks has declined since last year, but estimate that up to 16% of all websites are vulnerable to attack.
"These types of errors can be difficult to get a handle on, which is why we see new problems come up every day," Harrison said.
The resulting holes can be used by a hacker to send additional SQL instructions, which may then be passed directly into the backend database, Harrison said. Hackers can simply set up drive-by download attacks against website visitors or download additional malware that finds deeper vulnerabilities leading to more sensitive data.
"Many times a company has a custom application back-ending to a Web server, so it's very specific to their environment," Harrison said. "There are many tools the bad guys are using to find and exploit a SQL injection hole to get their malicious code on there."
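The mechanism Harrison describes, the "poorly coded input field" that lets form data be passed straight into the backend database as SQL, comes down to string concatenation, and the fix is to bind the value as a parameter so the database never parses it as part of the query. The following is an added example written for this page; it is not code from the article or from any vendor named in it. It uses Python's standard sqlite3 module with a constructed in-memory table (the data and the `lookup_vulnerable`/`lookup_safe` function names are assumptions) and shows the two patterns side by side: the concatenated query returns every row when the input carries a stray quote, while the parameterised query treats the same input as a plain string.

```python
import sqlite3

# Constructed sample data, not from the article: a tiny in-memory table
# standing in for the "custom application back-ending to a Web server".
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The defective pattern: the form value is spliced straight into the
    SQL text, so the database cannot tell user data from the developer's
    query. Kept here only to make the defect visible next to the fix."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the SQL text is fixed and the value travels
    separately, so quote characters in the input are just data."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal value and with a quote-bearing value
    and return the row counts so the difference is easy to check."""
    conn = make_db()
    normal = "alice"
    # Constructed example of the kind of value a vulnerability scanner
    # submits to a form field: the single quote closes the string literal
    # and the rest is read as SQL by the concatenating version.
    quote_bearing = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_quoted": len(lookup_vulnerable(conn, quote_bearing)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_quoted": len(lookup_safe(conn, quote_bearing)),
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print(f"{key}: {count} row(s)")
```

The parameterised form is the one to look for when reviewing code flagged by a scanner: every query that builds SQL text from request data is a candidate, and the fix is the same regardless of which database driver is in use, since all mainstream drivers expose a placeholder syntax equivalent to the `?` used here.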
Missing from the federal indictment handed down Monday is the technique used by Albert Gonzalez, the alleged mastermind behind the Heartland and Hannaford attacks. Gonzalez is also charged with two others for his role behind the successful attacks against the TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In a blog entry, Chris Wysopal, co-founder and chief technology officer of secure application testing vendor Veracode, has written several theories as to how the Hannaford and Heartland attackers gained entry.
"Once an attacker has the tiniest foothold through a perimeter it can often be leveraged to compromise an entire organization," Wysopal said. "Thinking that attackers who find a Web vulnerability will only be able to manipulate Web transactions deprioritizes the risk inappropriately. Sometimes a Web vulnerability gives them the whole enchilada."
Companies are realizing that it is easier and more cost effective to eliminate software coding errors during development rather than after a system has been deployed, said Richard Wang, manager of Sophos Labs U.S.
"In many cases these are apps written in house and generally by developers whose first thought is not security," Wang said. "These problems can get quite complex if you're fixing it later."