[BreachExchange] SQL injection: The oldest hack in the book

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 9 17:51:41 EDT 2016


http://www.itproportal.com/2016/05/08/sql-injection-the-oldest-hack-in-the-book/

The latest reports suggest the highly publicised ‘Panama Papers’ data leak
was the result of a hacking technique known as SQL injection. With 11.5
million files being leaked, the Mossack Fonseca breach exceeds even the 1.7
million files leaked by the infamous Edward Snowden. Once more, another
high profile company has fallen victim to this common technique. Mossack
Fonseca’s lawyers aren’t the first to get their pants pulled down by this
trick. They are simply the latest in a long line of victims.

SQL injection has been used by cybercriminals since the late Nineties. So
it begs the question – why is ‘the oldest hack in the book’ still causing
companies big problems? There are plenty of ways hackers can break in, but
SQL injection remains among the easiest because, despite its age, hackers
know there are persisting weaknesses they can exploit.

What is SQL injection?

When a user enters information into a system that uses Structured Query
Language (SQL), the system should vet it to make sure that it does not
contain malicious input that can be turned into a SQL command. If the
system has not been explicitly programmed to vet the inputs, then a hacker
can enter a string of characters that will be translated into a SQL command
which can instruct the underlying database to return some of its contents
such as financial records, credit card numbers, or other confidential
information.

Vulnerability to SQL injection is why many systems do not allow users to
enter certain characters that would be used in a SQL command. Considering
how long we have known about the SQL injection weakness and how often it is
exploited, why wasn’t it eliminated from systems years ago?

The continuing issue of SQL injection

Despite the numerous hacks that have been linked to SQL injection, too many
IT departments have yet to clean up security holes in their applications.
>From the 130 million customer payment card details that were stolen at
Heartland Payment Systems a few years ago, to 40 million customer records
being breached at Target Stores, to the recent breaches at UK’s TalkTalk
and Panama’s Mossack Fonseca, the initial penetration into a system too
often begins through a SQL injection vulnerability. Clearly, there is a
severe lack of diligence in making systems secure.

IT organisations mobilised a massive attack on the turn of the century
(Y2K) that threatened to bollix many computer systems at midnight on New
Year’s Eve Year 2000. Why aren’t we attacking security weaknesses such as
SQL injection with similar urgency to prevent this unending flood of
breaches? With some of these breaches costing over $100m (£70m), the
financial justification should be clear. At Target, not only was the CIO
fired, the CEO was released as well.

How businesses can protect themselves

Fixing the SQL injection issue is simple yet complex at the same time. New
automated testing and measurement tools have come to market, removing the
need to tediously go through each line of code manually. However, it is
still a requirement to go through each system individually, and in today’s
modern business environment that is no easy task. The main goal for
companies embarking on this measurement process is to continually assess
their systems for security and other IT risks before entering new code into
production and exposing it to users.

At the crux of the issue is implementing the proper assurance processes and
tools. Without automated analysis technologies, a thorough analysis of code
cannot be performed at the scale of modern multi-tier applications. Without
a system-level analysis of their applications, IT departments are unable to
identify potential entry points where cyber-attacks can begin. Fortunately,
static analysis and penetration testing technologies have improved
dramatically over the past decade and enable businesses to address their
security risks before hackers discover opportunities for SQL injection

What will it take to change?

CIOs face increasing pressure to do more with less as budgets tighten. At
the same time businesses are demanding more functionality, and application
quality is sacrificed in the trade-off. To increase focus on software
trustworthiness and dependability, CIOs must elevate IT security and risk
management to the business level, making it a boardroom issue. Only when
other C-level stakeholders buy in can the necessary effort be budgeted.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160509/6d4e7dda/attachment.html>


More information about the BreachExchange mailing list