[BreachExchange] SQL injection: why is the oldest hack in the book still causing big problems?

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 23 19:39:17 EDT 2016


http://www.information-age.com/technology/security/123461470/sql-injection-why-oldest-hack-book-still-causing-big-problems

The latest reports suggest the highly publicised ‘Panama Papers’ data leak
was the result of a hacking technique known as SQL injection.

With 11.5 million files being leaked, the Mossack Fonseca breach exceeds
even the 1.7 million files leaked by the infamous Edward Snowden. Once
more, another high-profile company has fallen victim to this common
technique.

Mossack Fonseca’s lawyers aren’t the first to get their pants pulled down
by this trick. They are simply the latest in a long line of victims.

SQL injection has been used by cybercriminals since the late 90s. So it
begs the question: why is the oldest hack in the book still causing
companies big problems?

There are plenty of ways hackers can break in, but SQL injection remains
among the easiest because, despite its age, hackers know there are
persisting weaknesses they can exploit.

What is SQL injection?

When a user enters information into a system that uses structured query
language (SQL), the system should vet it to make sure it does not contain
malicious input that can be turned into a SQL command.

If the system has not been explicitly programmed to vet the inputs, a
hacker can enter a string of characters that will be translated into a SQL
command that can instruct the underlying database to return some of its
contents, such as financial records, credit card numbers, or other
confidential information.

Vulnerability to SQL injection is why many systems do not allow users to
enter certain characters that would be used in a SQL command.

Considering how long we have known about the SQL injection weakness and how
often it is exploited, why wasn’t it eliminated from systems years ago?

The continuing issue of SQL injection

Despite the numerous hacks that have been linked to SQL injection, too many
IT departments have yet to clean up security holes in their applications.

>From the 130 million customer payment card details that were stolen at
Heartland Payment Systems a few years ago, to 40 million customer records
being breached at Target Stores, to the recent breaches at UK’s TalkTalk
and Panama’s Mossack Fonseca, the initial penetration into a system too
often begins through a SQL injection vulnerability. Clearly, there is a
severe lack of diligence in making systems secure.

IT organisations mobilised a massive attack on the turn of the century
(Y2K) that threatened to bollix many computer systems at midnight on New
Year’s Eve Year 2000.  Why aren’t we attacking security weaknesses such as
SQL injection with similar urgency to prevent this unending flood of
breaches?

With some of these breaches costing over $100,000,000, the financial
justification should be clear. At Target, not only was the CIO fired, the
CEO was released as well.

How businesses can protect themselves

Fixing the SQL injection issue is simple yet complex at the same time. New
automated testing and measurement tools have come to market, removing the
need to tediously go through each line of code manually.

However, it is still a requirement to go through each system individually,
and in today’s modern business environment that is no easy task.

The main goal for companies embarking on this measurement process is to
continually assess their systems for security and other IT risks before
entering new code into production and exposing it to users.

At the crux of the issue is implementing the proper assurance processes and
tools. Without automated analysis technologies, a thorough analysis of code
cannot be performed at the scale of modern multi-tier applications.

Without a system-level analysis of their applications, IT departments are
unable to identify potential entry points where cyber-attacks can begin.
Fortunately, static analysis and penetration testing technologies have
improved dramatically over the past decade and enable businesses to address
their security risks before hackers discover opportunities for SQL injection

CIOs face increasing pressure to do more with less as budgets tighten. At
the same time businesses are demanding more functionality, and application
quality is sacrificed in the trade-off.

To increase focus on software trustworthiness and dependability, CIOs must
elevate IT security and risk management to the business level, making it a
boardroom issue. Only when other C-level stakeholders buy in can the
necessary effort be budgeted.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160523/bbdf1ebc/attachment.html>


More information about the BreachExchange mailing list