SQL injection continues to trouble firms, lead to breaches

By Robert Westervelt, News Editor
18 Aug 2009 | SearchSecurity.com


SQL injection, one of the most basic and common attacks against websites and their underlying databases, offers an easy entry point for cybercriminals, according to security experts.

The hackers responsible for the largest data security breach in U.S. history allegedly used a SQL injection attack. The indictment handed down against a Miami man and two Russian hackers cited a coding error as the starting point that allegedly enabled them to steal more than 130 million credit and debit card numbers from Heartland Payment Systems Inc. and Hannaford Brothers Co.

But security experts say that while SQL injection errors are relatively easy to find – as simple as finding a poorly coded input field in a Web form – they are often difficult and costly to fix. A vulnerability scan is likely to turn up thousands of errors that lend themselves to SQL injection, said Gary McGraw, chief technology officer of Cigital Inc., a software security and quality consulting firm.

"Sometimes there's one problem that results in a thousand possible cross-site scripting issues and if you fix that problem they'll all be fixed, but that's not always the case," McGraw said. "There have been a lot of bugs that built up behind the dam and now we're seeing the dam starting to rumble."

McGraw is referring to the fact that only now has the software development lifecycle started to mature to the point where developers have enough security skills and keep security in mind when they build applications. Other experts agree and point to the financial industry, where many of the major financial firms have put secure software development procedures into practice. Still, new and popular programming languages, including Flash and JavaScript, are at greater risk for vulnerabilities because their software runs on end-user machines rather than on a server.

Jim Molini, a Microsoft security professional, has been a CISSP for more than 15 years and is also a key architect of the new Certified Secure Software Lifecycle Professional (CSSLP) certification. Molini, who was formerly vice president of Data Security at First USA Bank, said developing a common standard to drive people to focus on security in the software development lifecycle could make it harder in the long run for cybercriminals to steal sensitive data by exploiting coding vulnerabilities. Companies understand that they need to improve software security, Molini said, but they want to be able to measure what they're doing against other firms.

"You don't necessarily want to have an audit standard for software security yet, because I'm worried that it would reduce the amount of innovation that you could do," Molini said. "If you train your people to a certain skill level, that's going to pay off huge."

While a new generation of programmers hones its security skills to develop more hardened systems, vulnerabilities in current and older systems remain a major problem. SQL injection attacks, one of several popular Web-based attacks, come in many forms, some more sophisticated than others, said John Harrison, a security researcher and group product manager for Symantec Security Response. Like picking apples from a tree, attackers are choosing the lowest hanging branches, Harrison said. Last year the Trojan.Asprox was programmed to use search engines to find potentially vulnerable websites. The Trojan ended up infecting thousands of sites and fueled a wave of SQL injection attacks. Experts who track Web-based attacks say the number of SQL injection attacks has declined since last year, but estimate that up to 16% of all websites are vulnerable to attack.

"These types of errors can be difficult to get a handle on, which is why we see new problems come up every day," Harrison said.

The resulting holes can be used by a hacker to send additional SQL instructions, which may then be passed directly into the backend database, Harrison said. Hackers can simply set up a drive-by download attack against website visitors, or download additional malware that finds deeper vulnerabilities leading to more sensitive data.
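The "poorly coded input field" McGraw describes and the "additional SQL instructions" Harrison describes are two views of the same defect: the application pastes a form value into the text of a query, so characters in that value can change the query's structure. The following is an added example, not code from the article or from any of the vendors quoted; it uses Python's built-in sqlite3 module with a constructed in-memory users table (the table, names and helper functions are assumptions for illustration). It shows the vulnerable concatenation pattern beside the parameterized form that keeps user input as data, plus a small logging check a defender might use as a signal.

```python
"""Added example (not from the article): a SQL lookup built by string
concatenation beside the parameterized version. Constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table, as a web application might have."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'poorly coded input field' pattern: the form value is spliced into the
    SQL text, so a quote character in it ends the literal and the rest of the
    value is interpreted as SQL. This is the defect the article describes."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the SQL text is fixed and the value is bound
    separately, so whatever the user typed is compared as a literal string."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def looks_like_structural_input(value: str) -> bool:
    """Cheap defensive signal worth logging: a username field should never
    contain a quote, statement separator or SQL comment marker. A detection
    aid for monitoring, not a substitute for parameterized queries."""
    return any(token in value for token in ("'", ";", "--"))


if __name__ == "__main__":
    db = make_db()
    # Normal input: both functions return the same single row.
    print(lookup_vulnerable(db, "alice"))
    print(lookup_safe(db, "alice"))
    # A value containing a quote: the concatenated query's WHERE clause is
    # altered and every row comes back; the parameterized query matches nothing.
    crafted = "x' OR '1'='1"
    print(len(lookup_vulnerable(db, crafted)), len(lookup_safe(db, crafted)))
    print(looks_like_structural_input(crafted))
```

The point of the side-by-side is that the fix is not escaping or filtering at each of the "thousands of errors" a scanner reports, but changing the query-building pattern so the database driver never sees user input as SQL text; the logging check only helps an operator notice that someone is probing a field.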

"Many times a company has a custom application back-ending to a Web server, so it's very specific to their environment," Harrison said. "There are many tools the bad guys are using to find and exploit a SQL injection hole to get their malicious code on there."

Missing from the federal indictment handed down Monday is the technique used by Albert Gonzalez, the alleged mastermind behind the Heartland and Hannaford attacks. Gonzalez is also charged, along with two others, for his role in the successful attacks against the TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In a blog entry, Chris Wysopal, co-founder and chief technology officer of secure application testing vendor Veracode, has offered several theories as to how the Hannaford and Heartland attackers gained entry.

"Once an attacker has the tiniest foothold through a perimeter it can often be leveraged to compromise an entire organization," Wysopal said. "Thinking that attackers who find a Web vulnerability will only be able to manipulate Web transactions deprioritizes the risk inappropriately. Sometimes a Web vulnerability gives them the whole enchilada."

Companies are realizing that it is easier and more cost effective to eliminate software coding errors during development rather than after a system has been deployed, said Richard Wang, manager of Sophos Labs U.S.

"In many cases these are apps written in house and generally by developers whose first thought is not security," Wang said. "These problems can get quite complex if you're fixing it later."
