SQL Injection Vulnerabilities
Recent indictments filed against five persons charged in a massive international hacking scheme indicate that SQL injection vulnerabilities continue to be a huge security issue for companies.
The indictments were filed against residents of Russia and Ukraine for their connection to a theft of more than 160 million credit card numbers and other financial data from big businesses that included such companies as NASDAQ, JCP, Carrefour, Discover Bank, Hannaford, Heartland and Dow Jones.
The indictments allege that the victims lost some $300 million over a seven-year period between 2005 and 2012.
These recent attacks are seen as "cutting edge" and are called a threat to the U.S. economy and national security.
The indictments also suggest that the hackers, in most cases, did not employ particularly sophisticated methods to gain initial entry into the corporate networks. The breaches primarily involved SQL injection flaws — a threat that has been thoroughly documented and understood for well over a decade.
The NASDAQ network was initially attacked via a SQL injection vulnerability in an online password reminder page. The flaw let hackers access the network without authorization to get a foothold that eventually let them gain full administrative control of the NASDAQ servers.
Unauthorized access to corporate networks of Heartland, JC Penney, Wet Seal, Visa Jordan and Diners Singapore came as a result of SQL coding errors. In each instance, the attackers rapidly escalated their privileges on the network to install malware and backdoors for stealing credit card information and other data.
SQL injection attacks allow hackers to take advantage of poorly coded Web application software to install malicious code in a company’s systems and network. The vulnerability exists when a Web application fails to properly filter or validate data entered by a user, such as when ordering something online or when resetting a password.
An attacker can take advantage of input validation errors to send malformed SQL queries to the underlying database, letting them break into it, plant malicious code and/or access other systems on the network.
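The flaw described above and its fix, shown side by side as an added example (not code from the indictments or from any affected company). The table, column and function names are hypothetical, and the sample data and input are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory database.
    # Assumption: the table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, hint TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice@example.com", "first pet"),
        ("bob@example.com", "home town"),
    ])
    return db

def reminder_vulnerable(db, email):
    # Flaw: user input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    query = "SELECT email, hint FROM users WHERE email = '" + email + "'"
    return db.execute(query).fetchall()

def reminder_fixed(db, email):
    # Basic shape check rejects obviously invalid input early.
    if len(email) > 254 or "@" not in email:
        return []
    # Fix: the ? placeholder passes the input as data only, so it is
    # compared against the column and never parsed as SQL.
    return db.execute(
        "SELECT email, hint FROM users WHERE email = ?", (email,)
    ).fetchall()

# Constructed input: a quote followed by a condition that is always true.
MALFORMED = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", reminder_vulnerable(db, MALFORMED))
    print("fixed:     ", reminder_fixed(db, MALFORMED))
```

The vulnerable lookup returns every row for an address that does not exist, while the parameterized lookup returns nothing.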
SQL injection flaws are relatively simple to fix, once found. The main challenge for IT personnel is knowing where to look for them. In large Web applications where users can input data, there could literally be hundreds of these flaws.
Hackers have taken advantage of SQL injection flaws for years because they can be exploited with relative ease. In recent years, SQL injection attacks have consistently ranked as one of the most popular methods for hackers to break into networks.
Some things that you can do to prevent these types of attacks are:
- Make sure that your operating system, MS SQL software, and application software programs have up-to-date service packs installed. This would include any client workstations that use these applications.
- Make sure that you have your anti-virus and anti-malware programs regularly updated.
- Ensure that you have PCI-compliant passwords on all of your systems.
- Have your systems' security thoroughly reviewed for security flaws. The CCS Retail Systems Support Department can assist with this process.