SQL flaws remain an Achilles heel for IT security groups

Another example: Five charged today with using SQL injection attacks to breach corporate networks to steal some $300 million from U.S. businesses

Indictments filed against five persons charged in a massive international hacking scheme indicate that SQL injection vulnerabilities continue to be a huge security Achilles heel for large IT operations.

The residents of Russia and Ukraine were indicted Thursday in connection with the theft of more than 160 million credit card numbers and other financial data from a virtual Who's Who of big business, including NASDAQ, JCP, Carrefour, Discover Bank, Hannaford, Heartland and Dow Jones.

The indictments allege that the victims lost some $300 million over a seven-year period between 2005 and 2012.

In a statement, Paul Fishman, U.S. Attorney for the District of New Jersey, described the attacks as "cutting edge" and called the work a threat to the U.S. economy and national security.

The indictments also suggest that the hackers, in most cases, did not employ particularly sophisticated methods to gain initial entry into the corporate networks. The papers show that the breach was usually made via SQL injection flaws -- a threat that has been thoroughly documented and understood for well over a decade.

The NASDAQ network, for instance, was initially attacked via a SQL injection vulnerability on an online password reminder page. The flaw gave the hackers unauthorized access to the network, a foothold that eventually let them gain full administrative control.

Similarly, initial unauthorized access to corporate networks at Heartland, JC Penney, Wet Seal, Visa Jordan and Diners Singapore came as a result of SQL coding errors. In each instance, the attackers rapidly escalated their privileges on the network to install malware and backdoors for stealing credit card and other data.

Via SQL injection attacks, hackers take advantage of poorly coded Web application software to install malicious code on a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate data entered by a user -- such as when ordering something online or when resetting a password -- before that data is used to build a database query.

An attacker can exploit such input validation errors to send crafted SQL queries to the underlying database, letting them break into it, plant malicious code and/or reach other systems on the network.

SQL injection flaws are relatively simple to fix, once found. The challenge for IT personnel is knowing where to look for them. There are hundreds of places in large Web applications where users can input data, each of which can provide a SQL injection opportunity.
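To make the defect and the fix concrete, here is an added example (not code from the article or from any of the companies it names) modelling a password-reminder lookup of the kind the indictment describes. The database, table, rows and function names are all constructed for this illustration. The first function splices user input into the SQL text, so the database cannot distinguish data from query structure; the second binds the same input as a parameter, which is the simple fix the article refers to.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample database: a made-up "users" table
    # standing in for a site's password-reminder lookup.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, hint TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice@example.com", "first pet"),
            ("bob@example.com", "mother's maiden name"),
        ],
    )
    return conn


def hints_vulnerable(conn, email):
    # Defective pattern: the user-supplied string becomes part of the SQL
    # statement itself, so a quote in the input changes the query logic
    # and the lookup can be made to return rows for other users.
    sql = "SELECT email, hint FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def hints_parameterized(conn, email):
    # Hardened pattern: the statement is fixed and the input is bound as a
    # parameter, so whatever the user typed is compared as a plain value.
    sql = "SELECT email, hint FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal = "alice@example.com"
    tampered = "x' OR '1'='1"   # constructed input containing SQL syntax
    print("vulnerable, normal input:   ", hints_vulnerable(conn, normal))
    print("vulnerable, tampered input: ", hints_vulnerable(conn, tampered))
    print("parameterized, tampered:    ", hints_parameterized(conn, tampered))
```

With the tampered input the vulnerable version returns every row in the table, while the parameterized version returns nothing, because no account has that literal string as its email. The hardening adds no new logic to the application; the point of the article, that the fix is simple once the query is found, is exactly this one-line change repeated at every place user input reaches a query.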

Hackers have taken advantage of SQL injection flaws for years because they can be exploited with relative ease. In recent years, SQL injection attacks have consistently ranked as one of the most popular methods for hackers to break into networks.

Security experts and organizations like the Payment Card Industry Security Council have long urged companies to thoroughly scan Web applications for such flaws. They suggest using Web application firewalls to mitigate the threat.

The PCI council mandates that companies either do a complete source code analysis to weed out such flaws or use a Web application firewall.

Even so, many companies fail to fully implement measures that can mitigate SQL injection threats, said Avivah Litan, an analyst with Gartner. "SQL injection attacks succeed because companies aren't protecting themselves well enough against them," she said.

Though companies understand the need for application code reviews and to maintain application firewalls, many neglect the task due to resource issues, Litan said.

"[Companies] just don't do it well enough because they are overwhelmed. They don't have the money or the resources," needed to address SQL issues, she said. "It really is about budget prioritization and organizational silos."

Jeremiah Grossman, founder and chief technology officer of Web application security specialist WhiteHat Security, said that software development resources are completely maxed out in many companies.

"Your coders have to push new features to customers that will drive future revenue. If they slow down, or work on anything else, like fixing vulnerabilities in their code, there is a certain monetary sacrifice. There simply isn't enough time or resources to do everything," Grossman said.

Therefore, he said, "If you are after data, as these bad guys [were], then SQL injection is the best and fastest way to breach the database. There is nothing technical about SQL injection that we don't know. We know what it is, we know how to fix it, we know how to prevent it. The central issue is the scale of the problem and development resource constraints."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.
