
Once the focus of IT security was the network and its
perimeter: stop hackers and viruses getting onto your network and
you will secure your business. But over the last couple of years,
businesses have begun to realise they left the back door
open.
Encouraging the public to interact with them over the internet
left a gaping hole in security. Although intrusion detection,
firewall and anti-virus technology advanced, a user could key
information into a web form linked to a back-end database and
bypass those security technologies altogether.
In 2007, retailer
TJX, which owns TK Maxx in the UK, revealed that hackers had
stolen 45.7 million credit and debit card numbers from its
databases over 18 months. Hackers are said to have planted
unauthorised software on TJX's computer network to enable them to
steal at least 100 files containing data on millions of accounts
from systems in Framingham, Massachusetts and Watford in the
UK.
The TJX hack is one of a number involving a group of techniques
known as SQL
injection, says Paul Davie, founder and chief operating officer
of security software firm Secerno.
The
technique is surprisingly simple. Hackers fool poorly designed
database applications into treating input data from the user - such
as an online address form - as executable code. With a series of
probes using SQL commands keyed into online forms, a hacker can
assess a database vulnerability and, if it is poorly programmed and
unprotected, get hold of data. Network firewalls and anti-virus
software will not pick up the hack because it will appear that a
bona fide user is keying information into the database through the
website.
This method of hacking is all the more serious because hackers
themselves have changed. Gone are the days when precocious students
wanted to prove their worth by defacing websites or jamming up
corporate e-mail systems. Now it is a serious money game.
"If you look at
security breaches, there has been a move towards ID theft,"
says Rik Ferguson, solutions architect with security firm Trend
Micro. "Growth in sites trading personal information shows how
organised the market has become. Identity information is a valuable
commodity and the richest seam is in the database. You're not going
to get that by hacking the web server."
Forrester principal analyst Noel Yuhanna agrees. "In the last
five or 10 years, the focus has moved from disrupting business to
gaining corporate assets and reselling those to other people," he
says. "There is a focus on private data, credit card details,
health details, social security numbers. It is organised crime, but
if you leave the door open, there is going to be a problem.
"The fact is there are ways to attack, some of which are
difficult to detect. A lot of times, organisations do not realise
they have been attacked until it is too late."
Last year the US Treasury said cybercrime was worth more than
the illegal drugs trade - more than £50bn a year - although some
have doubted the accuracy of this figure.
Hacking methods have become industrialised, too. As internet
tools have improved, they have made hacking more efficient. Lists
of effective
"Google
hacks" are published on hacker websites. These enable criminals
to quickly find online databases that may be vulnerable.
SQL injection attacks are not new, but not all businesses have
measures in place to defend against them, says David Litchfield,
chief research scientist with security consultant NGSSoftware. "SQL
injection has been around for six or seven years and that is a long
time," he says. "But then buffer overflow has been around for 20
years and people are still hit by it."
Vulnerability to these attacks continues because security can be
left to IT security teams, or implementation and operations teams,
says Litchfield, and not all IT professionals believe security is
part of their role.
Forrester's Yuhanna says: "They do not think in terms of
security. In most organisations, developers think they can leave it
to the operational guys. Only 20% of organisations focus on
security from the ground up and try to minimise risk."
But the situation is improving through better education, says
Litchfield. "In the past it was the case that application
developers, IT service and security were separate. However, more
and more web and applications developers, C programmers, have to
have security as part of their education."
Microsoft has taken the lead with its secure development
lifecycle, he adds.
Database application developers must be aware of security
because it is fairly straightforward to program out the starkest
vulnerabilities. For example, coders can restrict the number of
letters or numbers a particular field accepts. They can also outlaw
characters used in SQL, such as the semi-colon or single quote,
which are unnecessary for valid user input.
These measures will not remove the problem entirely, but they
reduce risk. Programmers can go a step further by making a clearer
distinction between user-inputted data and executable application
code, called prepared data in SQL terms and bind variable in
Oracle, says Litchfield.
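The distinction Litchfield draws, shown as an added example (not code from the article or from any vendor it names): the same lookup written with the user's input spliced into the statement text, and again as a prepared statement with a bind variable, plus the length limit suggested earlier. The table, its rows and the test input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for an offline demonstration; not from the article.
CUSTOMERS = [
    ("alice", "4111-1111-1111-1111"),
    ("bob", "5500-0000-0000-0004"),
    ("carol", "3400-0000-0000-009"),
]

MAX_USERNAME_LEN = 32   # assumed field limit for this demo


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    # The flaw the article describes: the input becomes part of the statement
    # text, so the database parses whatever the user typed as SQL.
    sql = "SELECT username, card FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    # Prepared statement with a bind variable: the statement text is fixed and
    # the value travels separately, so it is only ever compared as data.
    sql = "SELECT username, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_hardened(conn, username):
    # Defence in depth: reject over-long input before it reaches the database,
    # then still use the bind variable rather than trusting the filter alone.
    if len(username) > MAX_USERNAME_LEN:
        raise ValueError("username too long")
    return lookup_parameterised(conn, username)


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"   # constructed test input: a quote closes the literal early
    print(lookup_vulnerable(conn, probe))      # every row comes back
    print(lookup_parameterised(conn, probe))   # [] - compared as a literal name
```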
This is a good approach for new applications, but legacy
applications are still a problem. One of the main reasons for their
vulnerability to SQL injection is that many database applications
were written before anyone knew they might be put online.
For older applications, a code review is needed, says
Litchfield. "Penetration testing has some value, but it is better,
quicker and cheaper to do a code review."
Where rewriting code may be prohibitively expensive, there are
tools on the market that specifically tackle database security.
Secerno uses a system based on machine learning to understand the
normal operations of a database.
The company's Paul Davie says network security tools are not
effective in dealing with this type of attack. "Older systems look
at the network layer, but SQL does not lend itself to that kind of
analysis," he says. "You could block the word 'union', an SQL term,
but it is used so frequently, especially if you're the Western
Union bank, that it wouldn't work. Analysis needs to be more
sophisticated. The traditional approach generates many false positives.
We look at SQL before it enters the database."
The Secerno system builds a model of normal behaviour and of
anomalies against it, which it uses to block hacks and alert the
administrator or security team, says Davie.
"There's a lot of value in this approach," says NGSSoftware's
Litchfield. "It will get rid of 95% of the problem, but an
extremely good professional hacker can bypass it."
Another approach to securing databases uses signatures in the
same way as anti-virus software does. The security tool uses a list
of "signatures" characteristic of hacking methods. When a match
occurs, the system blocks entry.
But the problem with this approach is that database hacks can be
unique and do not appear on signature lists until it is too late,
says Litchfield.
"A signature-based approach will do nothing to protect database
servers. You can encode an instruction [to a database] an infinite
number of ways. You can spend £100,000 on a database firewall. My
advice is not to have the vulnerability in the app in the first
place."
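To make the two approaches above concrete (Davie's behaviour model and the keyword or signature filter Litchfield criticises), here is an added example that is not code from the article, Secerno or NGSSoftware. It reduces each statement to a structural template, learns the templates an application normally issues, and flags anything outside that set; the baseline and the two statements checked against it are constructed for the demonstration.

```python
import re

# Constructed baseline of statements the application is known to issue;
# a product like the one described would learn this from observed traffic.
BASELINE = [
    "SELECT id, name FROM customers WHERE id = 17",
    "SELECT id, name FROM customers WHERE id = 42",
    "SELECT id, name FROM customers WHERE name = 'O''Brien'",
    "INSERT INTO payees (name, bank) VALUES ('Jane Doe', 'Western Union')",
]

# String literals (with '' escapes) and numeric literals become '?', so that
# statements differing only in their data share one template.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def template(sql):
    """Reduce a statement to its structural shape, ignoring the data in it."""
    shape = _LITERAL.sub("?", sql)
    return re.sub(r"\s+", " ", shape).strip().lower()


def learn(statements):
    """Build the model: the set of templates seen during normal operation."""
    return {template(s) for s in statements}


def is_anomalous(model, sql):
    """Structure-based check: a shape never seen in the baseline is flagged."""
    return template(sql) not in model


def keyword_blocked(sql, banned=("union", "drop", "shutdown")):
    """The crude keyword filter the article describes, for comparison."""
    words = set(re.findall(r"[a-z]+", sql.lower()))
    return bool(words & set(banned))


if __name__ == "__main__":
    model = learn(BASELINE)
    # Legitimate statement with new data: the keyword filter blocks it because
    # of the bank's name (Davie's false positive); the model accepts it.
    legit = "INSERT INTO payees (name, bank) VALUES ('Ann Lee', 'Western Union')"
    # Constructed anomalous statement: an extra condition the application never
    # issues. It contains no banned keyword, so only the model flags it.
    odd = "SELECT id, name FROM customers WHERE id = 17 OR 1 = 1"
    for s in (legit, odd):
        print(template(s), "| keyword:", keyword_blocked(s), "| anomalous:", is_anomalous(model, s))
```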
For the most sensitive data, businesses can achieve better
security with data encryption, so that even if hackers access the
data, they can't use it or sell it.
Although many businesses are still vulnerable to these database
attacks, greater awareness is improving the situation, says
Litchfield. "As new applications are developed, SQL injection
becomes rarer, but whether it will disappear in five or 10 years is
a different question. Maybe six years ago, eight or nine out of 10
databases were prone to this kind of attack. Now it is six or
seven. Maybe in five years it will be two or three."
But Litchfield warns against complacency. There is the potential
for hackers to develop new "secondary" or "lateral" SQL injection
attacks by fooling databases into believing malicious code has come
from within the application and is therefore safe. He says IT
departments must continually rise to the challenge of new hacking
techniques from an increasingly organised criminal fraternity.
Consequences of SQL injections
Using SQL injections, cybercriminals can take complete remote
control of a database and be able to manipulate it to do anything
they want, including:
• Insert a command to get access to all account details in a
system, including user names, and retrieve VNC passwords from the
registry.
• Shut down a database.
• Upload files.
• Through reverse lookup, gather IP addresses and launch an
injection attack on those computers.
• Corrupt, delete or change files and interact with the OS,
reading and writing files.
• Online shoplifting, for example changing the price of a
product or service.
• Insert a bogus name and credit card into a system to scam it
at a later date.
• Delete the database and all its contents.
How to protect against SQL injection
• Check and filter user input.
• Limit the length of input, because most attacks depend on query
strings.
• A crude defence is to restrict particular keywords used in
SQL, such as "drop", "insert", "shutdown" and "name". This is hard
to do in practice, because the context of commands is vitally
important. Also ban SQL syntax characters such as single quotes or
semi-colons.
• Powerful intelligent approaches exist that take into account
the intent of the command and not just the keywords used.
• Deploy database patches as they are released - don't wait
until a service pack is available.
• Make sure database application developers are trained in
secure programming.
These application security basics will also help:
• Grant the least privileges possible per user.
• Always change default passwords.
• Encrypt sensitive data.
Examples of SQL injection
Here are some examples of alleged SQL injection attacks:
• 3,000 records were exposed and 20 stolen at Commerce Bank in
the central USA, October 2007.
• Online corporate gift retailer Scarborough & Tweed
potentially had 570 customers' personal and credit card details
compromised.
• The United Nations website was defaced by a group of activists
with an anti-war protest, August 2007.
• Microsoft's UK events web page was defaced, June 2007.
• Auction.co.kr was hacked and 18 million customer records
stolen, February 2008.
• DA Davidson, a local US financial services firm, was hacked
and lost records of 226,000 clients, February 2008.
• Pennsylvania's state government website was hacked, defaced
and laced with malware through an SQL injection attack, January 2008.
The malware would probably have been part of an operation such as
the Storm worm.
• The RIAA website was twice attacked in one weekend with SQL
injections, causing denial of service and, later, defacement,
January 2008.
And finally, even the geeks aren't safe. In December of last
year, geeks.com, a £75m company, was hacked using an undisclosed
means and detailed records of customers were stolen from the site.
The records included name, address, telephone number, e-mail
address, credit card number, expiration date, and most notoriously,
card verification number.