Once the focus of IT security was the network and its perimeter: stop hackers and viruses getting onto your network and you will secure your business. But over the last couple of years, businesses have begun to realise they left the back door open.
Encouraging the public to interact with them over the internet left a gaping hole in security. Although intrusion detection, firewall and anti-virus technology advanced, a user can key information into a web form, linked to a back-end database, and these security technologies could be bypassed.
In 2007, retailer TJX, which owns TK Maxx in the UK, revealed that hackers had stolen 45.7 million credit and debit card numbers from its databases over 18 months. Hackers are said to have planted unauthorised software on TJX's computer network to enable them to steal at least 100 files containing data on millions of accounts from systems in Framingham, Massachusetts and Watford in the UK.
The TJX hack is one of a number involving a group of techniques known as SQL injection, says Paul Davie, founder and chief operating officer of security software firm Secerno.
The technique is surprisingly simple. Hackers fool poorly designed database applications into treating input data from the user - such as an online address form - as executable code. With a series of probes using SQL commands keyed into online forms, a hacker can assess a database vulnerability and, if it is poorly programmed and unprotected, get hold of data. Network firewalls and anti-virus software will not pick up the hack because it will appear that a bona fide user is keying information into the database through the website.
This method of hacking is all the more serious because hackers themselves have changed. Gone are the days when precocious students wanted to prove their worth by defacing websites or jamming up corporate e-mail systems. Now it is a serious money game.
"If you look at security breaches, there has been a move towards ID theft," says Rik Ferguson, solutions architect with security firm Trend Micro. "Growth in sites trading personal information shows how organised the market has become. Identity information is a valuable commodity and the richest seam is in the database. You're not going to get that by hacking the web server."
Forrester principal analyst Noel Yuhanna agrees. "In the last five or 10 years, the focus has moved from disrupting business to gaining corporate assets and reselling those to other people," he says. "There is a focus on private data, credit card details, health details, social security numbers. It is organised crime, but if you leave the door open, there is going to be a problem.
"The fact is there are ways to attack, some of which are difficult to detect. A lot of times, organisations do not realise they have been attacked until it is too late."
Last year the US Treasury said cybercrime was worth more than the illegal drugs trade - more than £50bn a year - although some have doubted the accuracy of this figure.
Hacking methods have become industrialised, too. As internet tools have improved, they have made hacking more efficient. Lists of effective "Google hacks" are published on hacker websites. These enable criminals to quickly find online databases that may be vulnerable.
SQL injection attacks are not new, but not all businesses have measures in place to defend against them, says David Litchfield, chief research scientist with security consultant NGSSoftware. "SQL injection has been around for six or seven years and that is a long time," he says. "But then buffer overflow has been around for 20 years and people are still hit by it."
Vulnerability to these attacks continues because security can be left to IT security teams, or implementation and operations teams, says Litchfield, and not all IT professionals believe security is part of their role.
Forrester's Yuhanna says: "They do not think in terms of security. In most organisations, developers think they can leave it to the operational guys. Only 20% of organisations focus on security from the ground up and try to minimise risk."
But the situation is improving through better education, says Litchfield. "In the past it was the case that application developers, IT service and security were separate. However, more and more web and applications developers, C programmers, have to have security as part of their education."
Microsoft has taken the lead with its secure development lifecycle, he adds.
Database application developers must be aware of security because it is fairly straightforward to program out the starkest vulnerabilities. For example, coders can restrict the number of letters or numbers a particular field accepts. They can also outlaw characters used in SQL, such as the semi-colon or single quote, which are unnecessary for valid user input.
These measures will not remove the problem entirely, but they reduce risk. Programmers can go a step further by making a clearer distinction between user-inputted data and executable application code, using what are called prepared statements in SQL terms and bind variables in Oracle, says Litchfield.
This is a good approach for new applications, but legacy applications are still a problem. One of the main reasons for their vulnerability to SQL injection is that many database applications were written before anyone knew they might be put online.
For older applications, a code review is needed, says Litchfield. "Penetration testing has some value, but it is better, quicker and cheaper to do a code review."
Where rewriting code may be prohibitively expensive, there are tools on the market that specifically tackle database security. Secerno uses a system based on machine learning to understand the normal operations of a database.
The company's Paul Davie says network security tools are not effective in dealing with this type of attack. "Older systems look at the network layer, but SQL does not lend itself to that kind of analysis," he says. "You could block the word 'union', an SQL term, but it is used so frequently, especially if you're the Western Union bank, that it wouldn't work. Analysis needs to be more sophisticated. The traditional approach generates many false positives. We look at SQL before it enters the database."
The Secerno system has established a model of normal behaviour and anomalies that aims to block hacks and alert the administrator or security team, says Davie.
"There's a lot of value in this approach," says NGSSoftware's Litchfield. "It will get rid of 95% of the problem, but an extremely good professional hacker can bypass it."
Another approach to securing databases uses signatures in the same way as anti-virus software does. The security tool uses a list of "signatures" characteristic of hacking methods. When a match occurs, the system blocks entry.
But the problem with this approach is that database hacks can be unique and do not appear on signature lists until it is too late, says Litchfield.
"A signature-based approach will do nothing to protect database servers. You can encode an instruction [to a database] an infinite number of ways. You can spend £100,000 on a database firewall. My advice is not to have the vulnerability in the app in the first place."
For the most sensitive data, businesses can achieve better security with data encryption, so that even if hackers access the data, they can't use it or sell it.
Although many businesses are still vulnerable to these database attacks, greater awareness is improving the situation, says Litchfield. "As new applications are developed, SQL injection becomes rarer, but whether it will disappear in five or 10 years is a different question. Maybe six years ago, eight or nine out of 10 databases were prone to this kind of attack. Now it is six or seven. Maybe in five years it will be two or three."
But Litchfield warns against complacency. There is the potential for hackers to develop new "secondary" or "lateral" SQL injection attacks by fooling databases into believing malicious code has come from within the application and is therefore safe. He says IT departments must continually rise to the challenge of new hacking techniques from an increasingly organised criminal fraternity.
Consequences of SQL injections
Using SQL injections, cybercriminals can take complete remote control of a database and be able to manipulate it to do anything they want, including:
• Insert a command to get access to all account details in a system, including user names, and retrieve VNC passwords from the registry.
• Shut down a database.
• Upload files.
• Through reverse lookup, gather IP addresses and launch an injection attack on those computers.
• Corrupt, delete or change files and interact with the OS, reading and writing files.
• Online shoplifting, for example changing the price of a product or service.
• Insert a bogus name and credit card into a system to scam it at a later date.
• Delete the database and all its contents.
How to protect against SQL injection
• Check and filter user input.
• Limit the length of input, because most attacks depend on query strings.
• A crude defence is to restrict particular keywords used in SQL, such as "drop", "insert", "shutdown" and "name". This is hard to do in practice, because the context of commands is vitally important. Also ban SQL syntax characters such as single quotes or semi-colons.
• Powerful intelligent approaches exist that take into account the intent of the command and not just the keywords used.
• Deploy database patches as they are released - don't wait until a service pack is available.
• Make sure database application developers are trained in secure programming.
These application security basics will also help:
• Grant the least privileges possible per user.
• Always change default passwords.
• Encrypt sensitive data.
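The following is an added example, not code from the article or from any of the firms it quotes. It puts the advice above side by side in working code: the "poorly designed" pattern that concatenates form input into SQL, the prepared-statement form Litchfield recommends (SQLite's `?` placeholder stands in for an Oracle bind variable), the allow-list length and character check from the checklist, and the crude keyword blocklist, shown rejecting the legitimate customer name "Western Union" that Davie uses to explain why keyword blocking produces false positives. The customer rows are constructed sample data.

```python
import re
import sqlite3

# Constructed sample rows (not real customer records); card numbers are masked placeholders.
CUSTOMERS = [
    (1, "alice", "Alice Ng", "4111-xxxx-xxxx-1111"),
    (2, "bob", "Bob Western Union", "5500-xxxx-xxxx-0004"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the article describes as poorly designed: the form value is pasted
    into the SQL text, so the database cannot distinguish user data from code.
    A value containing a quote changes the structure of the WHERE clause."""
    sql = "SELECT id, username, name FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Prepared statement / bind variable: the SQL text is fixed at compile time and the
    value is passed separately, so whatever the user typed is only ever compared as data."""
    sql = "SELECT id, username, name FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list rule from the checklist: bounded length (1-32) and a character set with no
# room for quotes, semi-colons or spaces. The exact rule is an assumption for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value):
    """Return True only if the value matches the allow-list pattern."""
    return USERNAME_RE.fullmatch(value) is not None


# The crude keyword filter the article warns about. Matching substrings without context
# means ordinary text such as a bank's name trips it (a false positive).
SQL_KEYWORD_BLOCKLIST = ("union", "drop", "insert", "shutdown")


def keyword_blocklist_rejects(value):
    """Return True if the naive keyword filter would reject this input."""
    lowered = value.lower()
    return any(keyword in lowered for keyword in SQL_KEYWORD_BLOCKLIST)


def compare(conn, form_value):
    """Run one form value through each approach and report the outcome of each."""
    return {
        "allowlist_ok": validate_username(form_value),
        "keyword_filter_rejects": keyword_blocklist_rejects(form_value),
        "vulnerable_rows": len(lookup_vulnerable(conn, form_value)),
        "parameterised_rows": len(lookup_parameterised(conn, form_value)),
    }


if __name__ == "__main__":
    db = make_db()
    # A normal login name, the textbook tautology input, and a legitimate name that
    # happens to contain an SQL keyword.
    for value in ("alice", "' OR '1'='1", "Western Union"):
        print(repr(value), compare(db, value))
```

For "alice" every approach agrees. For the tautology input the concatenated query returns every customer row while the parameterised query returns none, which is the whole point of keeping data and code apart; the allow-list rejects it as well. For "Western Union" the allow-list rejects it only because the example's username rule forbids spaces, but the keyword filter rejects it for the wrong reason, and the parameterised query simply returns zero rows, which is the correct answer.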
Examples of SQL injection
Here are some examples of alleged SQL injection attacks:
• 3,000 records were exposed and 20 stolen at Commerce Bank in the central USA, October 2007.
• Online corporate gift retailer Scarborough & Tweed potentially had 570 customers' personal and credit card details compromised.
• The United Nations website was defaced by a group of activists with an anti-war protest, August 2007.
• Microsoft's UK events web page was defaced, June 2007.
• Auction.co.kr was hacked and 18 million customer records stolen, February 2008.
• DA Davidson, a local US financial services firm, was hacked and lost records of 226,000 clients, February 2008.
• Pennsylvania's state government website was hacked, defaced and laced with malware through an SQL injection attack, January 2008. The malware would probably have been part of an operation such as the Storm worm.
• The RIAA website was twice attacked in one weekend with SQL injections, causing denial of service and, later, defacement, January 2008.
And finally, even the geeks aren't safe. In December of last year, geeks.com, a £75m company, was hacked using an undisclosed means and detailed records of customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date, and most notoriously, card verification number.