SQL injection attacks exacerbated by work of ‘grey hat’ researchers

In this LastWatchdog guest blog post Phil Neray, vice president of database security vendor Guardium, which was acquired by IBM last November, focuses attention on SQL injection vulnerabilities and attacks — and why they remain a substantive threat.

by Phil Neray

VP of Security Strategy, Guardium, an IBM Company

We’ve recently seen a series of SQL injection cyber-attacks conducted by “grey hats” — including the recent attack on a U.S. Army Website that revealed passwords stored in clear text.

Unlike black hats that are motivated financially or politically — like the hackers that allegedly penetrated Google to spy on Chinese dissidents — grey hats are essentially cyber-vandals who are mainly interested in outing weak security practices (and perhaps getting a little fame).

White hats, in comparison, work privately with Website owners and software vendors to correct flaws, without making them public.

As one of the better-known “serial grey-hats” (Unu) wrote on his blog, “I am not a thief. I’m just a guy who likes to do security testing, penetration. It’s like any other hobby.”

It has become very easy to break into sites using SQL injection. Hackers can easily download automated tools to locate sites running vulnerable applications — you can even use Google. According to IBM’s X-Force research team, SQL injection attacks increased a “staggering” 134% in 2008 and doubled from Q1 to Q2 of 2009.

So many of these vulnerable sites exist because all too many Web applications — created by a generation of inexperienced programmers — don’t adhere to good coding practices, leaving back-end databases wide open to manipulation. For instance, older versions of Microsoft SQL Server contain vulnerable procedures that are installed by default.

It’s believed that the Heartland attackers used this vulnerability to move from their initial SQL injection attack — against a low-value, Web-facing corporate server — to high-value servers processing hundreds of millions of sensitive credit card transactions.

Heartland isn’t alone. The vast majority of organizations don’t monitor activity on their database servers, leaving them vulnerable because they don’t even know when they’ve been hacked. In fact, according to the 2009 Data Breach Report by Verizon Business, 69% of breaches are discovered by a third-party external to the breached organization.

What can organizations do to stay protected? Here are some suggestions:

  • Educate Web developers about secure development practices.
  • Employ automated Web application scanners to locate code vulnerabilities.
  • Never store passwords in clear text.
  • Remove vulnerable procedures you don’t need.
  • Deploy automated vulnerability assessment tools to check for vulnerable databases.
  • Monitor all database activity in real-time for suspicious patterns.
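To make the first and third suggestions concrete, here is an added example that is not part of the original post or Guardium’s own material. It uses Python’s built-in sqlite3 module with an in-memory database and constructed sample users, and it places the coding pattern that invites SQL injection (user input pasted into query text) beside the parameterized form that fixes it; it also stores passwords as salted PBKDF2 hashes rather than in clear text. The iteration count and the sample accounts are assumptions chosen for the demo.

```python
"""Vulnerable vs. hardened user lookup, plus hashed password storage.

Added example (not from the original post). Uses Python's built-in sqlite3
module with an in-memory database and constructed sample users.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: username -> plaintext password, used only to seed
# the table. The plaintext is never written to the database.
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}

# Assumption: a PBKDF2-HMAC-SHA256 cost that is tolerable for a demo; raise it
# in production to whatever your login latency budget allows.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). Only the salt and digest are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare it in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def build_db() -> sqlite3.Connection:
    """Create the users table and seed it with hashed sample credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in SAMPLE_USERS.items():
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    """The pattern the post warns about: untrusted input spliced into SQL text.

    A value containing a quote changes the structure of the statement, so the
    WHERE clause no longer means what the developer intended.
    """
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, name: str) -> bool:
    """Same lookup with a bound parameter: the input can only ever be a value."""
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized lookup followed by a hash comparison; no plaintext involved."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


if __name__ == "__main__":
    conn = build_db()
    # Constructed probe: a name nobody has, carrying a tautology.
    probe = "nobody' OR '1'='1"
    print("vulnerable lookup:", user_exists_vulnerable(conn, probe))  # True
    print("parameterized:    ", user_exists_safe(conn, probe))        # False
    print("login alice/ok:   ", login(conn, "alice", "correct horse battery staple"))
    print("login alice/bad:  ", login(conn, "alice", "wrong"))
```

Run as a script it prints the two lookups side by side: the concatenated query accepts the tautology and reports a match for a user that does not exist, while the parameterized query compares the whole string as a literal name and finds nothing. A scanner of the kind the post recommends is essentially hunting for the first pattern; a code review checklist for developers should ask for the second.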