The Lethal Injection

Blog Date:  10/23/2017
Author:  Ray Coulombe

Real Life SQLI Examples
As Time magazine reported in their July 20, 2017 article, “Inside the Secret Plan to Stop Vladimir Putin’s U.S. Election Plot,” hackers targeted a number of state voter registration and election sites, including the state of Illinois. In one Illinois jurisdiction, as the article states, “instead of entering his personal information in one of the fields for names and addresses, the hacker uploaded a string of malicious prewritten code, executing a classic hack known as SQL Injection (SQLI). With that, the hacker opened a back door to all 15 million files on past and current voters in the state since 2006. And for nearly three weeks, no one knew he was there.”

Companies small and large aren’t immune. In fact, many smaller firms and individuals use WordPress to construct their web sites, yet it’s an environment which is known historically to be vulnerable. Wordfence reports that 18 percent of the nearly 1,600 WordPress vulnerabilities enumerated over 14 months were SQL Injection based.

A Veracode analysis has determined that our Federal Government has the highest prevalence of easily exploitable vulnerabilities like SQL Injections and cross-site scripting. Want to see more examples? Visit http://codecurmudgeon.com/wp/sql-injection-hall-of-shame.

SQL stands for Structured Query Language which provides an architecture, structure, and syntax for constructing and interacting with relational databases. Among its database functions, SQL can execute queries, retrieve data, and insert, delete, and update records.

Objectives for SQLI attacks differ, but include:

  • Theft of financial information
  • Theft of personal or personnel information
  • Theft of competitive information
  • Strategic, or state-sponsored
  • General mischief or damage
  • Privilege escalation and control

How it Works
Database-driven web applications typically contain server-side script written in a programming language that extracts information from a back-end database in a user-driven process. A client-side interface passes information to the web server that calls an API from the application server (e.g., a database server). The database application will reach into the database to fulfill the request. An example of a statement (drawn from my own website) passed to the web server is found here, which is requesting product information from a company whose ID in the database is 496. The “?” is a separator preceding the query string. Manipulating the query string is a means to work your way into the database or to tickle enough information out to further refine the attack strategy. A successful SQLI attack requires the attacker to construct a syntactically correct SQL Query to present to the logic tier.

At this point, you might ask what this has to do with our world pf physical and electronic security. For starters, most enterprise access control systems use relational databases to store everything from users to privilege levels to credentials and more. SQLI is a potential vulnerability along with an attack known as cross-site scripting (XSS). Further, LDAP (Lightweight Directory Access Protocol) is being increasingly used for enterprise-wide access and may also be subject to these injection attacks.

How to Protect Your Applications
Manufacturers should take a number measures to protect their applications. It starts with secure coding, which should be an integral part of the development process. Code analysis tools are available which include the insertion of random data into the inputs and running test case scenarios. Validating inputs is essential, where input is checked to ensure that it conforms to rigid specifications, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. Employ “least privilege” with an understanding of what levels of access individual users really need. Also, Admin privileges should be provisioned so that there’s a barrier between the database application and other applications on the system or the operating system itself. Techniques such as stored procedures and parameterized queries can prevent the implementation of bad commands masked as variables.

Manufacturers and end-users both can use the services of outside organizations to perform penetration testing on their applications and networks. Representatives of both Lenel and Software House confirmed to me that they do this. End users should also make sure that their servers are cyber-hardened, consider Intrusion Detection and Intrusion Prevention systems, and subscribe to the Defense in Depth concept.

Knowledge is Power
Integrators and end-users alike should ask the hard questions of the manufacturers about means taken to cyber-harden applications. But it’s more vital that security professionals should make it their business to become as knowledgeable as possible! These threats are increasingly complex and attack tools are only becoming easier to use.

 

Resource Blogs

Most Recent Blog List for Blog Author: Ray Coulombe

Security Specifier Blog List Image for  Stay Safe! While Traveling This Summer

Stay Safe! While Traveling This Summer

It’s summer vacation time! The last thing you need to worry about it is getting your identity stolen while you’re sitting on a beach somewhere exotic. In 2016, more than 15 million Americans were victims of identity theft, up 16 percent from the previous year, according to Experian. Plus, about 33 percent of that fraud took place when people were traveling. Here’s a few tips to staying safe all summer while traveling...
read more -->

Security Specifier Blog List Image for Rethinking Cabling

Rethinking Cabling

Cat 5e became an ANSI/TIA/EIA standard in 2001, Cat 6 in 2002, and Cat 6a in 2008. However, it may be extremely useful to consider taking advantage of other existing cabling infrastructure in lieu of running new. Read more to learn how to approach cabling.
read more -->

Security Specifier Blog List Image for Off the Beaten Path at ISC West

Off the Beaten Path at ISC West

This year at ISC (the International Security Conference and Exposition), I was determined to try to see the latest iStechnologies hiding in the nooks and crannies—literally! I visited booths in the back, the basement, small kiosks hidden inside larger vendor books, and throughout the Emerging Technology Zone.

In case you missed the show, I’ll round up some of the best new technologies and companies to keep an eye on. Read more.
read more -->

Security Specifier Blog List Image for Cyber Crime Taking Down Cities

Cyber Crime Taking Down Cities

Earlier this year, in March, the City of Atlanta’s nearly 8,000 employees heard words they never thought they would hear: “It’s okay to turn your computers on.” Their computers were powered off for five days. In those five days Atlanta residents could not pay traffic tickets, water bills, or report city issues. Read how ransomware impacted this metropolitan area.
read more -->

Security Specifier Blog List Image for A Few Thoughts on K-12 School Security

A Few Thoughts on K-12 School Security

There is no one size fits all when it comes to K-12 school security. Schools vary in so many ways: size, age, local environment, affluence, culture, governance, and more. Read some helpful tips and resources that might just help your school be better prepared.
read more -->


Copyright Ⓒ 2010 SecuritySpecifiers™
>