Little thing...big mess

Simple SQL injection vulnerability to blame for biggest ever theft of passwords

Coman Hamilton
injection

Securing an API against SQL injection is relatively simple, and yet 420,000 websites have fallen victim to the old-school hack

The largest ever cache of stolen passwords has been
amassed using a simple SQL flaw. A Russian e-crime ring absconded
with 1.2 billion passwords from 420,000 websites, the New York
Times has learned.

Although the group of hackers have set a new record in
cybercrime, their black hat technique is by no means new. SQL
injections, which occur when an interpreter is tricked by hostile
data sent to it as part of a command or query, is an old trick used
to trick old code into giving it access to data or even allowing
hackers to make commands.

SQL injection is not unlike walking into a tax office
and pretending to submit your taxes – only instead you convince the
clerk to hand over information about your neighbours.
Cybercriminals will set up an automated system that will test sites
for injection flaws, according to the
New York Times
, who broke the story on the password theft. Once
a vulnerability is spotted, the individuals can return later to
plunder the site of any valuable data.

Injection attacks are a relatively common phenomenon
in cybercrime, due to the sheer frequency of the vulnerability. On
top of the high success rate, an attack will almost always lead
cybercriminals to valuable data, sometimes about the application –
in this instance a treasure trove of user passwords.

A SQL injection flaw in the Wall Street Journal was
recently exploited by a lone hacker called w0rm to gain access to
the newspaper’s database. Flaws like these are often first
uncovered by white hat
hackers
, bounty hunting for vulnerabilities. But many companies
like Facebook or Volkswagen have been reluctant to reward
benevolent hackers with their “bug bounty”.

Many of the stolen passwords will likely be encrypted,
which can be complicated to unscramble. However it seems that the
criminals have already successfully spammed many of the victims’
social networks, which implies that the passwords have already been
cracked or may even have been unencrypted to begin with.

Defending against injection attacks is “extremely
simple”

It’s not only SQL that is vulnerable to Jedi mind
tricks like these: NoSQL, LDAP and Xpath queries in legacy code are
also open to injection attacks. Although there is extensive
documentation on successful defence techniques, which
OWASP
describe as “extremely simple”. The problem with a black
hat method like this, however, is that it can be tricky to spot
during testing.

At the same time, it appears that it isn’t (only)
amatuer startups or 20th-century companies that have been affected.
Hold Security, the US firm that uncovered the theft, claims the
Fortune 500 companies are among those to have lost personal user
credentials to the cybercriminals.

Securing SQL queries against injection attacks

The Open Web Application Security Project (OWASP)
lists three major defence approaches to secure an API against SQL
injection attacks. The first is to use
prepared statements
(or parameterized queries) which make sure
the attacker cannot change the intent of query, as a certain
Russian cybercrime organisation did.

The second defence is
stored procedures
, which defines the SQL code for a stored
procedure on the database, which is then called from
application.

Finally, OWASP suggests alternatively
escaping user input
before putting it in the query. Although
less reliable than the previous two techniques, this method of
defence is best for developers worried that prepared statements or
stored procedures might slow down a legacy application’s
performance.

Author
Coman Hamilton
Before becoming Editor of JAXenter.com (S&S Media Group), Coman completed an M.A. in Cultural Studies and wrote for numerous websites and magazines, as well as several ad agencies. // Want to submit a story? Get me at coman[AT]jaxenter.com or linkedin.com/in/comanhamilton
Comments
comments powered by Disqus