Ruminations of J.net idle rants and ramblings of a code monkey

Sql Injection #1 Hacker Technique

Security

On April 15, Verizon Business Security Solutions released The 2009 Data Breach Investigations Report, a comprehensive analysis of the data breaches that they investigated throughout 2008. A total of 285 million records were compromised as a result of these breaches, and 79% of them (approximately 214 million records) were compromised through SQL injection based attacks, typically against custom-developed web applications. Attackers are focusing on the financial industry (representing 93% of total records) and, in particular, on PIN data together with the associated credit and debit accounts; these records represent a far greater risk to the compromised user’s financial data and funds than magnetic stripe records or simple credit card account numbers.

Do I have your attention yet? Are you thinking to yourself “Holy Cow!”? I know that I was when I first saw this … we’ve known about the potential exploits of Sql Injection for a long time now (almost 10 years) and it’s still the most successful method of choice for data breaches. And these aren’t easy or simple breaches … the breaches that are considered the most complex are responsible for 95% of the compromised records … some of these attacks were the result of months of research. Who, you may ask, would have the time, patience and resources to dedicate so much effort to an attack? Of the external breaches where the IP was traced to a specific entity, 16 out of 25 were traced to known organized crime outfits. We aren’t dealing with the zit-faced script kiddie here, munching pizza in the darkness of his parents’ basement. We’re talking about career criminals that will take advantage of this information. Conventional wisdom often points to insiders as the most dangerous breach, but this data does give pause to that assumption. The largest and most damaging breaches were externally sourced, not internally. Still, one should not, and in looking at the data, cannot, dismiss the damage potential of internal breaches; while the largest individual breaches were external, the median number of records compromised from internal attacks was just over 2.5 times the number of records from external sources. As far as risk and damage potential, both sources are a high risk for compromise.

“Wow!” you say, “I thought that Cross Site Scripting was OWASP’s #1 threat!” Well, injection attacks are #2 and I’d bet it was a close race. That said, it’s not so simple. Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) have been used to spread JavaScript-based worms that then use Sql Injection for an attack. Attack vectors, it seems, don’t like to be alone and prefer to travel with their buddies.

We’ve known about Sql Injection and its potential for damage for a long time now. We’ve known that this type of attack is technology and database agnostic. Yet it is still a major issue. And it’s difficult to get developers to actually listen to security talks … there is still the attitude, it seems, that security is an infrastructure problem – but it clearly is not.
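The technology-agnostic point above comes down to one coding habit: whether user input is spliced into the SQL text or passed as a parameter. This is an added example (not code from the original post) using Python with the built-in sqlite3 module and a small constructed users table; the same two patterns exist in every language and driver.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pin TEXT)")
    conn.executemany(
        "INSERT INTO users (username, pin) VALUES (?, ?)",
        [("alice", "1234"), ("O'Brien", "5678"), ("carol", "9012")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The input is concatenated into the statement, so the database parses it as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Parameterized query: the driver passes the value separately; it is only ever data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup_both(username):
    """Run the same input through both versions and return (vulnerable, safe) results."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, username)
    except sqlite3.Error as exc:
        # A quote in ordinary data already breaks the concatenated query.
        vuln = "error: " + exc.__class__.__name__
    safe = lookup_safe(conn, username)
    conn.close()
    return vuln, safe


if __name__ == "__main__":
    for name in ("alice", "O'Brien", "x' OR 'a'='a"):
        print(repr(name), "->", lookup_both(name))
```

A legitimate name containing an apostrophe is enough to make the concatenated query fail, and an input that closes the quote changes the query's logic; the parameterized version answers correctly in every case.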

Are you one of the ones who care deeply about security? Or do you want to prove my previous statement wrong (I’d love to be proven wrong on that)? Why don’t you show up at the Houston OWASP group or your local OWASP group?