In the world of computer security exploits, SQL injection attacks have recently received more attention from the press than any other type of malware attack.
Thanks to events like the massive LizaMoon attack and the notorious takeover of the webpage for shadowy IT security firm HBGary Federal by the Anonymous “hacktivist” group, the SQL injection has come to the forefront of IT security chatter for 2011.
If you like this article, you might be interested in some of our older articles on Alternatives to Apache and IIS Web Servers, Server Monitoring Tools, How to Create a Basic Drupal Block Module, Exciting In CSS3, AB Testing, and QR Codes.
Like other code injection techniques, a SQL injection takes advantage of an existing bug or vulnerability. Injected malicious code can alter how a program executes, with potentially calamitous results. SQL stands for Structured Query Language, a means of communicating with a database. Virtually all websites rely on a database of some sort; this is where webpage content, usernames, passwords, and other data are stored. An attacker can use a SQL injection to target common databases such as MSSQL, SQLite, and the very popular open source MySQL (in fact, even the website mysql.com was hacked in late March with a blind SQL injection). With a SQL injection, a successful attacker can bypass login procedures, gain access to stored data, deface a website, redirect traffic, and even shut down the database server.
According to Internet security firm Websense, the LizaMoon mass injection that took place at the end of March 2011 started with about 28,000 sites infected, including some very popular Internet destinations such as iTunes. In the following days, the number of infected websites grew to over one million. Websense is credited with having first identified the massive spread of LizaMoon. In essence, LizaMoon is a “scareware” attack, tricking the end user into believing that his or her computer is compromised by a nasty virus. The ultimate goal of the attack is to get the user to download and install a piece of rogue software, which could ultimately be used to extract sensitive information such as passwords and credit card numbers.
As the LizaMoon SQL injection continued to cut a trail of infected hosts, Microsoft acknowledged that it was aware of the attacks taking place and attributed them to vulnerabilities found in third-party content management systems (CMS). Some security experts noted that Microsoft SQL Server versions 2003 and 2005 were at risk, but not SQL Server 2008. While it may appear that MS SQL Server has tighter security, the fact is that any database can be left vulnerable to a SQL injection if input is not validated.
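The two points above, that unvalidated input lets an attacker bypass a login check and that the fix is in the application rather than the database product, as an added example that is not from the original article. It uses an in-memory SQLite table with constructed sample data and contrasts a query built by string concatenation with the same query using bound parameters.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite user table standing in for a
# real site's database. No real site or credentials are involved.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation, so user input becomes SQL.

    A quote character in the input changes the structure of the WHERE
    clause; this is the defect behind the login bypass described above.
    """
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    (count,) = conn.execute(query).fetchone()
    return count > 0

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the input is data, never SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0

def demo() -> dict:
    """Runs both versions against valid, wrong, and quote-bearing input."""
    conn = make_db()
    # A quote-bearing "password" that terminates the string literal early and
    # appends an always-true condition. The parameterized version treats it
    # as an ordinary (non-matching) password string.
    tautology = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_wrong": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, "alice", tautology),
        "safe_valid": login_parameterized(conn, "alice", "correct horse"),
        "safe_wrong": login_parameterized(conn, "alice", "wrong"),
        "safe_injected": login_parameterized(conn, "alice", tautology),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same pattern applies to MySQL and MSSQL drivers: the vulnerability is in how the application assembles the query, not in which database engine runs it.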
In the case of the SQL injection that the Anonymous group used to gain access to HBGary’s website, mail server archives, and enterprise office applications, the culprit was a vulnerable web application. Security experts have commented that the CMS software used by HBGary was either poorly written or did not follow basic Open Web Application Security Guidelines (OWASP). Most off-the-shelf CMS packages are proactive about security issues, offering fixes and updates, and are thus less susceptible to SQL injection attacks.
Ever Increasing Attacks
Returning to the last point about being proactive about security, Microsoft has recently released a lengthy report that highlights the increase in complex attacks against Internet-connected devices. According to Microsoft, the vulnerabilities exploited by the new threats aren’t easily found.
IT security giant Symantec makes the same case in its Internet Security Threat Report, Volume 16. The report states that 286 million new threats were identified in 2010 alone, and that the number of websites under attack doubled compared to the previous year. And just to stoke the fire a little more, the popularity of mobile Internet-connected devices like smartphones and tablet computers is increasing the chances of the bad guys finding and exploiting vulnerabilities.
If there is anything to be learned from the incidents and reports mentioned above, it is that 2011 is shaping up to be one of the busiest years for computer security experts.