Last week, a hacker group claimed that it breached computer systems at 100 major universities. Team GhostShell gained access to servers at Stanford, Harvard, and the University of Michigan, among others. The technique used, SQL injection, is not new or complex, but reportedly it's becoming increasingly common. Here's a quick guide to defending your servers.
We asked researchers at security firm Sophos to explain what an SQL injection is and how it can be stopped. Before launching into that, though, for laymen, here are a couple things you need to know about an SQL injection before learning how to stop one.
- SQL stands for Structured Query Language. It is an international standard for interacting with databases.
- Statements in SQL can retrieve, insert, create and otherwise change data in a database.
- Code injection is a technique used by hackers to exploit vulnerabilities in a website.
“SQL injection is an old, well established method of attacking systems," said Sophos threat researcher Fraser Howard. "It consists of inserting malicious SQL statements into an application to cause it to perform some undesirable function.”
Mechanics Of An Attack
Undesirable action sounds nasty. What does it mean exactly? Here are a few examples:
- Dump table (i.e., return a dump of the entire contents of a database table). This is a great way to steal data. Could be used to gain access to a system (dump admin password, then access the system etc.)
- Drop table (delete table contents). Destructive. Attackers do not necessarily gain access to the data, but they can break the system. Data may be irretrievably lost.
- Modify table. Insert additional data into the database table.
Basically, once a SQL injection has its hooks in your database, it can do whatever the heck the malicious hacker behind it wants. Steal your data (most commonly), delete your data, change your data.
“Imagine a website where page contents are stored in a database,” Howard wrote. “When you browse the site, the database is queried, and the page shows you whatever information is relevant. For example, a shopping site. You search for carrots, it queries the database and gets the price. The page you view displays this price.” A malicious hacker using SQL injection could download the store's entire stock list, wipe it out, and/or change all the prices (or any other category of information).
One further problem with SQL injection not related to theft: Hackers can change the query instructions for a Web application. So instead of the application querying its own server and obtaining information, the query can be sent to a server of the hacker’s choice. This can lead to malware infecting a user’s computer.
Scary stuff, huh?
How To Defend Your Servers
According to Howard, defense against this type of attack is all about the Web application that is the door to the server. Protect that application and you protect the server. In theory, at least. Most organizations likely will remain vulnerable to a dedicated, sophisticated hacker no matter what they do.
Not all hackers are so single-minded, so it makes sense to be prepared. Here are the steps Howard recommends to defend against SQL injection attacks:
- Secure programming. Design applications securely from the start. SQL injection is not new, and there are many books and online resources to help developers build applications that are secure against this attack. The most common vulnerability is an application that doesn't sanity-check user input such as data entered into Web forms. If the input is not checked, an attacker can use such forms to inject malicious instructions.
- Firewalling. This does not replace secure programming. However, it can add a layer of defense in front of your Web server. Web application firewalls can help to block most attacks.
Many organizations are vulnerable to SQL injections because they outsource their Web application development, rush production, test poorly and take little regard for security. “Recipe for disaster,” Howard said. “Lots of easy targets out there.”
In security, the guidelines are usually pretty simple: Take your time, factor security into everything you do, and use common sense. Security might seem like the boring part of what you do, but if you do not pay attention to it, there is a hacker just waiting to break into your databases and steal, destroy, or alter your data.