Tag Archives: SQL Injection

Cybersecurity SQL Injection Irony

letters on cork board spelling ironyIt’s been a funny week for the SQL Injection Hall-of-Shame. As those who follow the Hall-of-shame know, there’s a pretty steady trickle of new incidents published regarding SQLi. It’s usually a few every month, not as many as are currently going into my new IoT Hall-of-Shame but still very regular.

So I was surprised that this week we have two new entries and they’re both cybersecurity companies. It’s partially funny, partially sad and partially scary.

First up is Staminus. They’re a DDoS protection company and seem to have a very good product. I spend more time on the SwSec and AppSec side of things but the kind of work they do is also important. However when you’re a security company, it’s just funny to people when you get hacked.

In this case Staminus was not only vulnerable to sql injection, but they were also doing other bad cybersecurity practices. In particular they seem to be storing customer credit card data unencrypted. One tenet of security is that you can never stop all attacks. You have to prepare for the inevitable day when someone breaches your system. That’s why it’s important that we have strong encryption, complaints from the FBI notwithstanding.

Following the attack the hackers actually left a funny message. The published a document called Tips when running a security company and detailed all the weaknesses they discovered due to bad security practices. In their defense, security expert Brian Krebs noted that anti-DDoS companies are regular targets for attackers.

Also in the news this week was well-known computer security company Symantec. They have a large share of the enterprise computer security market with their Symantec Endpoint Protection (SEP) product. SEP allows companies to manage the security software for all of their computers from a central management console (SEPM) and this was the tool that has the vulnerabilities.

As it turns out there are two vulnerabilities in SEPM, one is cross-site request forgery and one is SQL injection. While Symantec has called this a routine advisory, it was serious enough for US-CERT to issue an update advisory telling people to patch their SEPM software. US-CERT (United States Computer Emergency Readiness Team) is the government body in the US that keeps track of cybersecurity issues.

Yes, cybersecurity issues can and do happen to everyone. But we can all get at least a bit of a laugh when companies who’s only job is security are the targets. This is especially true when the issues involved are simple and preventable like SQL injection.

SQL Injection – When Will We Learn?

Once again a major web site has been hacked using good old-fashioned SQL injection. Over the weekend Nokia’s developer forum was hacked, resulting in a Homer Simpson face being put up on their web (funny) and the loss of names, email, and other personal for many developers (not funny). This is but the latest in a now very long string of SQL injection attacks, and personally I don’t see much excuse on the part of those attacked.

It might have been possible a year ago for a major corporation to decide that the threat of SQL injection was less than the cost of preventing it, although that’s debatable. In an AntiSec world, that is no longer possible. The threat is well known, as well as the mechanisms to prevent such a threat. There are well-known steps once can take to avoid injection issues. This will not guarantee that hackers cannot do anything, but why make it easy for them. One LulzSec programmer said in an interview that it was almost embarrassing to use such a simple hack – it made him look bad as a hacker.

So what CAN be done to improve software security? Well a few simple things: policy, tools & training.

It all starts with having a proper security policy. This means the organization needs to think ahead of time about what can happen and how to prevent it. Assessment of the likelihood of particular threats happening, their ease, the cost of dealing with them versus that cost of preventing them, all need to be part of a standard threat assessment. If you’re not sure how to do this, seek professional help from someone that knows what they’re doing.

Having the correct policy based on real world information lets you control and justify costs and scheduling delays. Frequently organizations end up checking security in the QA phase of software development where it is way too late to do what’s needed. Better to bake it into the process.

Be especially careful not to fall in the trap of “We’ll make sure nothing bad ever happens” which can lead to further problems. You need to understand that at some point someone WILL get in, and decide now how you’re going to mitigate the loss. In other words, you shouldn’t have passwords stored in plain text on the fallacious theory that you can prevent all break-ins.

Your security policy should include at a minimum requirements for password strength, encrypting private data, proper use of admin passwords, and other such items.

First and foremost – there are NO silver bullets. There is not a single tool or a set of tools out there that will secure your site. Such a solution is not likely in the foreseeable future either. That being said, there are definitely tools available to make the process of securing your site and software easier. Such tools should be a critical part of your security tool kit.

Static analysis is the most critical tool to prevent SQL injections. Outside of making all your database calls into stored procedures, it’s about the only thing that can really batten down the hatches. If you really want to secure your site, you must have static analysis tools that will identify dangerous input API’s, and check that validation is always, always, always performed.

Which leads me to my next point, there are those who concentrate on penetration testing tools and fixing issues found there. They believe that flow analysis is a much more interesting technology that stodgy old static analysis. Therein lies the problem. Flow analysis is a fine paranoia tool to make sure that you didn’t miss anything, but it can never find all paths through a site or application, and cannot ensure that you are safe merely because it didn’t find anything.

Use static analysis to make sure you’re validating everything, use penetration testing to be sure that your static analysis is setup properly. If pen testing finds anything, fix it, but look back at your process, tools, and procedures and figure out how it slipped through the cracks. Pen testing tells you more about your security infrastructure than it does about your software.

I’m including various techniques that reduce or eliminate the possibility of SQL injection as part of training. Learning techniques is after all the point of training. I have worked with organizations who were trying to improve security and not surprisingly find developers challenging the results of a security assessment. It’s not a measure of how smart or experienced they are, but rather another reminder that on the whole the software industry is lacking proper training in secure software development.

Michael Sutton, VP of security research at Zscaler said it very well: “It’s very easy to create a Web application today. It’s not easy to properly secure that application.”

The techniques to be used should easily map back to your security policies. For example encryption should be required for all private data. Database credentials must be appropriate to the account, IE the web site should not be accessing the database as an administrative user.

Used stored procedures where ever possible. They will take some extra effort, but make it much more difficult for hackers. As a side benefit you may see a performance improvement switching to stored procedures. You also make it less likely that a missed input validation will have a negative effect.

Validate all input, every bit, no matter where it comes from. Don’t just check input fields in forms, also check when you’re pulling data out of the database, from an input stream, etc. No excuses, steps. Hackers frequently gain access to systems in an incremental fashion – image that someone was able to subvert your very secure web forms because he found a way to put corrupt data in a field in your database.

When validating do not rely on penetration testing and flow analysis to find out if you’ve used tainted data. As mentioned above, these techniques are not thorough. Use proper naming conventions so you can spot input methods, black-list unknown API’s during testing, and require that the distance in the code between input and validation is zero. This means that your flow analysis won’t find anything, but that’s OK. It also means that you’re safe.

There are many other simple things you can do. To find out more in detail, check many of the excellent articles and tutorials on the web, such as Strike Back at SQL Injections and Stop SQL Injection Attacks Before They Stop You, seek expert advice, and feel free to ask questions.

SQL Injection can almost always be avoided. Yes, there are other security issues out there that you need to handle as well, but this is one that can be easily executed and is very likely to happen. It’s also relatively easy to prevent, which should put it high on anyone’s to-do list if they’ve made a thorough risk assessment.