One of the oldest ways of attacking an SQL database is still successfully being exploited by criminals to gain access to personal information, yet according to one expert it’s easy to prevent.
That’s the message from the revelation that a Russian gang has assembled what is described as one of the biggest caches of stolen data, some 1. 2 billion pairs of usernames and passwords, largely thanks to SQL injection attacks on Web sites worldwide.
The discovery was announced this week by consulting firm Hold Security of Milwaukee, which after seven months of investigation said the group has amassed a total of over 4.5 billion records, mostly consisting of stolen credentials from over 420,000 web and FTP sites.
Through the underground black market, gang got access to data from a large group of virus-infected computers controlled by one criminal system. “These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited,” said Hold Security. “Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone.” Then the gang plundered those sites’ databases.
SQL injection is a technique by which a hacker enters a malformed SQL statement into a Web site textbox that changes a query so that it can be used to break into a database. SQL databases from Microsoft, Oracle, MySQL and others. According to Microsoft, these attacks are possible in part because the SQL language has a number of powerful features including the ability to embed comments in a SQL statement using a pair of hyphens, to string multiple SQL statements together and execute them in a batch and to use SQL to query metadata from a standard set of system tables.
But Johannes Ullrich, the head of research at the SANS Institute, a security training provider, says there’s no reason why SQL injection vulnerabilities should exist today. The solution, he said in an interview, is for SQL coders to use prepared statements that separately send SQL statements and user data to the database. That way the user data can’t change the statement, he said.
The alternative is called dynamic SQL, where the SQL statement is assembled as a string using user data. “That is fraught with problems,” Ullrich said, “and usually leads to a SQL injection.”
Prepared statements are the current best practice for SQL database development, he said.
“The problem has been known for a long time – 10 years, maybe longer than that,” said Ullrich, who also heads the Internet Storm Center. But some databases didn’t support prepared statements until five years ago.
As a result some older database developers may not be familiar with it, he said, “and haven’t caught up with the times.” Prepared statements are “slightly more difficult to write – two or three lines of code instead of one line of code,” he added.
Ullrich also said he wasn’t surprised at the Hold Security revelation. If one adds up all the reported password breaches in the past it probably adds up to over a billion, he said. “You have to assume that if you use a password on multiple sites it’s has to leak.”
Kevvie Fowler, a partner in KPMG Canada’s security advisory service and co-author of a book on SQL injection attacks and defences, said in an email that the discovery of that someone has a database of stolen passwords isn’t new. “There are thousands of Internet systems currently containing data stolen as part of past breaches that have yet to be detected by victim organizations. The alarming point of this finding is the sheer magnitude of records involved.”
It isn’t clear how valuable the Russian trove is. Hold Security acknowledges that not all of the passwords are valid or current. Nor is it known how many of the passwords lead to important sites – banks, email accounts or flower enthusiast blogs. But the volume of what the gang has means at least some are likely linked to sensitive sites.
The Hold Security revelation has also drawn criticism for its timing and questions about its altruism. The company released the news during this week’s Black Hat IT security conference in Las Vegas, when a number of vendors are issuing press releases about their research discoveries and product strengths.
Hold Security itself accompanied its revelation by announcing a new corporate breach notification service. “We are not trying to get business from these people in a way that would be inconsistent or predatory,” company founder Alex Holden told the Milwaukee Journal Sentinel. “We are just making sure that we are putting ourselves on the map to be heard that this is an issue.”