At a recent manufacturer’s A&E event, I asked a simple question: “How many of you have heard of SQL Injection?” Among this highly knowledgeable group of industry experts, only about 30 percent of the hands were raised. If you are thinking that it is some type of cyber thing, you are correct; if you are thinking that it will not affect you, you are wrong.
As Time Magazine reported in its July 20 article, “Inside the Secret Plan to Stop Vladimir Putin’s U.S. Election Plot,” hackers targeted a number of state voter registration and election sites, including Illinois. In one Illinois jurisdiction, “instead of entering his personal information in one of the fields for names and addresses, the hacker uploaded a string of malicious prewritten code, executing a classic hack known as SQL injection (SQLI). With that, the hacker opened a back door to all 15 million files on past and current voters in the state since 2006. And for nearly three weeks, no one knew he was there.”
Even large IT companies are not immune. In July, the US-CERT/NIST National Vulnerability Database published an analysis of CVE-2017-8002 which states: "EMC Data Protection Advisor prior to 6.4 contains multiple blind SQL injection vulnerabilities. A remote authenticated attacker may potentially exploit these vulnerabilities to gain information about the application by causing execution of arbitrary SQL commands." (A "blind" injection is one where the attacker never sees query output directly and must infer results, one true/false answer at a time, from how the application responds.)
Many smaller firms and individuals use WordPress to build their websites and blogs, yet it is an environment that has historically been vulnerable. Wordfence reports that 18% of the nearly 1,600 WordPress vulnerabilities it enumerated over 14 months were SQL injection based.
A Veracode analysis found that, of the industry sectors it compared, our federal government has the highest prevalence of easily exploitable vulnerabilities such as SQL injection and cross-site scripting. For more examples, visit http://codecurmudgeon.com/wp/sql-injection-hall-of-shame.
Objectives for SQLI attacks differ, and may include:
- theft of financial information;
- theft of personal or personnel information;
- competitive information;
- strategic, state-sponsored;
- mischief or damage; and
- privilege escalation and control.
Inside the Vulnerability
SQL (Structured Query Language) is the standard language for defining, querying and manipulating relational databases. With it an application can execute queries, retrieve data, and insert, delete and update records. The databases behind those applications may hold personal records, passwords, credit card numbers, medical data, purchase history and more.
Numerous websites publish lists of sites found to be vulnerable. Relational database servers are available from Oracle, Microsoft, and open source projects; the open source MySQL arguably has a larger share of less experienced implementers and the weakest security model. Whatever the product, the weakness is almost always in the application code that builds the queries, not in the database engine itself.
Database-driven web applications typically contain server-side script that extracts information from a back-end database in response to user input. The client-side interface passes information to the web server, which calls an API on the application server (e.g., a database server); the database application then reaches into the database to fulfill the request. An example of a request (drawn from my own website) passed to the web server is https://securityspecifiers.azurewebsites.net/FP_ProductAreas.asp?CompanyID=496, which requests product information for the company whose ID in the database is 496. The "?" separates the page from the query string that follows it. Manipulating the query string is one way to work into the database, or to tickle enough information out of it to refine the attack.
A successful SQLI attack requires the attacker to supply input that, once the application splices it into its own SQL, still forms a syntactically correct query for the database tier to execute.
The Impact on Physical Security
Other than making for interesting reading, you might ask what this has to do with our world of physical and electronic security. For starters, most enterprise access control systems use relational databases to store everything from cardholders to privilege levels to credentials and more, and any web or application interface that builds SQL from user input is exposed to SQLI, as well as to a related attack known as cross-site scripting (XSS). Further, LDAP (Lightweight Directory Access Protocol) is increasingly used for enterprise-wide access and is open to the same style of injection attack when unvalidated input is spliced into a directory query.
Manufacturers should take a number of measures to protect their applications. It starts with secure coding as an integral part of the development process. Code analysis tools are available, as are fuzzing tools that feed random or malformed data into the application's inputs and run test scenarios against them. Validating inputs is essential: each input is checked against a rigid specification covering length, data type, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules.
Employ "least privilege," with an understanding of what level of database access individual users, and the application itself, really need. The account the application uses to reach the database should not be an administrative one, and it should be provisioned so that there is a barrier between the database application and the other applications on the system and the operating system itself. Parameterized queries (prepared statements) keep user input in the data channel, so a bad command masked as a variable is never parsed as SQL; stored procedures give the same protection only if they do not build dynamic SQL from their arguments internally.
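To make the query-string example and the defenses above concrete, here is an added example (not code from the original article, the SecuritySpecifiers site, or any product named here) that models the CompanyID lookup behind a URL such as FP_ProductAreas.asp?CompanyID=496, first written the vulnerable way and then hardened with input validation, a parameterized query and a least-privilege connection. SQLite stands in for the real database server, and the table names, rows, file path and attack payloads are all constructed for illustration.

```python
"""Added example, not from the original article or the SecuritySpecifiers
site: the CompanyID lookup behind FP_ProductAreas.asp?CompanyID=496, first as
a vulnerable string-built query and then hardened. SQLite stands in for the
real database; tables, rows, paths and payloads are constructed."""
import os
import re
import sqlite3
import tempfile

# Constructed schema: the product-area table the page reads, plus an
# unrelated credential table an attacker would like to reach through it.
SCHEMA = """
CREATE TABLE product_areas (company_id INTEGER, area TEXT);
INSERT INTO product_areas VALUES (496, 'Access Control'), (496, 'Video'),
                                 (501, 'Intrusion Detection');
CREATE TABLE app_users (username TEXT, password_hash TEXT);
INSERT INTO app_users VALUES ('admin', 'constructed-hash-value');
"""
DB_PATH = os.path.join(tempfile.mkdtemp(), "specifiers.db")


def build_db() -> None:
    """Create the sample database as a file so it can later be opened read-only."""
    conn = sqlite3.connect(DB_PATH)
    conn.executescript(SCHEMA)
    conn.commit()
    conn.close()


def vulnerable_product_areas(company_id: str) -> list:
    """The classic pattern: the raw query-string value is concatenated into
    the SQL text, so whatever the client sends becomes part of the statement."""
    conn = sqlite3.connect(DB_PATH)  # application account with full rights
    sql = "SELECT area FROM product_areas WHERE company_id = " + company_id
    try:
        return [row[0] for row in conn.execute(sql)]
    finally:
        conn.close()


def blind_probe(company_id: str, condition: str) -> bool:
    """One step of a blind SQLI: the page returns rows only when the injected
    boolean is true, so the attacker learns one bit per request."""
    return len(vulnerable_product_areas(f"{company_id} AND ({condition})")) > 0


# Allowlist for the one parameter this page accepts: a positive integer ID.
COMPANY_ID_RE = re.compile(r"[1-9][0-9]{0,8}")


def hardened_product_areas(company_id: str) -> list:
    """Validate the input against a strict specification, bind it as a
    parameter so it can only ever be data, and use a read-only connection."""
    if not COMPANY_ID_RE.fullmatch(company_id):
        raise ValueError("CompanyID must be a positive integer")
    conn = sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)
    try:
        return [row[0] for row in conn.execute(
            "SELECT area FROM product_areas WHERE company_id = ?",
            (int(company_id),))]
    finally:
        conn.close()


def least_privilege_blocks_write() -> bool:
    """Even if an attacker reached the hardened path with a write, the
    read-only connection refuses it; True means the write was blocked."""
    conn = sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)
    try:
        conn.execute("DELETE FROM product_areas")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


build_db()

if __name__ == "__main__":
    print("normal     ", vulnerable_product_areas("496"))
    print("tautology  ", vulnerable_product_areas("496 OR 1=1"))
    print("union dump ", vulnerable_product_areas(
        "0 UNION SELECT username || ':' || password_hash FROM app_users"))
    print("blind probe", blind_probe(
        "496", "EXISTS (SELECT 1 FROM app_users WHERE username = 'admin')"))
    print("hardened   ", hardened_product_areas("496"))
    print("write blocked on read-only connection:", least_privilege_blocks_write())
```

The three payloads show the progression the article describes: a tautology (`496 OR 1=1`) returns every company's rows, a UNION reaches a table the page was never meant to expose, and the blind probe extracts a yes/no answer from nothing but the presence or absence of rows. Note which layer actually stops each one: the allowlist rejects anything that is not a plain integer, but the parameterized query is the control that makes the injection impossible even if validation were bypassed, and the read-only connection limits the damage of any query that does get through. Validation and least privilege are defense in depth around the parameter binding, not substitutes for it.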
Manufacturers and end users alike can engage outside organizations to perform penetration testing on their applications and networks; representatives of both Lenel and Software House confirmed to me that they do this. End users should also make sure their servers are cyber-hardened, consider intrusion detection and intrusion prevention systems, and subscribe to the "defense in depth" concept.
Integrators and end-users alike should ask the hard questions of the manufacturers about means taken to cyber-harden applications.
Security professionals should make it their business to become as knowledgeable as possible, because the threats are increasingly complex and attack tools easier to use.
“Products in the industry today are blended – we have desktop, web and mobile interfaces all interacting with the same back-end system,” explains Ed Gauthier, Software Manager at Lenel. “We need to analyze and understand independent attack vectors across multiple platforms, as well as how they can be leveraged together, to achieve a sufficient level of security.”
Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and RepsForSecurity.com. Reach him at [email protected], through LinkedIn at www.linkedin.com/in/raycoulombe or please follow him on Twitter: @RayCoulombe.