Well everybody, Happy St. Patrick’s Day!!! Here in Chi Town, the Chicago River is already dyed in its ever so famous green color, and hundreds of pictures of it swarming all over Twitter. I really don’t celebrate it, so for me it’s another work day (even a Sunday). As I was perusing the news headlines on what to write about it, it dawned on me that I have not really written a techie kind of blog since last year.
All of the blogs (well most of them) have been about what has happened in 2018, and what is happening now, in terms of trends. So, in today’s blog, we are going to review one of the most traditional forms of a Cyberattack – that of what is known as a “SQL Injection Attack”, which involves the intentional or malicious manipulation of databases.
A database in a very general sense, is a software application that stores information and data. For most businesses and corporations, this means stuff relating to their customers, thus, there is a need to obviously protect it as much as possible from a Cyberattacker.
However, a database just doesn’t store this information and data, it can also be processed and manipulated in certain ways so that you can only get the information/data that you absolutely need.
For example, rather than having the database output all of its records, you can write various commands in order to filter through so you can get what you only need. These commands are very often issued through a special programming code called the “Structured Query Language”, also known as “SQL”.
The most widely used databases in Corporate America (which include the Microsoft SQL Server; MySQL, Oracle, PostGRESQL, etc. have the SQL functionality embedded into it.
But this functionality has certain flaws and vulnerabilities in it, which make it open for the Cyberattacker to penetrate into. In particular, a Cyberattacker can easily find an unknown backdoor in the database, and from there, insert unauthorized, or malicious lines of SQL command statements in order to gain covert access to the database.
This is known, in the world of Cybersecurity as a “SQL Injection Attack”. This kind of Cyberattack is aimed primarily towards those databases that serve as the backend for Web based applications. A typical example of this could be an airline website, where a customer, in order to book their tickets, has to enter in their PII and their credit card information (a perfect example of this is the recent Cyberattack on the British Airways website which occurred late last year).
This then gets transmitted and stored into the database and becomes a much sought-after target for the Cyberattacker to get their hands on.
But apart from just entering into the database and stealing the PII, the Cyberattacker can do far more damage, such as alter, edit or even wipe out all of the information that resides in the database. The goal here is to go beyond financial fraud and instead, launch Identity Theft attacks against the victims. The unfortunate part about this is that the victims may never even know about this until years later, when it is too late to do anything about it.
Overall, there are four broad categories of a SQL Injection Attack, and they are as follows:
- The Error Based SQL Injection Attack:
This primarily occurs when a Cyberattacker takes advantage of the error messages that the database reveals to the end user, or even to the Database Administrator. To most of us, an error message means that there is something and needs to be fixed, and that is it. But to the Cyberattacker, these error messages can reveal far more than what is actually displayed on the error message dialog box.
- The Boolean SQL Injection Attack:
With this kind of attack, a specialized SQL query statement is transmitted to the database which forces it to return a different result, depending on whether the SQL query returns a TRUE or FALSE result. From this point the Cyberattacker will then try to confirm if the database is vulnerable to a SQL Injection Attack by carefully evaluating these particular results.
- The Time-Based SQL Injection Attack:
In this scenario, the Cyberattacker will literally issue various commands to tell the SQL Database to “fall asleep” for a certain period of time. If the database does not load up quickly within the established parameters (meaning it is taking too much time to extract information and data when queries are issued to it from a legitimate user), then this will be a telltale sign for the Cyberattacker that there are some serious, unknown vulnerabilities and weaknesses in the SQL database itself.
- The Out of Band SQL Injection Attack:
This occurs when the Cyberattacker uses nontraditional methods into hacking the SQL database, thus the name “Out of Band”. In this instance, the Cyberattacker uses an entirely different line of communication (than what was originally used to launch the SQL Injection Attack) in which to transmit back the hijacked PII, thus further enabling them to cover their tracks and avoid detection.
What is the best way to protect your organization from being a victim of a SQL Injection Attack?
- Make sure that all information and data that is going into the SQL database is “sanitized” and “cleansed”;
- As far as possible, try to turn off the public visibility of the error messages that appear from the SQL database (this is actually of the primary duties of the Database Administrator);
- Construct SQL statements that are error free and which contain legitimate parameters for information and data extraction (this should also minimize the number of error messages that appear);
- Always make sure that you keep your databases updated with the latest patches and upgrades and keep them protected behind a firewall and/or a router.
My thoughts on this?
Well, there you have it, a simple breakdown of what a SQL Injection Attack looks like. But keep in mind, it can be far more complex than this. If you want to see specific examples of SQL Injection Attacks, do a Google search, and you will find a ton of information.
It is important to keep in mind that although the SQL Injection Attack is considered to be one of the most traditional forms of hacking, it is widely used, so don’t let your guard down in this aspect. Just like Phishing Attacks, there are many new variants of SQL Injection Attacks coming out today. If you have any questions or concerns about the information and data you are about to import into your companies’ database, always consult first with your Database Administrator before embarking onto any actions.