Skip to main content

SQL Injection - So Easy, Your Server is Already Cracked

In a simple demonstration, a hapless team discovers the truth. "Your server is vulnerable. It's already been cracked. Oh, and by the way, it's already distributing malware for a botnet."

A Big Case of Oops!

Attitude of management in many organizations is one of the biggest barriers to improved security on the internet. People simply don't want to believe that their systems are vulnerable. Denial is pervasive, and affects organizations from the biggest of the Fortune 500 or Federal government agencies, down to modestly sized companies, local governments, and non-profit corporations.

The attitude of the unnamed client described at the "Following the White Rabbit" blog (link above) is all too common. I suspect that an underlying cause is that people want to believe several things that worked pretty well from an evolutionary perspective, but don't work very well on the internet. When everybody around is a bunch of cave dwellers, consumed entirely with finding food, the marginal difference between the capabilities of "our team" and "the other guys" might be pretty modest, or easy to assess (e.g. "there's five of us, and ten of them... run away!") In fact, even considering the industrialized history of the world, we don't have much experience with the type of scalability that a virtual, software driven environment can provide to an attacker.

Consequently, when faced with a vague potential threat from "the internet", people tend to default to reptillian brain denial.

"These vulnerabilities and exploits look complicated. It's not very likely that anybody could actually exploit them."

They might look complicated to you, a manager, or even a programmer (depending on your particular skill set, which typically won't include "cracking").

They look like a modest engineering or programming exercise, to the people who routinely crack computers for a living. There are toolkits and sample code and it isn't very difficult to build a test bench and try permutations over and over until the crack works.

"Our team isn't that stupid. We wouldn't build and deploy a system that can be easily hacked."

Your site doesn't need to be easily crackable, merely crackable. Some exploits require knowledge of assembly language, SQL, C, C++, and some other specific combination of arcane skills with Internet Explorer, Microsoft Windows, Apache, SQL Server, MySQL, and so forth.

Once somebody with the proper combination of skills has developed the exploit, and shared it with the world, your site could be cracked by somebody with little more programming proficiency than a typical user of IRC (Internet Relay Chat), perhaps someone who needed only drag-and-drop proficiency with a mouse.

"Nobody is that interested in hacking us."

You might be boring, yes. You might have no secrets. But you do have something interesting to them: a computer with a full time internet connection running a web server, and people who visit your web site (sometimes they just want to use your site to spread their botnet to your customers). Furthermore, the bad guys don't know that you don't have any secrets, until they've finished perusing your hard drives and data bases.

Finally, there's the typical denial offered by individual people, when pondering the vulnerability of their own workstation:

"I don't surf to bad web sites, so I won't get a virus (trojan, rootkit, botnet, worm or other malware) on my computer!"

You don't need to point a web browser to a "bad" web site to be victimized by a browser-crawlback. The malware that gets onto your computer may also start poking around your company's internal network, and find ways to exploit or infect systems that don't "surf to a bad web site" or any other web site, at all.


The moral of this story is that we cannot afford to live in a state of denial about the importance of application, network and computer systems security. Enterprises, large and small, need to take the security of their web sites, applications, and internal systems more seriously. The bad guys are kicking your butts. They're stealing your data, and you don't even know it. They're using your systems to spread botnets to your customers.

Comments

Smith said…
Hey Thanks for very nice and detailed review,i had gone through the article,The information provided here is most useful for a person who is interested in computer security. SQL Injection and buffer overflows are the scripting flaws where data overflows which a stable system cannot handle and crashes. Such flaws in developing stages should be avoided. But the intent of forcible insertion of buffer flow code is the nature of a hacker to gain certain ends. For more information:http://www.eccouncil.org/certification/certified_ethical_hacker.aspx

Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not visa.com I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual domai…

Hacker 0x80 0wn3d by FBI (Arrested after Accidental Outing by Washington Post) [1]

What can the botmaster 0x80's impending misfortune [1] teach us about information security? Quite a bit. What the botmaster and the reporter didn't count on is a security risk known as "the aggregation problem" or "point and click aggregation". It's not surprising, as even practicing security professionals are often unaware of this problem, or vaguely aware of the concept but not the name. Information Security dictionaries online generally lack the terms, and don't mention them in their discussion of "disclosure" either. The aggregation problem happens when a series of small facts, any one of which if disclosed present a minimal security risk, combine to present a greater security risk when disclosed together. When aggregated, information from publicly available sources may accidentally disclose information that was intended to remain confidential. As it happens, an IETF glossary contains a definition of the basic term. RFC 282…

Virus Vulnerability for RFID (Radio Frequency ID tags)?

The breeding ground for the computer virus will be expanding continually and rapidly over the next decade as appliances, automobiles, and all manner of other things become equipped with wireless networking and miniature computers. Cell phone and similar networks may enable worms to leap between devices over long distances and other networks over short distances. Researchers have recently demonstrated that RFID tags may be vulnerable next. Articles on the topic: RFID worm created in the lab [NewScientist.com]Viruses leap to smart radio tags [BBC.co.uk]RFID tags could carry computer viruses [SecurityFocus.com] The details for the curious: RFID Viruses and Worms The AntiVirus paradigm that we [the IT community and industry] have foisted upon PC users is already breaking down under the strain of too many virus variants and too many non-technical PC users. The paradigm probably won't work at all for cell phones and the paradigm is completely broken for the typical RFID device whi…