SQL injection: the oldest hack in the book

SQL injection: the oldest hack in the book

SQL injection: the oldest hack in the bookBy Dr. Bill Curtis, Chief Scientist, CAST

The latest reports suggest the highly publicised ‘Panama Papers’ data leak was the result of a hacking technique known as SQL injection. With 11.5 million files being leaked, the Mossack Fonseca breach exceeds even the 1.7 million files leaked by the infamous Edward Snowden. Once more, another high profile company has fallen victim to this common technique. Mossack Fonseca’s lawyers aren’t the first to get their pants pulled down by this trick. They are simply the latest in a long line of victims.

SQL injection has been used by cyber-criminals since the late 90’s. So it begs the question – why is ‘The oldest hack in the book’ still causing companies big problems? There are plenty of ways hackers can break in, but SQL injection remains among the easiest because, despite its age, hackers know there are persisting weaknesses they can exploit.

What is SQL injection?
When a user enters information into a system that uses Structured Query Language (SQL), the system should vet it to make sure that it does not contain malicious input that can be turned into a SQL command. If the system has not been explicitly programmed to vet the inputs, then a hacker can enter a string of characters that will be translated into a SQL command which can instruct the underlying database to return some of its contents such as financial records, credit card numbers, or other confidential information.

Vulnerability to SQL injection is why many systems do not allow users to enter certain characters that would be used in a SQL command. Considering how long we have known about the SQL injection weakness and how often it is exploited, why wasn’t it eliminated from systems years ago?

The continuing issue of SQL injection
Despite the numerous hacks that have been linked to SQL injection, too many IT departments have yet to clean up security holes in their applications. From the 130 million customer payment card details that were stolen at Heartland Payment Systems a few years ago, to 40 million customer records being breached at Target Stores, to the recent breaches at UK’s TalkTalk, and Panama’s Mossack Fonseca, the initial penetration into a system too often begins through a SQL injection vulnerability. Clearly, there is a severe lack of diligence in making systems secure.

IT organisations mobilised a massive attack on the turn of the century (Y2K) that threatened to bollix many computer systems at midnight on New Year’s Eve Year 2000. Why aren’t we attacking security weaknesses such as SQL injection with similar urgency to prevent this unending flood of breaches? With some of these breaches costing over $100,000,000, the financial justification should be clear. At Target, not only was the CIO fired, the CEO was released as well.

How businesses can protect themselves
Fixing the SQL injection issue is simple yet complex at the same time. New automated testing and measurement tools have come to market, removing the need to tediously go through each line of code manually. However, it is still a requirement to go through each system individually, and in today’s modern business environment that is no easy task. The main goal for companies embarking on this measurement process is to continually assess their systems for security and other IT risks before entering new code into production and exposing it to users.

At the crux of the issue is implementing the proper assurance processes and tools. Without automated analysis technologies, a thorough analysis of code cannot be performed at the scale of modern multi-tier applications. Without a system-level analysis of their applications, IT departments are unable to identify potential entry points where cyber-attacks can begin. Fortunately, static analysis and penetration testing technologies have improved dramatically over the past decade and enable businesses to address their security risks before hackers discover opportunities for SQL injection

What will it take to change?
CIOs face increasing pressure to do more with less as budgets tighten. At the same time businesses are demanding more functionality, and application quality is sacrificed in the trade-off. To increase focus on software trustworthiness and dependability, CIOs must elevate IT security and risk management to the business level, making it a boardroom issue. Only when other C-level stakeholders buy in can the necessary effort be budgeted.

[su_button url=”http://www.castsoftware.com/” target=”blank” style=”flat” background=”#df2027″ color=”#ffffff” size=”10″ radius=”0″ icon=”icon: arrow-circle-right”]For more information on CAST click here[/su_button]

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Camera

Camera and microphone been hacked?

Microphone and camera hacking is when an attacker gains remote access to a device’s camera and microphone – usually with the…
HUMAN

HUMAN expands enterprise protection from sophisticated bot

HUMAN Security, Inc. (formerly White Ops), a cyber-security company that protects enterprises from bot attacks to keep digital experiences
hacker

Colombia catches hacker wanted in the US for ‘Gozi’ virus

Colombian officials say they have arrested a Romanian hacker who is wanted in the U.S. for distributing a virus

Wi-Fi users fed false sense of security

WatchGuard TechnologiesThreat Lab predicts in it’s Security Predictions 2019 that WPA3 Wi-Fi will be compromised and hacked in 2019.

Claranet acquires NotSoSecure enhancing security capabilities

Managed IT services provider Claranet has today announced the acquisition of ethical hacking training and penetration testing experts NotSoSecure.
Scroll to Top