The Expert's View

Heartland Data Breach: What is an SQL injection?

So what is an SQL injection? Simply put, it is a way of gaining unauthorized access to a back-end database through a web application that legitimately uses that same database.

Through various means, an attacker supplies input that the web application pastes into its own SQL statements, so that the attacker's text is executed by the database as part of the query. The intent is to gather information that would otherwise be accessible only to the owner of the information or to authorized systems.

SQL injection is a broad term that covers a range of attacks which not only allow an attacker to read information from the database, but also to modify it, insert content into it and, in some cases, run operating system commands through the database server itself (for example via stored procedures such as SQL Server's xp_cmdshell).

What happened in the Heartland case?

At this point the details are sketchy, at best, but here are my theories:

Leveraging SQL injection, it was possible to map out the structure of the database and then run additional queries to extract information that, by design, the web application should never have been able to reach.
It was possible to run commands on the operating system using the credentials of the database service. That would give an attacker the ability to introduce foreign code or applications onto the system hosting the database and execute them with the same operating system privileges as the database service, which in many deployments are at "Administrator" level; this is exactly why a database service should run under a low-privileged account.
It was possible to inject staged code into content stored in the database, which, if later executed, would compromise the host running the web application, the host running the database service, or both.

How can it be prevented?
A short exercise of root cause analysis will undoubtedly lead to one conclusion: the cause of SQL injection is improperly handled user input. Data supplied by the user ends up being parsed by the database as part of the query instead of being treated purely as data.

Rooting out even the most ingenious SQL injection attack boils down to two measures in the web application itself: passing user input to the database as bound parameters (prepared statements), so that the database never parses it as SQL, and embedding validation logic that rejects anything that is not properly formatted, acceptable data. Escaping or filtering on its own is fragile, because a filter has to anticipate every encoding trick and dialect quirk, whereas a bound parameter is never interpreted as code. Together these measures address the problem at its root and are therefore the most recommended course of action.
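To make this concrete, here is an added example written for this page; it is not code from the original column and is not drawn from Heartland's systems. It builds a small in-memory SQLite database with a constructed merchant table and a constructed card table, runs three attacker inputs through a lookup written by string concatenation, and then through a version that validates the input and passes it as a bound parameter. The table names, columns, rows and payloads are all assumptions for illustration. It demonstrates both the definition given at the top of the column (input pasted into a query becomes part of the query, including queries that map the database structure) and the prevention advice: note that the third payload passes a reasonable allow-list, because apostrophes occur in real place names, and is defused only by the bound parameter.

```python
"""Added example, not code from the original column or from Heartland: a
web-style merchant lookup against an in-memory SQLite database, written first
with string concatenation (the injectable pattern the column describes) and
then with input validation plus a bound parameter. Table and column names,
sample rows and payloads are constructed for illustration only."""
import re
import sqlite3

# Allow-list for a city name: letters, spaces, periods, hyphens and apostrophes
# (the last for names such as Coeur d'Alene). An apostrophe alone is not proof
# of an attack, which is why validation cannot be the whole fix.
CITY_RE = re.compile(r"[A-Za-z .'-]{1,64}")


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a merchant table the application is meant to
    query, and a card table the web application should never be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, pan TEXT, holder TEXT);
        INSERT INTO merchants VALUES (1, 'Corner Cafe', 'Princeton'),
                                     (2, 'Main St Books', 'Trenton');
        INSERT INTO cards VALUES (1, '4111111111111111', 'A. Sample'),
                                 (2, '5500000000000004', 'B. Sample');
        """
    )
    return conn


def merchants_vulnerable(conn: sqlite3.Connection, city: str) -> list[str]:
    """The injectable pattern: the request parameter is pasted into the SQL
    text, so a quote in the input closes the string literal and whatever
    follows is parsed as SQL by the database engine."""
    sql = "SELECT name FROM merchants WHERE city = '" + city + "'"
    return [row[0] for row in conn.execute(sql)]


def merchants_safe(conn: sqlite3.Connection, city: str) -> list[str]:
    """Hardened lookup: reject input that is not a plausible city name, then
    pass the value as a bound parameter. The driver sends it as data, so even
    input that survives the allow-list can never change the query's shape."""
    if not CITY_RE.fullmatch(city):
        raise ValueError("city: unexpected characters or length")
    sql = "SELECT name FROM merchants WHERE city = ?"
    return [row[0] for row in conn.execute(sql, (city,))]


# Constructed attacker inputs, one for each capability the column describes.
PAYLOAD_TAUTOLOGY = "' OR 'a'='a"                            # read every row
PAYLOAD_SCHEMA = "' UNION SELECT sql FROM sqlite_master--"  # map the database
PAYLOAD_EXFIL = "' UNION SELECT pan FROM cards--"           # read another table


def run_demo() -> dict:
    """Run a legitimate value and each payload through both versions and
    collect what came back (a list of rows, or a rejection message)."""
    conn = build_db()
    results = {"vulnerable": {}, "safe": {}}
    cases = [("legit", "Princeton"), ("tautology", PAYLOAD_TAUTOLOGY),
             ("schema", PAYLOAD_SCHEMA), ("exfil", PAYLOAD_EXFIL)]
    for label, value in cases:
        results["vulnerable"][label] = merchants_vulnerable(conn, value)
        try:
            results["safe"][label] = merchants_safe(conn, value)
        except ValueError as err:
            results["safe"][label] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for version, outcomes in run_demo().items():
        for label, outcome in outcomes.items():
            print(f"{version:10} {label:9} -> {outcome}")
```

Run the file directly to print each outcome. The bound parameter is the decisive control: the driver transmits the value as data, so the engine never tokenizes it as SQL, which is why the exfiltration payload that slips past the allow-list still returns nothing. Validation still earns its place by rejecting most malformed input before it reaches the database at all.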

Solutions such as web application firewalls are also helpful, but since they do not address the root of the problem they are often perceived as band-aid solutions: a firewall inspects traffic for attack patterns it knows and can be bypassed by an encoding it does not recognize, whereas a fix in the application code removes the flaw itself.

Why are so many sites so vulnerable?
Frankly speaking, the industry has taken a reactive rather than a proactive stance on security. Institutions have rushed web applications out the door to stay competitive in a very dynamic market, emphasizing the user experience and additional bells and whistles while spending little development, validation and testing effort on security.

Remember: Until widely-publicized compromises of wireless systems caused some institutions major embarrassments, nobody bothered to properly secure their wireless infrastructure.

Unfortunately, the Heartland incident sounds the alarm for web application security. If institutions do not heed this call, there is no doubt that similar attacks will happen again and again.

About Dan Grosu:
Dan Grosu is a strategic IT security consultant with over 10 years of experience in information security. He has extensive knowledge of network security and network system design, testing and implementation, information security network assessment, IT auditing and application development. He has developed security solutions for community banks as well as Fortune 500 companies.