What is a SQL injection attack and should I be concerned?

SQL (referring to database platforms such as Microsoft SQL Server and MySQL) has once again made headlines.  Not only can it affect you directly, in the form of being redirected to a malicious website, but your information stored on someone's server could also be exposed, and you don't have to be visiting their website.  There are multiple reasons for this; in this writeup I'll focus on P and P: patching and programming.


SQL, or Structured Query Language, is the language by which humans communicate with a database to obtain information.  Think of a database as a huge tin can.  In that tin can are tables.  Tables contain related information, and there could be hundreds of tables (if not more!).  There could be a table of your customer information, such as First Name, Last Name, Address, City, State, Zip, Phone Number, Password, and Credit Card number on file.  Each entry (First Name, Last Name) represents a field.  That's how websites know who you are when you log in to make a purchase.  In the background, a web script runs a command such as SELECT * FROM Customers WHERE CustomerName = 'Eric Braun' when you log in. A SQL injection attack occurs when someone enters input that causes unexpected or unintended commands to be sent to the database, and the programmer did not anticipate that someone would enter bogus information.

For example, if you were filling in an online order form and you entered your address as 8500 Stemmons Freeway, Ste. 500 (in a text entry field), this is good, legitimate information.  However, if you entered something like '8500 Stemmons Freeway, Ste. 500 ; DROP DATABASE customers', this could have severe consequences for the database.  Granted, several things must already be set up incorrectly for this to succeed.

First, the SQL user ID that the website uses has to have elevated privileges. This is transparent to the end user. Programmers in a rush sometimes give generic SQL users too many permissions. Second, the programmer may have little or no input validation. Since a semicolon is a way to enter multiple commands, the programmer could scan the address field for semicolons and present an error box to the user. The programmer could also disallow characters or words not normally used in an address, such as asterisks, greater-than and less-than symbols, semicolons, equals signs, etc. Again, a programmer on a deadline may use little or no input validation at all.
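The order-form scenario above as an added example (not code from the original writeup), using Python's built-in sqlite3 module. The table, the function names and the hostile input are constructed for illustration; DROP TABLE stands in for DROP DATABASE because SQLite has no such command, and parameter binding is shown alongside the character check as the hardened form.

```python
import sqlite3

# Characters the article lists as not normally used in an address.
FORBIDDEN = set("*<>;=")

# Constructed inputs: the article's legitimate address, and a hostile one
# adapted to SQLite (DROP TABLE, since SQLite has no DROP DATABASE).
GOOD = "8500 Stemmons Freeway, Ste. 500"
HOSTILE = "8500 Stemmons Freeway'; DROP TABLE customers; --"

def make_db():
    """In-memory database holding one constructed customer row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, address TEXT)")
    db.execute("INSERT INTO customers VALUES ('Eric Braun', 'unknown')")
    db.commit()
    return db

def table_exists(db):
    q = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'customers'"
    return db.execute(q).fetchone() is not None

def is_valid_address(address):
    """Input validation: reject any address containing a forbidden character."""
    return not (FORBIDDEN & set(address))

def update_unsafe(db, name, address):
    # Vulnerable: the text becomes part of the SQL, and executescript() runs
    # every statement it finds, like a driver that permits stacked commands.
    db.executescript(
        f"UPDATE customers SET address = '{address}' WHERE name = '{name}'")

def update_bound(db, name, address):
    # Hardened: placeholders send the text as data, so it is never parsed as SQL.
    db.execute("UPDATE customers SET address = ? WHERE name = ?", (address, name))
    db.commit()

def stored_address(db, name):
    row = db.execute(
        "SELECT address FROM customers WHERE name = ?", (name,)).fetchone()
    return row[0]

if __name__ == "__main__":
    db = make_db()
    update_unsafe(db, "Eric Braun", HOSTILE)
    print("unsafe, table survives:", table_exists(db))
    db = make_db()
    update_bound(db, "Eric Braun", HOSTILE)
    print("bound, table survives:", table_exists(db))
    print("validation accepts hostile input:", is_valid_address(HOSTILE))
```

With binding, the hostile text is simply stored as the customer's address and the table is untouched; the character check rejects it before it ever reaches the database.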


Content-managed websites are favorite targets of hackers, mainly because the CMS sites themselves are not kept up to date.  As a result, malicious HTML code can be inserted into a seemingly harmless website.  This can be the attack vector for a malicious website for one of those fake security programs (called Rogues). A malicious hyperlink could be inserted into a web page, so subsequent visitors could be misdirected to a bad website, such as the highly publicized LizaMoon malicious website.

Unpatched PHP: PHP is a Unix-derived server scripting language, used mainly on web servers.  It can be ported to the Windows web platform.  Unpatched PHP can be used as an attack vector, and so can unpatched Microsoft IIS (Microsoft's own web server) and Apache for Linux and Windows.


These are just simple, basic examples.  Hackers are coming up with very sophisticated ways of compromising and exposing databases, as well as misdirecting your browser to a malicious website.  There are steps you can take to help mitigate these threats, beyond the normal security software.  You do have security/anti-malware software?

1.  Use Firefox with the NoScript add-in.  Using it causes some pain, as many websites rely heavily on JavaScript.  I suggest using this when you are doing random searches for information, and you don't know where such searches may lead.  An alternative may be a virtual PC running fully patched Ubuntu Linux, but running a virtual session takes more computing horsepower and a somewhat higher level of computer expertise.

Mozilla Firefox

NoScript Add-On for Firefox

2.  Stick to mainstream websites.  They are likely to have more safeguards in place to ensure a safe shopping environment, and your personal information is more likely to stay private.

3.  Use virtual credit card numbers.  See if your card issuer offers virtual card numbers. These are single use card numbers with preset limits.  In the event of a data breach, the card numbers will likely not function.

4.  Forget about using a universal password.  If your password for every website is the same, and hackers recover that password, this can be a huge security risk.