Identity Theft Expert Robert Siciliano

There is just no end to the vulnerabilities that computer users face. The latest one is SQL injection. SQL is an abbreviation of Structured Query Language, pronounced "Ess Que El" or "Sequel" depending on who you ask.

IBM Internet Security Systems discovered 50% more web pages infected in the last quarter of 2008 than in the entire year of 2007.

The infection is called a SQL injection. According to Wikipedia, a “SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.”

In other words, a SQL injection is a virus or bug that affects an application that is not properly coded or secured. There are many different configurations of various software used to build and run a website. An example would be the common WordPress blog platform that many use and that has been found to be vulnerable. This is just one of hundreds of applications that can be hacked in this way.

In 2005, a now defunct 3rd party payment processor called CardSystems suffered a SQL injection, compromising a reported 40 million credit cards.

Since that time, criminal hackers have multiplied their efforts. SQL injections have evolved in their purpose and sophistication. Originally meant as a tool to attack a merchant's database and steal data, the attack was reconfigured last summer to install viruses on users' computers that contain a remote control component.

Matt Chambers with Corporate IT Solutions says, "Web applications are one of the most outward facing components a corporation contains in its network design, and one of the least protected. Applications typically take input information and send it to a database for storage and processing. We interact with these kinds of applications every day, whether it's a signup form or a login page for a favorite networking site."
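To make the "not properly coded" point concrete, here is an added example (not from the original post) of the kind of login check Chambers describes, in two versions: one that pastes form input straight into the SQL text, and one that passes it as a parameter so the database treats it strictly as data. The user table, the names and the password value are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # The application builds the statement by string formatting, so
    # whatever the user typed becomes part of the SQL itself and can
    # change the WHERE clause instead of just filling in a value.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, password):
    # Parameterized query: the driver binds the input as values, so
    # quotes and keywords inside it are never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo():
    # Same two inputs against both versions: a real password, and a
    # textbook injection string that closes the quote and adds a clause.
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        "vuln_good": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_bad": login_vulnerable(conn, "alice", injected),
        "safe_good": login_safe(conn, "alice", "correct-horse"),
        "safe_bad": login_safe(conn, "alice", injected),
    }
```

The vulnerable version accepts the injected string as a valid login because the pasted text rewrites the query's logic; the parameterized version rejects it, which is the fix the post's "properly coded" phrase refers to.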

The attack on the user’s PC is simple. This type of attack is often called a “drive-by,” because sometimes all the user needs to do is surf the site. Many of the attacks take place during common web tasks such as watching videos, listening to music or downloading files.

The unsuspecting PC user surfs an infected site and bam, code is injected onto their PC and they are infected. Their PC becomes part of a “botnet,” which is a robot network of computers specifically designed for hacking.

Bots, the infected PCs, are also known as zombies. Zombies, as a result of the SQL injection, generally have a virus installed that gives the hacker control from anywhere in the world. The "botnet" can consist of 10 PCs, 10,000 PCs, or run into the hundreds of thousands. Studies show there are potentially millions of zombies globally, all part of numerous botnets.

Lax security practices by consumers and small businesses are giving scammers a base from which to launch attacks. Botnet hackers set up phishing websites targeting well known online brands. They send junk mail emails and install redirection services to deliver viruses, malware and keyloggers.

USA Today reports IBM Internet Security Systems blocked 5,000 SQL injections every day in the first two quarters of 2008. By midyear, the number had grown to 25,000 a day. By late fall, attacks climbed to 450,000 daily.

The key to identity theft protection and preventing your computer from becoming a zombie is to engage in every update for every browser and media player that you use, keeping your operating system updated and using anti-virus software such as McAfee Total Protection.

Identity Theft Speaker Robert Siciliano discusses SQL injection here.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.


Tags: expert, identity, mcafee, prevention, protection, security, speaker, theft, uniball


Comment by Alex on March 24, 2009 at 3:48pm
Switch to Linux or Mac.
Comment by Identity Theft Expert Robert Siciliano on March 24, 2009 at 11:20am
Sometimes the DNS attack you'd be launching would be on some Grandma's PC. A botnet often is the tool used to commit the crimes. That's the genius of it.
Comment by Justin on March 24, 2009 at 11:08am
I have an idea: why just protect ourselves? Protecting yourself isn't enough anymore; how about instead we punish them. Set up a security application that senses a change in the file system, then traps it and runs it in a quarantine environment and notes the address to which it sends its information; then it can launch a DoS attack on that address by feeding it copious amounts of useless data. The cops/federal agencies could easily do the same by using trap credit cards with systems that run similar software and track purchases made with the trap card.
Comment by dave on March 24, 2009 at 10:28am
People should also be aware of this SQL when logging into a site. Make sure you uncheck the "remember the password" box. It makes the cookies that remember the password more vulnerable to the SQL viruses when you check the "remember the password" box. It actually gives the hackers the password to the sites you go on. You can also tell if you're a zombie of the SQL by typing in your search and listing SQL. If it shows up then you know you have been hit. Also there are a few programs that IBM is trying to get out to customers that protect your computer from the SQL situation. Just go to IBM.com and check.
Comment by Identity Theft Expert Robert Siciliano on March 24, 2009 at 5:53am
Some of the free tools available include RUBotted (Beta) from Trend Micro, BotHunter from SRI International, or try an online virus scan with the Windows Live OneCare safety scanner.
Comment by Ken on March 24, 2009 at 5:08am
Would an anti-bot program find this in your computer, or is it really that stealthy?

© 2009   Created by Chris Pirillo