Wednesday, April 28, 2010

SQL Injection Hacks

In March Albert Gonzalez (28) and two Russian co-conspirators were sentenced to 17 to 25 years in jail for the Heartland Payment Systems security breach (along with several other smaller breaches), in which they stole 130 million credit card records and made a reported $4 million on the scam.

As reported in PC Magazine, Gonzalez and company hacked into these systems using a "SQL injection" method, which is similar to a buffer overrun attack but more "brute force." According to John Verdi, senior counsel at the Electronic Privacy Information Center (EPIC), many companies are exposed to SQL injection hacks because of the prevalence of SQL and a lack of strong security practices. "Heartland did something dangerous, but it didn't do anything other companies aren't doing also."

SQL injection hacks are easy to prevent using commonly available encryption techniques. It's not rocket science, and it's essential if your system is based on SQL Server databases. Even better is to prevent user-supplied input which contains malicious SQL from affecting the logic of an executed SQL query. For a discussion of how to do this, see the SQL Injection Prevention Cheat Sheet.
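The cheat sheet referenced above leads with parameterized queries (prepared statements) as the primary defence: the SQL text is fixed before any user input is seen, so the input can only ever be a value, never part of the query's logic. The example below is added here to illustrate that point and is not code from the original post. It uses Python's standard-library `sqlite3` module against a constructed in-memory table (the `accounts` table, its rows and the `lookup_*` function names are all assumptions for the demonstration); the same `?` placeholder idea applies to any database driver.

```python
import sqlite3


def make_db():
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)"
    )
    # Constructed sample data; the card values are placeholders, not real numbers.
    conn.executemany(
        "INSERT INTO accounts (username, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The pattern that enables injection: user text is spliced into the SQL string.

    Anything the caller supplies becomes part of the query itself, so quote
    characters in the input change the WHERE clause rather than being matched.
    """
    sql = "SELECT username, card_last4 FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The hardened form: the SQL text is fixed, the value is bound separately.

    The driver sends the input as data for the `?` placeholder, so it can only
    ever be compared against the column, never interpreted as SQL.
    """
    sql = "SELECT username, card_last4 FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Return (rows from vulnerable lookup, rows from parameterized lookup) for one input."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both queries behave identically.
    print(compare("bob"))
    # Input containing a quote: the concatenated query's logic changes and it
    # returns every row, while the parameterized query simply finds no match.
    print(compare("x' OR '1'='1"))
```

For a benign username both functions return the same single row. For input that contains a quote character, the concatenated query returns the whole table because the input has rewritten the WHERE clause, whereas the parameterized query returns nothing because no account has that literal name. The second behaviour is the one the cheat sheet is describing: the input cannot affect the logic of the executed statement.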
