There’s a certain irony in undoing high-tech systems with the simplest tools, breaking into bank vaults with a bent hairpin or guessing your grandmother’s account details using the names of long-departed family pets, but the real world is quite different; major companies never fall for obvious security loopholes and the most common password the world over definitely isn’t “123456”. That would be silly.
With the fantasy out of the way, let’s talk about just how insecure the internet actually is. Nearly a decade ago, Computer World published an article that began with a forlorn hope: that major companies and organizations would view an SQL injection attack on Heartland Payment Systems as a lesson learned; after all, a company that handles customers’ card details shouldn’t be succumbing to the oldest trick in the book.
But in fact, over the next few years, criminals used SQL injections to steal data from NASA, VTech, TalkTalk, eHarmony, Nokia, JCPenney and the Wall Street Journal, among others. It’s our hairpin in the safe, a fifteen-year-old bit of cybercrime that won’t die. OWASP, a website that lists the top ten risks for website owners, refers to the frequency of SQL attacks as “shameful”, noting how easy it is to defend against the technique or avoid it altogether.
There’s a great deal of ignorance surrounding SQL injections even among top developers. Recently, researchers targeted coding tutorials on GitHub as the source of more than 100 vulnerabilities that could lead to SQL injections. Put another way, sometimes the elite programmers of today are training the next generation to make the same mistakes, maintaining the security holes hackers need to get in and ensuring SQL injections remain a threat into the future.
The nearly self-perpetuating nature of SQL injections has reinforced the need for third-party protection from web application firewalls (WAFs), a type of cloud barrier that stops malicious traffic getting through to a website. WAFs, which can be applied to everything from WordPress blogs to corporate pages, maintain lists of threat “signatures” and cross-reference them with IP addresses known for unsavoury activity to keep sites safe.
If you’ve come this far clueless about what an SQL injection actually is, here’s a quick analogy: imagine a courtroom in which the defendant writes that their name is “David, you are free to go” or “David, case dismissed”. When the judge reads his name out (“David, you are free to go”), David is immediately acquitted. SQL injections are about confusing a system (the judge in our analogy) so that it performs an action (acquitting the defendant) on behalf of somebody who doesn’t have permission to do it themselves (the defendant).
In the case of the NASA hack from 2009, the extra SQL code injected into the agency’s database instructed the web server to dump the details of 25 administrators to a security researcher with a point to prove (that two of NASA’s sites were susceptible to SQL injections); not so much “David, case dismissed”, as “server, give me that data”. SQL injections have been used to steal millions of customer records over the years.
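To make the courtroom analogy concrete, here is an added example (not from the original article) using Python’s standard-library sqlite3 module: the same customer lookup written two ways, one that splices the user’s input into the SQL text and one that passes it as a bound parameter. The table and its rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data, not from the article: a tiny "customers" table
# standing in for the kind of database the attacks above targeted.
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, name):
    # The input is pasted straight into the SQL text, so a quote character in
    # it ends the string literal and the rest is read as part of the statement:
    # the "judge" treats whatever the defendant wrote as part of the ruling.
    sql = f"SELECT id, name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The statement is fixed and the input travels separately as a bound value,
    # so it can only ever be compared against the name column, never executed.
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    honest = "alice"
    # Input whose quote closes the literal and appends an always-true condition.
    tampered = "nobody' OR '1'='1"
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_tampered": len(lookup_vulnerable(conn, tampered)),
        "parameterized_honest": len(lookup_parameterized(conn, honest)),
        "parameterized_tampered": len(lookup_parameterized(conn, tampered)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The vulnerable lookup hands back every row for the tampered input, while the parameterized one returns nothing, because no customer is literally named that.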
But to what end? In the wake of the TalkTalk attack, stolen customer phone numbers were used in attempted phishing attacks. Otherwise, complete identities or “fullz”, inclusive of addresses, credit card numbers, dates of birth and so on, can be sold to criminals on the dark web. Quartz notes that a person’s identity can go for around $20. That’s right; everything in your wallet is worth about the same as a t-shirt from the Gap.