The term SQL Injection was thrust into the public eye this week, but what does it mean and what can you do about it?
In the past 24 hours, major news sources around the globe have been reporting on a large scale online security attack, which is thought to have affected as many as a billion passwords and half a billion email addresses.
The news spread quickly, with most reporters referencing a specific post from Hold Security, a security firm based in Milwaukee. The post is titled “You have been hacked!” and it gives details of a scam by a Russian cyber gang that Hold Security has named ‘CyberVor’.
Hold Security claims that ‘CyberVor’ has stolen credentials, like user names and passwords, from 420,000 websites around the world by using SQL injections and botnets.
But what exactly is SQL Injection and what can you do to protect yourself from these sorts of attacks?
What is SQL Injection?
Techopedia.com defines SQL Injection as, “A computer attack in which malicious code is embedded in a poorly-designed application and then passed to the backend database. The malicious data then produces database query results or actions that should never have been executed”. This is a fairly common method used by hackers to attack computers and the information they contain.
Basically, what happens is that a hacker is able to bypass an authentication system by exploiting errors in how the application passes input to the database. For example, a login page could be manipulated if the hacker knows enough about the code that builds the queries behind it. The hacker can then trick the database into divulging small pieces of information, like a puzzle, until the puzzle is complete. This form of hacking has been used since the late nineties as a way to obtain passwords and other information.
How do you protect yourself against SQL Injection attacks?
Protecting yourself against an SQL Injection attack can get quite technical. At the deepest level, it takes coding knowledge to defend your technology against such attacks. As usual with security, though, defence mechanisms need to be laid down from the very beginning.
OWASP is the Open Web Application Security Project, working to make “software security visible so that individuals and organizations worldwide can make informed decisions about true software security risks.”
They recommend two methods of mitigating SQL Injection attacks:
Parameterizing queries using bound, typed parameters
Parameterized queries keep the query and data separate through the use of placeholders known as “bound” parameters.
Careful use of parameterized stored procedures
The use of parameterized stored procedures is an effective mechanism to avoid most forms of SQL Injection. In combination with parameterized bound queries, it is very unlikely that SQL injection will occur within your application.
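To make the difference between the two approaches concrete, here is an added example (not from the original post and not OWASP's own code) written in Python against the standard sqlite3 module. The user table, the single user record and the stored hash value are constructed for the demonstration. sqlite3 has no stored procedures, so the example covers the first recommendation, bound parameters; the same principle (query text and data travel separately) is what makes a parameterized stored procedure safe.

```python
import sqlite3

def make_db():
    # Constructed in-memory database with one user; the "hash" is a placeholder string,
    # not a real credential and not a real password hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    return conn

def login_vulnerable(conn, username, password_hash):
    # The untrusted input is pasted straight into the SQL text, so the database
    # cannot tell where the query ends and the data begins. Any input that alters
    # the query's structure is executed as SQL.
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    row = conn.execute(sql).fetchone()
    return row is not None

def login_parameterized(conn, username, password_hash):
    # The '?' placeholders are bound parameters: the driver sends the fixed query
    # text and the values separately, so the input is only ever treated as data.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row is not None

def safe_vulnerable_call(conn, username, password_hash):
    # A legitimate value containing an apostrophe (a name such as O'Brien) breaks
    # the concatenated query with a syntax error; report that as a failure rather
    # than crashing, so the two functions can be compared side by side.
    try:
        return login_vulnerable(conn, username, password_hash)
    except sqlite3.OperationalError:
        return "syntax error"

def demo():
    conn = make_db()
    # Classic tautology: the string closes the quote and adds a condition that is
    # always true. It is shown here only so the two behaviours can be compared.
    tautology = "' OR '1'='1"
    return {
        "valid_login_vulnerable": login_vulnerable(conn, "alice", "hash-of-alice-password"),
        "valid_login_parameterized": login_parameterized(conn, "alice", "hash-of-alice-password"),
        # Concatenation lets the crafted input rewrite the WHERE clause: login succeeds
        # with no valid credential.
        "crafted_input_vulnerable": login_vulnerable(conn, tautology, tautology),
        # With bound parameters the same input is compared literally against the
        # username column, matches nothing, and login fails as it should.
        "crafted_input_parameterized": login_parameterized(conn, tautology, tautology),
        # An ordinary apostrophe in a name also shows the difference: a syntax error
        # versus a clean "no such user".
        "apostrophe_vulnerable": safe_vulnerable_call(conn, "O'Brien", "x"),
        "apostrophe_parameterized": login_parameterized(conn, "O'Brien", "x"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to take away is that the parameterized version never changes its query text no matter what the user types; the database receives the same SQL every time and only the bound values differ. That is what "keeping the query and data separate" means in practice.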
For more technical information about SQL Injection and how you can avoid it within your own databases, visit owasp.org.
What if you’re not technical and you think you’ve been hacked?
From what we can tell at this point, the worst you can expect from this giant attack on information is a few spoofed emails. Spoofed emails are sent with a false email address as the sender. This can trick receivers into opening links that could lead to malicious content. Never click on links whose origin you are unsure of. Running a malware scan on such messages is a very good idea and can save you from a computer virus infection.
If your details have been hacked, there are several easy tasks anyone can complete to protect themselves. These are best practices when it comes to online security, regardless of whether you have been a victim of an SQL Injection attack.
Change your passwords
This super easy step can save you from attacks. Get creative! Don’t use pet names or sports teams. Create your own algorithm for solid passwords. For example, if you love Oreo cookies, create a password like 0reO1over5yuMM (but don’t actually use that one). Never use the same password for multiple sites; if you do, your information becomes a buffet for easy pickings.
Use two-step verification whenever you can
Setting up your email to request a code from your phone whenever you log in from a new computer can make you a much tougher target. It can be a pain to have to keep your phone handy at first, but it’s already in your pocket, so use it!
Keep your software up to date
Keeping your computer software up to date is a critical part of keeping your information safe. Developers are always looking for holes in their code and fixing them by issuing updates. An out-of-date application is similar to leaving your back door open while you have security cameras and a guard dog in your front yard.
Pay attention to the email you receive
If you receive a message you think is spam, mark it. This lets your email provider know what is happening and also gives them a way to fix the problem. It also allows you to look for bounce-back messages that could indicate that you are spamming others without being aware of it.
For more information concerning this post or others, please get in touch with our support staff.