SQL Injections Explained

The words SQL injection have hit the headlines this week in connection with a Russian cyber criminal gang. But what exactly does it mean? And how does it affect you?

If you’ve read a newspaper in the past 24 hours, you might have heard the words SQL Injection. It’s contained in reports on the activities of a Russian hacking gang, who are believed to have stolen usernames and passwords from more than 420,000 websites worldwide. In case you’re wondering, SQL Injections are one of the methods the gang used to do this.

But what exactly is SQL Injection? And how can you defend yourself against these sorts of data breaches?

What is SQL Injection?

SQL injection is a method of attacking a website, in which a hacker makes use of bugs in a website’s design whereby user-provided data isn’t properly sanitised and is used directly in a database query.

In this instance, an attacker can replace the valid input with input that contains code that the database will recognise and act upon. Depending on how the software handles the response from the database, the hacker could end up with access to all the sensitive information in that database.

Here’s the science bit…

For example, here’s a simple injection attack that could be performed against a site that uses poor input validation. Standard practice when checking a username and password is to create a hash of the user-provided password and then check it against the database.

In older sites and poorly-designed ones, the password would be stored in plain text and a simple SQL query would be used to verify that the login was correct – such as “SELECT * FROM users WHERE username=’user-supplied-name’ AND password=’user-supplied-password’;”.

Now, if the database returns any rows, the site can see that someone logged-in correctly. If the user gives the password of “user-supplied-password’ OR 1=1;” and that text is added straight to the SQL query used, then the site will return any rows where the username matches, because the database will see the query “SELECT * FROM users WHERE username=’user-supplied-name’ AND password=’user-supplied-password’ OR 1=1;”.

The OR 1=1 will mean that the database will check whether the password matches the stored password, but it will return a positive response as regardless of the password entered the “OR 1=1” means that the check is always seen by the database as TRUE.

One would hope that no-one makes such basic mistakes these days, but I’ve seen plenty of programming tutorials that use this as an example for how to create a user login without mentioning the perils of the use of such code.

What can you do to protect yourself against SQL Injection attacks?

If you’re highly technical, there are ways you can set up your web server to give it extra protection against SQL injection attacks. These include whitelisting and, perhaps most importantly, making sure your system has strong input validation.

If you’re not up to speed on these things, however, there are a few things you can do to make sure you are as safe as you can be in the instance that your details do become leaked following SQL injection attack.These include…

Never open emails that you don’t know the origin of

It’s possible that the passwords and emails collected by CyberVor could be used for email spoofing. This is a similar technique to phishing or spamming. You can avoid spoofed emails by only ever opening emails from trusted sources.

Run a malware scan

Running regular malware scans can help to defend your computer against any viruses sent on the back of the CyberVor scams.

Change your passwords

Don’t be lazy when it comes to password creation. The strongest passwords are more than 14 characters long and contain a variety of letters, numbers and symbols.

Use two-step verification

Email systems like Gmail let you set up two-step authentication to double check the right person is accessing your emails. When this is set-up, your email account will ask you to prove who you are by sending a code to your mobile phone, which you then have to type into your email account in order to access it.

Don’t put off updates

Update alert pop ups can be irritating, but they are necessary. Out of date software is more vulnerable to attacks, so always update your system when prompted.

Mark spam

If you receive an email you think is suspicious, mark it as spam. This will alert your email provider and they will be able to look out for and fix future problems.

For more information about this blog or any others, contact our tech support team.