Newswire hacking case is a reminder that organisations need to mitigate the threat of SQL injection attacks

In a recent press release published by the FBI, details have emerged of the scale of the attacks against international newswire services such as PR Newswire and Business Wire. Between 2010 and 2015, Ukrainian hackers Oleksandr Ieremenko and Ivan Turchynov gained unauthorised access to various computer systems, enabling them to steal “yet to be published” press releases that had been scheduled by major financial organisations. The releases contained financial reporting and other sensitive data; the hackers sold on the information and facilitated an estimated $30 million in illegal trading profits.

Nine people have now been charged in connection with this case, which involved the theft of over 150,000 press releases. The hackers used sophisticated methods of attack including malware and phishing, SQL injection and brute force. SQL injection is used to attack data-driven applications and involves inserting malicious SQL statements into an entry field for execution (enabling, for example, exfiltration of the database). This latest high-profile case highlights the need for organisations to be aware of and resilient to this line of attack.

Mitigating the threat of SQL injection

Senior business managers may have read about this story and be wondering how they can better protect their organisation against this kind of threat. There are numerous steps that can be taken but perhaps one of the most fundamental preventative measures is to ensure that you regularly monitor and carry out checks on all of your network’s private and closed applications. Having adequate security procedures in place to protect your applications will significantly hinder attackers from being able to carry out this sort of attack in the first place.

However, to further reduce the threat of SQL injection, there are numerous steps that can be taken on a coding level to mitigate this form of attack. The priority steps include:

1. Using ‘parameterised’ SQL statements, in which input is passed to the SQL instruction as clearly defined parameters rather than written into the instruction itself.
2. Validating each parameter. For example, the ID parameter must be a number, or is restricted to certain terms.
3. Escaping parameters before insertion into the SQL statement. This ensures the commands inserted by the hacker are treated as a variable rather than a command. So instead of comparing the id with ‘XX’ and then executing ‘truncate table news’, the id is compared with ‘XX; truncate table news’, which is not a legitimate id and is rejected.

In addition to the steps above, and dependent upon the framework used, the following should also be considered:

4. Performing validation on data being read from a database (as in points 1-3), in addition to data being inserted into it. This prevents second order injection. In short, trust no source of input.
5. Setting the permissions on the database so it’s limited to only the data it’s required to read. This won’t stop injection, but it might limit the impact.

It should be noted that escaping parameters as in point 3 is the least desirable method compared to 1 & 2, as there are many ways for an attacker to encode data.
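
Points 1, 2 and 4 in code, as an added example that is not part of the original article. It uses Python's built-in sqlite3 module; the table layout, the id format and the sample rows are assumptions constructed for the illustration.

```python
import re
import sqlite3

ID_RE = re.compile(r"[A-Z][0-9]{1,6}")   # assumed id format for this sketch

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id TEXT PRIMARY KEY, author TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [("A1", "alice"), ("B2", "o'brien")])
    return db

def is_valid_id(raw):
    """Point 2: accept only values that match the expected id format."""
    return isinstance(raw, str) and ID_RE.fullmatch(raw) is not None

def author_of(db, news_id):
    """Point 1: the id is bound as a parameter, never pasted into the SQL text."""
    row = db.execute("SELECT author FROM news WHERE id = ?", (news_id,)).fetchone()
    return row[0] if row else None

def ids_by_author_concat(db, author):
    """Pattern to avoid: a value read back from the database is concatenated."""
    return db.execute("SELECT id FROM news WHERE author = '" + author + "'").fetchall()

def ids_by_author(db, author):
    """Point 4: stored data is bound as a parameter like any other input."""
    rows = db.execute("SELECT id FROM news WHERE author = ? ORDER BY id", (author,))
    return [r[0] for r in rows]

def demo():
    db = make_db()
    hostile = "XX; truncate table news"        # the string from point 3
    rejected = not is_valid_id(hostile)        # validation refuses it outright
    bound_result = author_of(db, hostile)      # binding compares the whole string with id
    rows_left = db.execute("SELECT COUNT(*) FROM news").fetchone()[0]
    stored = author_of(db, "B2")               # "o'brien", read from the database
    try:
        ids_by_author_concat(db, stored)
        concat_ok = True
    except sqlite3.OperationalError:
        concat_ok = False                      # the stored quote broke the SQL text
    return rejected, bound_result, rows_left, concat_ok, ids_by_author(db, stored)

if __name__ == "__main__":
    print(demo())
```

The stored author name contains nothing hostile, only an apostrophe, yet the concatenated query fails on it, while the bound version returns the expected row.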

Finally, don’t forget the basics. Regularly change the passwords of the accounts your applications use to access the database. Update and patch all applications and databases as early as you possibly can.

About the Author

Mike James is part of the technical team at Redscan – a managed threat detection and security services company.

7 Best Browser Security Extensions you need to stay safe

Why Use a Browser Security Extension

The internet is essentially like a vast disease and parasite filled jungle. If you’re moving around on it through your browser, you need to make sure that you’re well protected from infections of all types. It’s easy, very easy, to find yourself the victim of hackers, Trojans, data miners, information thieves, viruses, worms and malicious bots all over the web. There are also fun programs like spyware, malware and adware that can screw your computer up. With all these threats lurking around the net, hidden in many forms, you should really think about maintaining tight security all around.

While it’s a good idea to install a firewall on your computer, a malware scrubber and reliable antivirus software, your first line of defense will be the point of entry: your browser; secure this and you will dramatically decrease the possibility of attacks from external threats before they get a chance to enter your computer or steal your personal data. Here are some excellent browser extensions that can help you keep your machine and your private information safe.

NotScript and NoScript

NotScript is a Chrome extension while NoScript is a Firefox extension; they both do essentially the same thing to different degrees. Both programs will block script-using applications on the websites that run them while you browse. Since these scripts are commonly prone to code attacks on your machine, it’s generally a good idea to avoid them where possible. NoScript is considerably more versatile than NotScript since it will block any kind of script, while its Chrome counterpart can only be used against JavaScript.
In the case of both programs, you can place certain sites you trust on a white-list to avoid having their scripting apps blocked off. This is also useful since some web pages that are trustworthy absolutely depend on Flash or JavaScript to run.

Web of Trust

If you decide to use just a single security extension for your Chrome, Firefox or Internet Explorer browser, make it Web of Trust. This extension rates almost every website you visit and gives it a green, amber or red warning depending on its trustworthiness. The information that generates this is based on user reviews, so you can also add your own opinion into the mix; very accurate and very reliable.

Adblocker Plus

This handy little extension will essentially purge your browsing experience of advertisements and other annoying ad-based things like popup ads and such. Adblocker isn’t so much a security plugin as it is a nuisance elimination tool, but the extension’s ability to eliminate ads does play an important security function: ads are where many renegade malware and spyware programs hide, waiting to infect the computer of someone who clicks on them. Getting rid of them removes the potential for many accidents.

LastPass

This excellent data security extension, available for Chrome, Firefox and IE, is a great tool for managing all your online passwords easily while keeping them extremely secure. The extension allows you to create a single master password with which you manage all your other login prompts through the plugin’s internal password creator. The security benefit is that LastPass creates much stronger passwords for all your online data than any you are likely to try remembering later on. This tool is very handy for stopping brute force password crack attacks against your online banking, credit card and any other passkey enabled access pages.

HTTPS Everywhere

This extension was created by the Electronic Frontier Foundation to secure all digital communication between your browser and other servers and websites through high strength encryption. It mainly protects your data transmissions so that the login information and other sensitive data you’re inputting all over the place cannot be stolen and used to defraud you or hack your personal accounts or web based access points. Unfortunately, the HTTPS Everywhere plugin is still only available for Firefox.

Keyscrambler

Keyscrambler is a keystroke encryption tool that will take all of your typed in characters and encrypt them at the level of your keyboard drivers while at the same time letting you see what you’ve written on your screen. The encryption protects your typed information from secretly installed keystroke loggers that might be hiding in your computer; they will only see a stream of gibberish instead of your vulnerable personal data. The Keyscrambler extension is available for both Firefox and Internet Explorer.

Your Browser

No, this isn’t another security extension, it’s a bonus point you should keep in mind: The brand of browser you use will also have a big impact on your data and computer security. Of the three main browsers, Firefox, Chrome and Internet Explorer, Chrome has recently been ranked as the most secure and most robustly protected against frequently updating threats. Chrome’s list of features such as script and process sandboxing, Just in Time engine hardening and basic plugin installation security make it the award winner against its less advanced rivals Firefox and IE. Chrome also seems to have the shortest response time against constantly changing malware threats. Go with Chrome for better security; it’s sleek, fast and won’t overload your RAM like Firefox is prone to doing with its latest versions.