


…r 29, 2009.] The upside? Those smart devices are sometimes crime fighters themselves. A Pittsburgh mugging victim turned on Apple's "Find My iPhone" feature within its MobileMe service, mapping the perpetrator's path, then sending the law to bust the bad guys while they ate at a local restaurant. [J. Murrell, "The iWitness News Roundup: Crime-fighting iPhone," Good Morning Silicon Valley, August 31, 2009.]

Figure 13.5 A "jailbroken" iPhone gets "Rickrolled" by malware.

Compromising Web Sites

Some exploits directly target poorly designed and programmed Web sites. Consider the SQL injection technique. It zeros in on a sloppy programming practice where software developers don't validate user input. It works like this. Imagine that you visit a Web site and are asked to enter your user ID in a field on a Web page (say your user ID is smith). A Web site may be programmed to take the data you enter from the Web page's user ID field (smith), then add it to a database command (creating the equivalent of a command that says "find the account for 'smith'"). The database then executes that command. But Web sites that don't verify user entries and instead just blindly pass along entered data are vulnerable to attack. Hackers with just a rudimentary knowledge of SQL could type actual code fragments into the user ID field, appending this code to statements executed by the site (see sidebar for a more detailed description). Such modified instructions could instruct the Web site's database software to drop (delete) tables, insert additional data, return all records in a database, or even redirect users to another Web site that will scan clients for weaknesses, then launch further attacks.
Security expert Bruce Schneier noted a particularly ghastly SQL injection vulnerability in the publicly facing database for the Oklahoma Department of Corrections, where "anyone with basic SQL knowledge could have registered anyone he wanted as a sex offender." [B. Schneier, "Oklahoma Data Leak," Schneier on Security, April 18, 2008.] Not trusting user input is a cardinal rule of programming, and most well-trained programmers know to validate user input. The standard remedy goes one step further than validation: keep the visitor's text out of the SQL entirely by passing it to the database as a bound parameter of a prepared (parameterized) statement rather than concatenating it into the query string. But there's a lot of sloppy code out there, which hackers are all too eager to exploit. IBM identifies SQL injection as the fastest growing security threat, with over half a million attack attempts recorded each day. [A. Wittmann, "The Fastest-Growing Security Threat," InformationWeek, November 9, 2009.] Some vulnerable systems started life as quickly developed proofs of concept, and programmers never went back to add the needed code to validate input and block these exploits. Other Web sites may have been designed by poorly trained developers who have moved on to other projects, by staff that have since left the firm, or where development was outsourced to another firm. As such, many firms don't even know if they suffer from this vulnerability. SQL injection and other application weaknesses are particularly problematic because there's not a commercial software patch or easily deployed piece of security software that can protect a firm. Instead, firms have to meticulously examine the integrity of their Web sites to see if they are vulnerable. While some tools exist to automate testing, this is by no means as easy a fix as installing a commercial software patch or virus protection software.
How SQL Injection Works

For those who want to get into some of the geekier details of a SQL injection attack, consider a Web site that executes the code below to verify that an entered user ID is in a database table of usernames. The code executed by the Web site might look something like this:

"SELECT * FROM users WHERE userName = '" + userID + "';"

The statement above tells the database to SELECT (find and return) all columns (that's what the "*" means) from a table named users where the database's userName field equals the text you just entered in the userID field. If the Web site's visitor entered smith, that text is added to the statement above, and it's executed as:

SELECT * FROM users WHERE userName = 'smith';

No problem. But now imagine a hacker gets sneaky and, instead of just typing smith into the Web site's userID field, also adds some additional SQL code like this:

smith'; DELETE FROM users WHERE 't' = 't

If that text is entered as the user ID, the Web site adds it to its own programming to create a statement that is executed as:

SELECT * FROM users WHERE userName = 'smith'; DELETE FROM users WHERE 't' = 't';

The semicolons separate SQL statements. That second statement says delete all data in the users table for records where 't' = 't' (this last part, 't' = 't', is alw...
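The concatenation described in the two sections above, run against a real database engine, as an added example that is not code from the textbook. It uses Python's standard sqlite3 module with an in-memory users table and constructed sample rows; the table schema (userName, fullName), the function names, and the use of executescript() to stand in for database APIs that accept several statements in one string are assumptions made for the demonstration. It shows the page's tautology and stacked-statement payloads against the concatenated query, and the parameterized form that defeats both.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the page).
SAMPLE_USERS = [
    ("smith", "Alice Smith"),
    ("jones", "Bob Jones"),
    ("lee", "Carol Lee"),
]


def make_db():
    """Create an in-memory users table (assumed schema: userName, fullName)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT PRIMARY KEY, fullName TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query(user_id):
    """The page's concatenation: the visitor's text becomes part of the SQL text itself."""
    return "SELECT * FROM users WHERE userName = '" + user_id + "';"


def lookup_vulnerable(conn, user_id):
    """Execute the concatenated string as a single statement and return matching rows.

    A payload such as  smith' OR 't' = 't  closes the quote and appends a
    condition that is always true, so the query returns every row in the table.
    """
    return conn.execute(build_query(user_id)).fetchall()


def single_statement_guard_trips(conn, user_id):
    """Return True if the driver rejects the concatenated string for holding several statements.

    sqlite3's execute() accepts exactly one statement, so the page's stacked
    payload (smith'; DELETE FROM users ...) is refused here. That is a driver
    property, not a fix: the tautology payload still passes through execute().
    """
    try:
        conn.execute(build_query(user_id))
        return False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True


def lookup_vulnerable_stacked(conn, user_id):
    """Same concatenation, run through an API that executes every statement in the string.

    executescript() is used here (an assumption) to mirror database APIs that
    allow stacked queries; the appended DELETE then empties the table, exactly
    as the page's example describes.
    """
    conn.executescript(build_query(user_id))


def lookup_safe(conn, user_id):
    """Parameterized query: the visitor's text is bound as a value and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE userName = ?", (user_id,)
    ).fetchall()


def count_users(conn):
    """Number of rows left in the users table (shows whether the DELETE ran)."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    tautology = "smith' OR 't' = 't"
    stacked = "smith'; DELETE FROM users WHERE 't' = 't"

    conn = make_db()
    print("vulnerable, plain id:", lookup_vulnerable(conn, "smith"))
    print("vulnerable, tautology:", lookup_vulnerable(conn, tautology))
    print("driver refuses stacked:", single_statement_guard_trips(conn, stacked))
    lookup_vulnerable_stacked(conn, stacked)
    print("rows after stacked payload:", count_users(conn))

    conn = make_db()
    print("safe, tautology:", lookup_safe(conn, tautology))
    print("safe, stacked:", lookup_safe(conn, stacked), "rows:", count_users(conn))
```

The safe version treats the whole entered string, quotes and semicolons included, as the value to compare against userName, so both payloads simply match nothing and the table is untouched. Input validation on top of that is still worthwhile, but it is the parameter binding that removes the injection.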

This document was uploaded on 01/31/2014.
