THE SECURITY COMMUNITY is divided about the recent arrest of a security researcher who hacked into the website for the elections division of a county in Florida. The question is whether he deserved to be arrested as a criminal hacker, or was rather doing a public service by exposing a vulnerability that gave anyone access to the credentials of the site’s administrator.
Not in question, however, is the sophistication of his attack. It’s unanimous that the SQL injection method he used to expose the credentials—the security community pronounces it either as “ess-que-el” or as “sequel”—is one of the most basic and oldest tricks hackers use to get into websites and the contents of backend databases connected to those sites. Those databases can contain Social Security and credit card numbers, health records, or a host of other sensitive data, including log-in credentials for website administrators and others that can give a hacker access to other parts of a network beyond databases.
The attacks exploit a vulnerability or vulnerabilities in web applications that communicate with backend servers where the databases are stored. SQL stands for Structured Query Language and refers to a programming language used to add data to an SQL database or retrieve or manipulate that data. SQL injection vulnerabilities are among the most common vulnerabilities around and have consistently appeared at the top of vulnerability lists for years. The computer security firm Imperva calls it the “most pernicious vulnerability in human computer history” and says that between 2005 and 2011, SQL attacks accounted for 83 percent of data breaches.
Here’s how the attack works. When you visit a website, you communicate with an SQL database when you type your credentials into the log-in form, conduct a web site search or submit other kinds of data to the site.
An SQL attack occurs when hackers type SQL query code into that web form, and the web application that processes this input doesn’t properly check and validate it, thereby allowing the attacker to command the database to spill its data. Different commands get different results, and often an attacker will try variations to see what a database will spill. An attacker, for example, can send one type of SQL command to display the entire contents of a database in his or her browser, or use other commands to display parts of a database or give them the ability to add, modify or delete the contents of the database.
Take, for example, an e-commerce search form. A user can ask the site to return a list of Samsung TVs selling at a particular price. If the site has an SQL vulnerability, however, an attacker can insert a specially crafted string of code in the search box that might instead produce a list of all products in the database or, depending on the contents of the database, the email addresses and credit card numbers of anyone who purchased Samsung TVs.
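The search-form scenario above, as an added example that is not part of the original article: a constructed in-memory SQLite catalogue, a lookup that splices the user's input into the SQL text (the flaw the article describes), and the same lookup with bound parameters, which treats the input strictly as a value. The product data and the `search_*` function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample catalogue for the demo (not data from any real site).
PRODUCTS = [
    ("Samsung 55in TV", "Samsung", 499.00),
    ("Samsung 65in TV", "Samsung", 899.00),
    ("LG 55in TV", "LG", 450.00),
    ("Sony soundbar", "Sony", 199.00),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, brand TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn

def search_vulnerable(conn, brand, max_price):
    # String concatenation: the input becomes part of the SQL text, so the
    # database cannot distinguish the shopper's data from the query's code.
    sql = ("SELECT name FROM products WHERE brand = '" + brand +
           "' AND price <= " + str(max_price))
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, brand, max_price):
    # Bound parameters: the SQL text is fixed and the input travels
    # separately, so a quote inside it is just another character to compare.
    sql = "SELECT name FROM products WHERE brand = ? AND price <= ?"
    return [row[0] for row in conn.execute(sql, (brand, max_price))]

def demo():
    conn = make_db()
    honest = "Samsung"
    # The crafted string the article describes: it closes the quoted brand
    # value and tacks on a condition that is always true.
    crafted = "Samsung' OR '1'='1"
    return {
        "vuln_honest": search_vulnerable(conn, honest, 500),
        "vuln_crafted": search_vulnerable(conn, crafted, 500),   # every product
        "safe_honest": search_parameterized(conn, honest, 500),
        "safe_crafted": search_parameterized(conn, crafted, 500),  # no match
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Because AND binds tighter than OR, the concatenated query becomes `brand = 'Samsung' OR ('1'='1' AND price <= 500)`, which is why the vulnerable search returns the whole catalogue while the parameterized one simply finds no brand with that odd name.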
An SQL attack was responsible for the 2011 hack of security firm HB Gary Federal, which allowed members of Anonymous to steal passwords for the company’s corporate email accounts and dump more than 60,000 emails online.
SQL injection was also the attack vector in the recent hack of Chinese toy company VTech, in which the personal information of some 4.8 million parents and 200,000 children was stolen from the company’s site.
And it was the method that hacker Albert Gonzalez and his cohorts used in 2007 to hack 7-Eleven, Hannaford Brothers, Heartland Payment Systems and other companies to access millions of debit and credit card numbers.
There have even been suggestions that Mossack Fonseca—the Panamanian law firm that was the source of the recent massive Panama Papers leak—had an SQL injection vulnerability on its website, though it’s not known if this is how the whistleblower who leaked the documents to media outlets obtained them.
Usually, if someone uncovers and exposes an SQL injection vulnerability but doesn’t actually use it to take or access data, they won’t be arrested. It’s treated like any other white hat security disclosure. But in the recent case involving David Levin, who exposed the vulnerability in the Lee County elections website in Florida, Levin took his penetration test a little too far. He stole usernames and passwords as proof that he could get into the site’s database, then took information about the vulnerability to the candidate running against Lee County’s current elections supervisor. He then made a campaign video with the candidate, exposing the vulnerabilities in the site that the candidate’s political opponent oversees.
Levin now faces three felony counts of unauthorized computer access and appeared to admit his mistake on Twitter last week.
— David Levin (@realDavidLevin) May 9, 2016