A Guide to SQL Injections
What exactly is SQL Injection and how does it affect you?
Over the past 24 hours, the techie media has been alive with talk of what is being dubbed ‘the biggest data breach ever’, affecting nearly a billion passwords and half as many email addresses.
This news largely stems from the Milwaukee-based Hold Security, whose ‘You Have Been Hacked!’ post revealed details of the breach. It has emerged that the scam was coordinated by a Russian cyber gang, which Hold Security have named ‘CyberVor’.
‘CyberVor’ has stolen personal details, such as usernames and passwords, from an estimated 420,000 websites worldwide, using SQL injections and botnets.
You may be wondering: What on Earth is a SQL injection and how can I protect myself from a CyberVor-esque attack? We’ve put together an SQL injection survival pack below to give you a helping hand. But first…
What exactly is SQL injection?
SQL injection is a hacking technique in which an attacker exploits flaws in a website’s code whereby user-provided data isn’t properly sanitised and is inserted directly into a database query.
In such cases, an attacker can replace the expected input with input that contains SQL which the database will recognise and execute. Depending on how the software handles the database’s response, the hacker could end up with access to all the private information in that database.
How can you safeguard your website from SQL attacks?
This can get pretty technical, as the attacks target the deepest level of your database: the code that talks to it. A knowledge of coding is handy as the first line of defence for your technology. As always, though, your attack resistance needs to be built in from the get-go.
The Open Web Application Security Project, or OWASP, works to improve the visibility of software security, helping organisations worldwide “make informed decisions about true software security risks”. They recommend two ways in which you can reduce the risk of SQL attacks…
Parameterize queries using bound, typed parameters
Parameterized queries separate the query from the data through the use of placeholders known as “bound” parameters, so the database treats user-supplied values as data rather than as part of the SQL.
Careful use of parameterized stored procedures
Most forms of SQL injection can be avoided by using parameterized stored procedures. Combined with bound, typed parameters, this reduces the risk of SQL attacks dramatically.
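To make the first recommendation concrete, here is an added example (not code from the original article or from OWASP) that puts the flawed query beside its parameterized form. It uses Python’s built-in sqlite3 module with a constructed in-memory table of made-up users; SQLite has no stored procedures, so only bound, typed parameters are shown.

```python
import sqlite3

# Constructed sample rows for the demo (not real accounts).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """The flaw the article describes: user input is pasted straight into the SQL text,
    so the database cannot tell where the query ends and the data begins."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """OWASP's first recommendation: the SQL text is fixed and contains only a
    placeholder; the value is bound separately and is never parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_user_by_id(conn, user_id):
    """Bound AND typed: anything that is not a plain integer is rejected before
    it reaches the database, so a string can never stand in for a numeric id."""
    if type(user_id) is not int:
        raise TypeError("user_id must be an int")
    sql = "SELECT id, username, email FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"  # the kind of input the article warns about
    print(find_user_unsafe(conn, crafted))  # the whole table comes back
    print(find_user_safe(conn, crafted))    # [] - no user has that literal name
```

Running the script shows the difference directly: the concatenated query hands back every row, while the bound query returns nothing because no username literally equals the crafted string.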
For a techie low-down about SQL injections and the avoidance of security breaches within your own databases you can head to owasp.org.
Struggle to speak techie? Think you’ve been hacked?
From what we can gather, the worst you can expect from the Russian data breach is a few spoofed emails, which are sent from a false email address. These can contain malicious content, so you must never open links you are unsure of. Running a simple malware scan on messages you are unsure of could protect your computer from a virus or other infection. Then, adopt the following online data security best practices…
Wrap your site in cotton wool…
There are plenty of ways you can protect your data, just in case your details have been leaked as the result of a SQL attack…
Make regular password changes
This may seem overly simple, but it can be a great safety jacket to slip onto your website, saving you from attacks. The more unusual, individual and personal your password is, the harder it will be for potential hackers to break through. Remember to include letters, numbers and symbols when creating your password: Lord of the Rings fans could, for example, pick Y0U5h4LLn0tPAS5 (although it’s best not to use that exact one, as it is now public property!). Make sure your password varies site-to-site, or you become easy pickings for hackers.
Do the verification two-step
Where possible, try to set up a two-tier access process! Sending a verification code to your phone when you try to access your site from a new device can put up a hacker-smashing blockade. It may be an annoying process, but it won’t be half as annoying as recovering breached info – remember that!
Ride the update wave
Keeping your software up to date is essential to safeguarding your information. Holes in software are patched and resolved with every update, so don’t leave your site open to a breach that could have been avoided with a simple update. It’s like leaving your gates unlocked to the hungry public with a buffet on display, with only a rickety fence barring their way.
Pay attention to your emails
Mark any messages that you think are spam. This helps your provider identify where spam mail is coming from, and also lets you spot bounce-back messages, which could indicate that you’re unknowingly spamming others.
If you have any concerns about SQL injections, contact the WestHost support team.