Writing for New Media Wiki
SQL injection


Introduction

What is SQL?

SQL stands for Structured Query Language. In the most basic sense it is a computer language that is used to retrieve, manage, and communicate information within a database. It became a coding standard in 1986 and since then has become very prevalent and widely used.[1]

What is SQL Injection?

SQL injection is a cyber attack method where malicious SQL code is inserted into a web form to gain access to resources, applications or databases. "The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data."[2] These attacks are designed to do things like steal information from companies or organizations, including users' personal information or login credentials, credit card numbers, social security numbers, etc.

Prevention

SQL injection is one of the many vulnerabilities that computer systems, servers, and web sites face on the World Wide Web. Fortunately, SQL injection is mostly preventable, and it is an easy vulnerability to apply some pretty thorough defenses against. SQL injection is considered the number one critical web application security flaw as determined by the OWASP top ten list.[3]


XKCD's "Exploits of a Mom" on SQL injection

This link talks about the several ways a company can protect itself through software and code.
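As an added example (not part of the original wiki page), the Python sketch below contrasts a login query built by string concatenation with a parameterized one, using the standard-library sqlite3 module. The users table, the function names and the sample rows are constructed assumptions for illustration.

```python
import sqlite3

# Constructed sample input: form text containing quote characters.
HOSTILE = "' OR '1'='1"


def make_db():
    """Build an in-memory database with constructed sample rows.

    Plaintext passwords are used only to keep the example short;
    real systems store salted password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, name, password):
    # Vulnerable: form input is pasted into the SQL text, so quote
    # characters in the input change the structure of the query.
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    # Hardened: the SQL text is fixed and the driver binds the input
    # to the ? placeholders as data, never as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_vulnerable(db, "alice", HOSTILE))
    print("parameterized:", login_safe(db, "alice", HOSTILE))
    print("valid login  :", login_safe(db, "alice", "s3cret"))
```

With the concatenated query the WHERE clause becomes true for every row, so the check is bypassed; with placeholders the same input is compared as a literal password and matches nothing.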

Law Repercussions for Organizations

Because the consequences of a successful attack are so harmful to clients or users, and because SQL injection attacks are generally thought to be preventable by taking the proper security measures, they can be very costly to an organization in terms of lawsuits. A recent example can be seen in a five million dollar lawsuit against the popular professional social networking website LinkedIn. This lawsuit claims that LinkedIn did not take proper precautions or measures to prevent a SQL injection attack occurring within their database systems. The lawsuit claims that the personal information of millions of users was leaked as the result of an attack. LinkedIn, however, denied that any personal information was ever compromised.[3]

Law Repercussions for Perpetrators

SQL injection is considered a felony in most jurisdictions, and even an attempted or non-malicious exploration of a database through injection methods is considered highly illegal and costly to the accused.[4] In fact, in a recent case, an individual was sentenced to 41 months in prison and a $73,000 fine after merely pointing out that they had gained access to AT&T customer emails through SQL injection.


Punishments can also be very severe. In 2010, hacker Albert Gonzalez received a 20-year prison sentence after he was accused of stealing the credit card numbers of 130 million individuals and causing an estimated $200 million in damages.[5] One of the attack methods Gonzalez allegedly used was SQL injection. This was the most severe punishment for cyber crime in US history, and it established a new standard for the priority governments will place on cyber security breaches and reprimands in the future.

Sources

[1] http://en.wikipedia.org/wiki/SQL_injection#cite_note-2

[2] http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html

[3] http://nakedsecurity.sophos.com/2012/06/21/linkedin-slapped-with-5-million-class-action-suit-over-leaked-passwords/

[4] http://www.techdirt.com/articles/20130929/15371724695/dojs-insane-argument-against-weev-hes-felon-because-he-broke-rules-we-made-up.shtml

[5] http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=224200531&queryText=gonzales+sentencing

