Monday, October 22, 2007

Home use Wireless Routers – Are they safe?


One of the most common questions I am asked regarding home use wireless routers is "What is the risk if someone uses my Internet connection?" The answer below highlights the concerns, some of which are critical. Is it just free internet they are after, or is something else at work here?

It’s not just free internet they are after. There are many other goals to using someone else’s connection. They are:

1) Hijacked connection
Someone using your internet connection can use that connection to attack another computer. A hacker who tries to attack a target, particularly a secure target, will never use his own Internet connection because secure targets always log all activities. While it is true that a hacker can spoof his connection details and mask his location, it’s easier and less risky to use someone else’s connection. That way the hijacked connection will be logged and will potentially get the blame for the attack, keeping the true attacker anonymous.

2) Attack the host computer or another computer on the same network
Despite the ever decreasing cost of buying a new computer, most computers being used in homes these days are still on old versions of operating systems such as Windows 95/98, and moreover they have no active anti-virus protection (some even have anti-virus software installed, but it is not active because the trial period is over and/or it was never activated by the user). This is mildly surprising given that the date of this writing is October 2007. It is significant because the older operating systems are very easy to penetrate.

Once penetrated via the wireless connection, the hacker can install simple software, known as a Trojan horse, that will automatically transmit to the hacker personal information such as passwords, internet history etc… This information would allow the hacker to log in to your bank account or even connect to your office using your VPN and do an incredible amount of damage.

This is a common approach as it provides good results for hackers with minimal risk.

3) Hijacked computer - the Zombie
This differs from #1 above in that a hijacked connection can be used only at that specific time for an attack. A computer that has been compromised and turned into a Zombie can be used repeatedly at the will of the hacker. This is accomplished in the same way as above, through the installation of software via the wireless connection. The software allows the hacker to remotely activate a coordinated attack from an army of Zombies. This then involves your computer in a criminal offense (alarmed yet?)

4) Data Stash or Data Store
There are many hackers who have lots of stolen (or otherwise illegal) data that they need to hide. They can easily use a victim’s machine to store the information on. The techniques they use are masked so well that only forensic computer tools can detect what has happened. The files will not be visible to the user and the disk space will also not show as used – it’s very hard to know when this has happened.

5) Bandwidth
There are some hackers who will use your connection to download or upload very large amounts of data. These files can be many Gigabytes in size and can cause additional billing on someone’s internet connection.

6) Privacy Violations
Imagine a hacker activating your microphone and just listening in on conversations in your house. They can access the camera in the same way if your computer has one. If a corporate attack is underway, a home-based privacy attack can provide good inputs to support a corporate attack. A CEO or CIO might be good targets for a home based privacy attack.

How can we protect ourselves?
The level of protection required will vary from person to person depending on what activities one engages in. The protections to implement are as follows:

1) Configure your Operating System Firewall (most operating systems have one included) to have some level of protection. There are also many commercially available options that can replace or supplement the one built into the Operating System. They are not overly complex to configure and there are many manuals and step by step guides available either with the software or free over the Internet.

2) Install up-to-date anti-virus software, ideally one that also provides anti-hacking protection. It’s advisable that one also learn how to use the software effectively as most anti-viruses have many protections that you need to know how to work with. There are many good tools out there, but as of this writing I use Kaspersky on my computers.

3) When your computer is not in use, shut down your router or internet connection.

4) If you need to store any critical information such as bank account details, private keys or something similar, store it on secure media such as a secure USB drive that keeps the information encrypted so it can't be retrieved by a hacker.

5) Use the encryption and other security features provided within the Router itself. The hardware units that provide the wireless service come complete with documentation that outlines how to configure the security features. It may take a little while to understand how to set it up and then how to configure the legitimate computers to have access, but it’s a worthwhile exercise.

Saturday, October 20, 2007

Identity theft and Social Engineering

Identity theft - The Application of Social Engineering

Identity theft occurs when someone represents themselves as you and then enters into one or more transactions on your behalf. They can open a bank account, apply for a credit card, apply for a passport or other government ID, and they can even steal your house – selling it while you live there. The consequences of identity theft to someone’s life can be enormous and very arduous to undo.

Identity thieves rely on basic values that are part of the fabric of society – honesty, common sense and the desire to help one another.

Different Social Engineering (synonymous with manipulation) techniques work differently with different people. Chinese philosophy identifies 5 different types of personalities, and each type makes decisions based on different criteria. For example, there are some people that are very cold and sharp and make fact-based decisions. Social Engineering for these people will involve explicit deals that they can't refuse. Another example is the compassionate personality, people who love to help others. Social Engineering for these people will involve a heart-breaking story which will make them give the thief what they seek.

Each personality is susceptible to different approaches. You can develop a custom Social Engineering technique for each type of personality.

Tools

Thieves will use Phone, Email, SMS (text messages), paper Mail and even direct contact to accomplish their task which is getting critical information from you. All types of Social Engineering are directed to the same goal and that is manipulating you into sharing sensitive information with the thief. The most common way of running a Social Engineering attack is by phone or email.

Common attack scenario

Someone contacts you by phone in order to get some data from you. They may introduce themselves as “Rob, calling from the Visa security department”. They will alert you to a $2500 transaction on your account from a location in Thailand and will ask you if you initiated this transaction. This immediately alarms you and puts you off balance wanting to make the problem go away and to assure your good standing with Visa. So when “Rob” asks you to confirm a few details such as your Visa account Number and expiry date so he can cancel the transaction, you will be only too happy to oblige.

Now you have equipped the thief with all the information he needs to run up real charges on your card, or worse, he can use that information as leverage to commit an even bigger crime such as emptying your bank account or stealing your house. The people committing these crimes have no conscience and will gladly take anything and everything they can from anyone.

The same types of information gathering ploys are at work over other communication mediums such as Email and SMS.

Dumpster Diving

Dumpster diving is when the thief takes a less overt approach and literally digs through your garbage looking to gather data that way. Pre-approved credit applications from your bank are a great example of something valuable for an identity thief to take from your garbage. They can accumulate a fair amount of information from a few pieces of discarded mail.

Prevention

  1. Everyone should own a shredder and should use it with any discarded mail, especially anything of a financial nature.
  2. Be wary! There is no free lunch. No one will give you anything for free. No one can profit by giving anything away. When you receive email, paper mail or a phone call with a free offer, delete, shred or terminate the conversation as appropriate.
  3. If you own property, call the lawyer that worked on the transaction for you and ask him if you have Identity Theft Insurance for your property. It is also commonly referred to as Title Insurance. If you have it, ask him to send you a copy and verify its contents. If you do not have Title Insurance then by all means get it immediately. It is not comparatively expensive and should only be a one-time fee. In the event that someone steals title to your house and sells it without your knowledge or consent, you can get your money back. It is common today for a lawyer working on the purchase of a house to require the buyer purchasing the house to get Title Insurance as a condition of the deal.
  4. Treat Email as the most unreliable communication possible! You can get Emails from a thief that appear to be from someone you know. Email is very easily altered. Banks and other financial institutions will never ask you to send them sensitive information using Email. If you get Email that asks you to send your information or click on a link to login to your account, this is likely fraud.
  5. In the event that a Bank, a government agency or any other service provider calls you regarding a problem and asks you to identify yourself, stop the conversation. Ask the person for his name and department and tell them that you are going to call the company and ask for them. Use the phone number that is published on their website or printed directly on your credit card. Do not trust the phone number that they may offer to provide you.
  6. Your system administrator (either at work or your provider at home) will never ask you to divulge your password. Usually when a thief contacts you and asks you to change your password, he will try to put pressure on you so you will not think and will oblige him. Once you offer your password they can obviously do damage.
  7. In North America people tend to trust each other unless they are alerted to something amiss. Be more suspicious of information requests and don't be afraid to ask questions and challenge people (politely of course :-)). If you see someone you don't know working in your office (electrician, cable guy, etc.), ask your office manager who he is, or if you are the manager try to find out who he is and who gave him permission to work in the office.
  8. Free software and hardware are a common way for thieves to gain your identity details. They may send you a CD with free software or provide you a free USB key with great options on it. Once you use it, a spy program (Trojan horse) will likely be installed on your machine and it will:
    • Send the thief all your passwords, personal files, browser history and all the information you would like to be protected.
    • Install a key logger that will send the thief everything you type on your keyboard, which is another avenue to trap passwords.
    • Let the thief use your computer as a penetration point to more computers on your network or anywhere on the web.
    • Let the thief remotely install software on your machine that will make your computer a “zombie”. A zombie is a totally controlled soldier unit that acts as part of a big army that, when commanded by the attacker, can participate in attacks on targets inside or outside your company (which is a criminal offense that you now have been an unwitting part of).

Trojans can be integrated into any software, even cool screen savers, games, etc. and they can do enormous damage.

Everything you have read here is from my personal experience as an IT security consultant. Feel free to use this information however you like, passing it on to others as you wish. The more people that know how to defend against Identity theft, the harder it will be for the thieves to find victims. Be alert, and when in doubt in this realm it’s always best to err on the side of caution.

Thursday, October 18, 2007

What you need to expect from your USB drive

Many companies provide USB drives that provide some kind of security. Below is a list of what you need to expect from your USB drive...

  • Hardware encryption for sensitive files
  • Internet Authentication
  • keeping your Private keys secure
  • 100% mobility (can use the USB on any computer)
  • Secure surfing from any computer
  • Passwords Manager (no need to type the passwords again and again), that will protect you against key loggers
  • Remember the username and passwords (after first login)
  • Protect against Phishing (will log you automatically only if the site matches the original signature to prevent Phishing)
  • Data can be shared between USB keys (in case you have a few employees)
  • Allow backup all the USB data in a secure way (in case of lost USB)
  • Private Internet surfing (prevents MITM attacks and session hijacking, uses known DNS servers in case your DNS server or hosts file is poisoned, and uses a secured tunnel from your machine to the supplier's servers)

The price range of these products is $70 to $200 per USB key.

Saturday, October 13, 2007

Cyber Security – Past, Present and Future

When one takes a penetrating look at the components of computer crime it reveals itself to be the same as any other crime. There's an attacker and a victim, and the attacker requires the same three components to be successful – Motive, Opportunity and Means (MOM).

In recent history computer crime was less prevalent as the elements of MOM were few. Naturally the ever-present profit has always been around, but punitive revenge attacks such as denial of service, and malicious random attacks such as viruses created out of ego, are relatively new Motives. Means and Opportunity have also greatly increased as both computer knowledge and computer access have increased.

Years ago, few enough people knew how to operate a computer and even if they did there was little value in attacking them. Most companies that might have been the target of an attack were not even connected to the internet. Now that the internet is all but ubiquitous the Means and Opportunity are vastly increased.

As we have evolved, computers have become more user-friendly, and many more people have started to use them, which has added more MOMs (easier access using the internet, money transactions all over the web, online gaming sites, web-based banking etc…)

Looking at IT security history, the bad guys were always far more sophisticated than the people who tried to stop them, if those people were even aware of the threat, and the term security was only applicable in the physical world. Even if companies could conceive of IT security, it was almost impossible to achieve because of the lack of security professionals and the lack of security protection tools in the marketplace.

Today it's a different story. MOM is more powerful than ever. Even the uninitiated can download powerful intrusion tools and can find free written guides to penetrating systems. Millions of pages of instruction are available to anyone interested in reading them – massively accessible Means. In a few minutes you can hack a bank account and steal someone's life savings because there are still many financial institutions that are not protecting their clients and their systems with any sophistication – for some this presents irresistible Opportunity! So we see the stage is set today - powerful Motive, perfect Opportunity and the best Means.

Today the vulnerability in the electronic space can be reduced. There are many products and strategies that can be deployed. There are many robust tools out there that log attacks and prevent them in real-time. These tools and strategies can provide security for a committed company. As long as the defense is treated as an ongoing process and not an end-state the battle can be well-waged.

Another new aspect is that as our laws regarding cyber crime evolve, more and more computer crimes are being sent to court and attackers are being sent to prison. Computer crime is being prosecuted just like physical crime, so that when attackers try to attack a virtual target they will have the same chances of being caught and punished as criminals committing crimes in the physical world. Eventually only the most skilled attackers will escape prosecution, the same as in the physical world.

Having had a brief look at yesterday and at today, let's now examine what we expect for tomorrow.

So can we conclude that if companies can apply their focus and attention to providing ongoing modern IT security then most of the attackers can be easily kept unemployed? Unfortunately we cannot. As attackers are blocked from attacking one way they will seek another. In the past, attackers attacked networks and hosts until that became too difficult, so they switched their focus to attacking applications, which were more vulnerable than hosts.

Being blocked at the application level, attackers are now preying on the end users directly. This can easily bypass most of a company's IT security protocols and processes. In the last few years we have seen new attack patterns like XSS, Phishing and other client-side attacks which take advantage of the fact that most users know nothing about IT security or their role in keeping things secure.

It was noted above that a bank with weak protection could be compromised in a few minutes. A bank where IT security is current and advanced, can be much more difficult to compromise through a direct system attack. A much easier way to attack a bank account in a protected institution would be to trick a user into providing all of their login and other access details. This is the goal of most Phishing emails we see on a daily basis. These emails often ask for some sort of verification – in fact most of these emails are dressed up as security checks! In reality the user is redirected to a cloned website where the login data is captured and later used to compromise the account.

The same technique can be used for stealing security details from employees. Phishing emails, phony phone inquiries and other social engineering techniques can be easily used to get confidential data that can later be used to penetrate corporate systems for any nefarious purpose. Shockingly, the best way to get someone's security details such as a login ID and password combination is to just ask them for it! :-)

So while the electronic battle is being waged in the corporate world and the defense of systems is getting better every day, individuals are still very much at risk. Root causes are older operating systems at home (most users are still running Windows 95/98), no anti-virus protection, and the general view of the computer as a home appliance. Unlike a refrigerator, which might run 10 or even 20 years, a computer cannot be used for the same length of time, and also you don't store your life savings in the refrigerator (except in movies and some crazy people).

People need to increase their security education and awareness and to form new habits while breaking old ones (e.g. stop writing passwords on post-its and sticking them to the monitor). The more we know the more we can protect ourselves from the bad guys.

Sunday, September 16, 2007

Web Application Firewall

Many web developers and system administrators don't know what a Web Application Firewall is or how to use it.
A Web Application Firewall can protect the application and the server from standard web attacks and from very complex attacks (depending on the configuration you provide).
Mod_Security is an open source Web Application Firewall that does the job very well (it saved me more than once). It can be customised easily and provides impressive protection and reporting. One of its features is to monitor uploaded files and to inspect them before they hit your application. You can use a PHP script to inspect the file being uploaded, reading the file's path from the $argv array.
You can use the Linux file command to inspect the file. It will return the real file type (if an *.exe file is being uploaded as a *.gif file, the file command will catch it).

Core Rules Content
1. HTTP protection - detecting violations of the HTTP protocol and a locally defined usage policy.
2. Common Web Attacks Protection - detecting common web application security attack.
3. Automation detection - Detecting bots, crawlers, scanners and other surface malicious activity.
4. Trojan Protection - Detecting access to Trojan horses.
5. Errors Hiding – Disguising error messages sent by the server

Some of the issues addressed are:

* SQL Injection
* Cross-Site Scripting (XSS)
* OS Command execution
* Remote code inclusion
* LDAP Injection
* SSI Injection
* Information leak
* Buffer overflows
* File disclosure

for more information please visit: http://www.modsecurity.org/projects/rules/index.html

UrlScan is the free answer for Microsoft server users. I can't say that it is impressive, but it can prevent many web attacks.

What I am trying to say is... if you have a web application then you must have a Web Application Firewall !!!

Undefeatable Password

You and Your Password

You might have heard the term “Strong Password” and may have wondered what it meant. Strong implies that it is more difficult to compromise and making it a stronger password is fairly easy to do. First we would like to lay out a few background facts and then we will show you an easy way to create a strong password.

Facts:

  • People are the weakest link in the security chain, and the easiest way to get a user's login details is by asking him/her for it (see our related article on Social Engineering to see how this is done).
  • Breaking alphanumeric (numbers and letters only) passwords will only take a few minutes for a skilled hacker, even if the password is up to 14 characters long.
  • Most passwords are a combination of a name plus a few numbers, 8 characters long (jack1234).
  • Most people will write down their passwords and store them in an obvious place like under the keyboard or pasted to the monitor.

Strong Passwords

The real goal here is to make a password that is not only strong but one that is easy enough for you to remember without writing it down.

We recommend creating a password with two distinct parts: part one is the password’s first 3 characters combined with the last 3 characters, and part two is the characters between those two sections.
Part one can be a constant and part two will need to change every time you change your password. We recommend changing the password every 30-60 days – I know this sounds tedious, but rebuilding your credit rating and trying to recover your stolen house are far more troublesome!

Part One

Part one contains the first and the last characters of the password and we recommend that it contain symbols and/or special characters and/or numbers. By using the special characters you are making a Brute Force attack a much more challenging exercise for a hacker. A Brute Force attack is when someone uses software to attempt every possible combination until one works. For every character you add to the sample set the job gets much larger for the attacker. Eventually, if enough different characters/symbols are used, it becomes impossible to use Brute Force unless they have a few months to wait for the password.

A key concept of part one is to build it in a way that you will remember it.
For example: !@# )(* seems rather random but it's actually (looking at the keyboard) 123 and 098 typed with Shift held. You can now see that you can leverage extra symbols in a way that is meaningful only to you.

Part Two

Part two needs to have at least 8 characters using lower and uppercase letters and also numbers (same rules as you typically use now when renewing your passwords).
For example: Lior1234

So my Strong Password could be: !@#Lior1234)(*

Remember the goal of using as broad a symbol set as possible and still making it easy for you to remember.
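As an added illustration of why the symbols in part one matter (example code written for this post, not the author's), the functions below identify which character classes a password draws on and size the brute-force search an attacker faces; the guess rate used for the time estimate is a constructed assumption, not a measurement:

```python
#!/usr/bin/env python3
"""Size the brute-force search for a password from the character classes it uses.

Added example: the two-part scheme and the sample passwords come from the post;
the guess rate used for the time estimate is a constructed assumption.
"""
import string
from typing import Dict, Set

# Character classes an attacker must cover once a password is known to use them.
CLASSES: Dict[str, Set[str]] = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
}


def classes_used(password: str) -> Set[str]:
    """Which of the four classes appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def pool_size(password: str) -> int:
    """Size of the alphabet a brute-force run has to cover."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def search_space(password: str) -> int:
    """Number of candidates of the same length drawn from that alphabet."""
    return pool_size(password) ** len(password)


def worst_case_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Time to exhaust the space at a constructed rate of 10^9 guesses per second."""
    return search_space(password) / guesses_per_second


def build_two_part(prefix: str, middle: str, suffix: str) -> str:
    """Assemble the post's scheme: a constant part one around a changing part two."""
    return prefix + middle + suffix


def strength_gain(weak: str, strong: str) -> float:
    """How many times larger the search space of `strong` is than that of `weak`."""
    return search_space(strong) / search_space(weak)


if __name__ == "__main__":
    weak = "jack1234"                                   # the post's typical password
    strong = build_two_part("!@#", "Lior1234", ")(*")   # the post's example
    for pw in (weak, strong):
        years = worst_case_seconds(pw) / 31557600
        print(f"{pw!r}: classes={sorted(classes_used(pw))} pool={pool_size(pw)} "
              f"space={search_space(pw):.3e} worst case={years:.3e} years")
    print(f"search space grows by a factor of {strength_gain(weak, strong):.3e}")
```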

Saturday, September 15, 2007

File Intrusion

Threat description: An intruder file is introduced into the hosted web site through an invasive file submission. This threat can be executed very simply through a short HTML form (3 lines!). This is a less common but highly impacting attack. Any file of any type can be introduced in this fashion, and unless you have taken specific measures to prevent this specific type of attack, your web site can be easily breached.

This threat is a multistage attack, with each subsequent step driving the attack further into the web site.

Stage 1: upload the intruder file via the short form

Stage 2: activate the file

Stage 3: retrieve any stolen data (password, client files etc…)

Threat impact if not remedied: Depending on the file type uploaded different impacts can be felt. The file types can range from executables delivering viruses or destroying data through to simple text files with scripts that can further compromise security through password discovery. The damages of this type of an intrusion are limited only by the intentions and creativity of the attacker.

Countermeasure approach: The countermeasures for this type of attack cannot be effectively deployed at the network or host layer. Firewalls and host intrusion detection tools cannot detect this type of an attack as the channel for the attack is a legitimate channel for data flow into the application. The file would flow right through the open ports on the firewall and would march right past host intrusion detection software. The only way to use these tools to protect you would be the blunt approach of screening out all uploaded data and/or files. This would likely constrain the application in question. However if the below described approach is taken then these tools can play a small part in the ongoing remediation.

Instead the countermeasure must be deployed at the application level. This threat is remedied by building a filter on uploaded data. Many websites have pages that allow data to be legitimately uploaded, so files must be screened. The filter has a predefined sequence of steps it takes to assess the data. The filter will vary by the application and environment it is protecting. It can assess a variety of things, from the file source (legitimate server?) through to the content.

As expressed, the filters will vary greatly by application, but a simple example of the sequence could be:

File acceptance steps:
Step 1) Server source of file inspected – valid server? yes/no

Step 2) Page source is inspected – valid page for file upload? – yes/no

Etc…

Once the file itself is accepted, a secondary validation phase can be executed to validate the file type and content:

Content acceptance steps

Step 8) File type acceptable – valid file type? Yes/no

Step 9) File content check – safe content? Yes/no

Etc…

This sequence is one designed to look for reasons to reject the data. Each step is logged and capable of an alert so that immediate severe threats can be addressed, and the logs can later be inspected to ensure no legitimate data is being rejected. The logs are also a useful data source to learn about any ongoing or continued attacks. Tip: If you see a repeated attack from a consistent IP then the firewall can be made more useful by adding the IP address to the blocked traffic list that can be enforced by the firewall.

Lior Izik CEH
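The staged filter described above, written out as an added example that also serves the Mod_Security upload-inspection note in the Web Application Firewall post (this is example code, not the author's or the ModSecurity project's). The hostnames, page paths and allowed-type list are constructed; magic-byte signatures stand in for the Linux file command so it runs without external tools, and `inspect_bytes` returns its verdict in the ModSecurity @inspectFile convention (a line starting with 1 to accept or 0 to reject):

```python
#!/usr/bin/env python3
"""Staged upload filter with per-stage logging, plus a verdict function in the
ModSecurity @inspectFile style ("1 msg" accepts, "0 msg" rejects).
Added example, not ModSecurity's code: hosts, pages and the allowed-type list
are constructed, and magic-byte signatures stand in for the Linux `file`
command so the script runs without external tools.
"""
import logging
import os
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

log = logging.getLogger("upload-filter")
VALID_HOSTS = {"www.example.com"}                      # stage 1 (constructed)
UPLOAD_PAGES = {"/upload.php", "/profile/avatar.php"}  # stage 2 (constructed)
ALLOWED_TYPES = {"gif", "png", "jpg", "pdf"}           # stage 8 (constructed)
ACTIVE_MARKERS = (b"<?php", b"<script", b"<%")         # stage 9: script inside a "picture"
# Leading bytes of common types; an .exe renamed to .gif still starts with "MZ".
SIGNATURES = (
    (b"GIF87a", "gif"), (b"GIF89a", "gif"), (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"), (b"%PDF-", "pdf"), (b"MZ", "exe"), (b"\x7fELF", "elf"),
)

@dataclass
class Upload:
    referer_host: str   # server the form claims to have come from
    referer_path: str   # page that submitted the form
    filename: str       # name claimed by the client
    data: bytes         # file content

def detect_type(data: bytes) -> str:
    """Real type from the leading bytes, as `file` would report, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def claimed_ext(filename: str) -> str:
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return "jpg" if ext == "jpeg" else ext

# Every stage returns None to accept or a reason string to reject.
def check_source(u: Upload) -> Optional[str]:
    # The Referer is client-supplied and easily forged (Tip #2 of the next post),
    # so this gate only removes careless attempts; the later stages decide.
    return None if u.referer_host in VALID_HOSTS else f"unknown server {u.referer_host}"

def check_page(u: Upload) -> Optional[str]:
    return None if u.referer_path in UPLOAD_PAGES else f"page {u.referer_path} takes no uploads"

def check_type(u: Upload) -> Optional[str]:
    real = detect_type(u.data)
    if real not in ALLOWED_TYPES:
        return f"real type {real} not allowed"
    if claimed_ext(u.filename) != real:
        return f"extension .{claimed_ext(u.filename)} hides a {real} file"
    return None

def check_content(u: Upload) -> Optional[str]:
    # A picture or PDF has no reason to carry server-side script or HTML tags.
    for marker in ACTIVE_MARKERS:
        if marker in u.data:
            return f"active content marker {marker.decode()} found"
    return None

STAGES: List[Tuple[str, Callable[[Upload], Optional[str]]]] = [
    ("source", check_source), ("page", check_page),
    ("type", check_type), ("content", check_content),
]

def run_filter(u: Upload) -> Tuple[bool, List[str]]:
    """Run the stages in order, log every verdict, stop at the first rejection."""
    trail: List[str] = []
    for name, stage in STAGES:
        reason = stage(u)
        if reason is None:
            trail.append(f"{name}: ok")
            continue
        trail.append(f"{name}: reject ({reason})")
        log.warning("upload %s rejected at stage %s: %s", u.filename, name, reason)
        return False, trail
    log.info("upload %s accepted", u.filename)
    return True, trail

def inspect_bytes(data: bytes) -> str:
    """Verdict line for @inspectFile: ModSecurity passes only a temp file path
    (no claimed name or page), so just the content stages apply here."""
    real = detect_type(data)
    if real not in ALLOWED_TYPES:
        return f"0 real type {real} not allowed"
    reason = check_content(Upload("", "", "", data))
    return f"0 {reason}" if reason else f"1 clean {real}"

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:   # temp file path handed over by ModSecurity
        print(inspect_bytes(fh.read()))
```

The trail returned by `run_filter` is the per-step record the post asks for: a rejected upload shows exactly which step fired, and an accepted one shows every step that passed, so later review can confirm legitimate data is not being turned away.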

Application Performance Attacks

Threat description: Applications can be attacked from many sides. One type of attack focuses its impact on driving application service levels down. The attack tries to overwhelm the server with activity so as to impact application performance, even to the point of bringing the web service down. Distributed Denial of Service (DDOS) attacks have historically been the most well-known attacks in this category. DDOS attacks harness the power of many “hijacked” computers to flood a site with multiple requests for pages or other server services in a coordinated effort to drown the server. With the advent of smarter firewalls and other monitoring tools the occurrence of successful DDOS attacks on prepared servers has dramatically decreased. Any over-active, suspicious activity from a specific IP address, or set of IP addresses, triggers a screening process that filters traffic from those IP addresses, keeping it from ever affecting server services.

Through our efforts to assist customers in securing their web-based applications we have discovered a new breed of Application Performance attack. These attacks now being directed at servers are much more insidious. The principles are the same as a DDOS attack but instead of overloading the server at once with a huge level of traffic, the traffic is distributed throughout the day on an ongoing basis. If IP spoofing is used then a smaller number of computers can be used in the attacks as the spoofed IP addresses appear to be from many different sources, allowing one computer to provide a high level of attack traffic. The time of day distribution and IP address spoofing prevents any one IP address from triggering any automated alerts. The traffic is modeled after the same patterns of legitimate traffic and is centered during the hours that typically provide the peak levels of volume. Increasing traffic in the middle of the night is avoided as it makes the traffic obvious to any active monitoring. Large numbers of computers are still used for this type of an attack but the goal is not to crash the server, but instead to drive traffic levels way up.

Threat impact if not remedied: This causes increased costs for network bandwidth, hard disk space (logging), CPU cycles and even resource time spent trying to diagnose the slowed performance of the server. In addition to the increase in variable costs, these attacks significantly affect performance. If this type of attack goes undetected and the increased traffic is mistaken for legitimate traffic then the possibility exists that an organization might even resize their infrastructure to accommodate the perceived increased interest through the bogus increase in traffic levels.

Service levels delivered by the application can clearly be affected through the slowed performance and potential down-time resulting from the attacks. For commercial sites that rely on transactional revenue this can obviously impact that revenue, and depending on the duration of down-time can even be ruinous to their business. On the web, competition is only a click away.

Countermeasure approach: The countermeasures for this type of attack are multifaceted. There are commercial tools readily available on the market today that can easily detect and prevent IP spoofing. We can review your specific infrastructure and recommend an IP spoofing detection strategy or toolset. Some firewall products offer it as a feature and some Operating Systems even offer a measure of IP spoofing detection.

However the more complex task is to identify unwanted traffic and to eliminate it. The concept is to build a filter application that is called wherever the application itself is called. The filter application is predicated on IP spoofing detection being in place and functioning correctly. The application has a staged verification process that first logs all requests on the server for later reference. Secondly, the filter evaluates the IP source address against a list of blocked addresses. Thirdly, if the IP address passes the blocked list, the traffic level is measured to see if it is over a predefined threshold of acceptable levels. These thresholds are parameter and rule driven and are established by the business to ensure that they do not block legitimate traffic. Measures such as requests per minute, per hour or per day can be used separately or together. The logged requests are the source for the frequency measures. There is a process we have employed to stage an address into the blocked list so that legitimate users do not get accidentally blocked.

Tip: When creating filter applications you must ensure you do not accidentally prevent search engine robots from accessing your site. The robots come at varying intervals and may sometimes trigger your filter to block them. The way around this is to also create an “ok to submit” list in the same way as you have a blocked address list, and to ensure the robots are properly referenced on this list.
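The staged filter described above, written out as an added example in Python that is not part of the original post: every request is logged first, then the blocked list is applied, then the per-minute, per-hour and per-day thresholds, with the “ok to submit” list from the tip letting known robots bypass the thresholds. The class name, the threshold values and the addresses are assumptions, and the traffic is constructed.

```python
"""Staged request filter (added example, not the original post's code).
Thresholds, names and the sample addresses are assumptions."""
from collections import defaultdict, deque

# Business-set thresholds, assumed here: name -> (window seconds, max requests).
THRESHOLDS = {"minute": (60, 30), "hour": (3600, 500), "day": (86400, 3000)}


class RequestFilter:
    def __init__(self, blocked=(), ok_to_submit=(), thresholds=THRESHOLDS):
        self.blocked = set(blocked)              # staged blocked address list
        self.ok_to_submit = set(ok_to_submit)    # known search robots etc.
        self.thresholds = thresholds
        self.log = []                            # every request, for later review
        self.history = defaultdict(deque)        # per-source request times

    def check(self, src_ip, path, now):
        """Return 'allow' or 'block:<reason>' for one request at time `now`."""
        self.log.append((now, src_ip, path))     # stage 1: log first
        if src_ip in self.ok_to_submit:          # tip: robots skip the thresholds
            return "allow"
        if src_ip in self.blocked:               # stage 2: blocked address list
            return "block:listed"
        hist = self.history[src_ip]              # stage 3: frequency thresholds
        hist.append(now)
        longest = max(window for window, _ in self.thresholds.values())
        while hist and now - hist[0] >= longest:  # forget requests outside any window
            hist.popleft()
        for name, (window, limit) in self.thresholds.items():
            if sum(1 for t in hist if now - t < window) > limit:
                return f"block:{name}"
        return "allow"


def demo():
    """Constructed traffic: one listed address, one robot, one bursting client."""
    f = RequestFilter(blocked={"203.0.113.9"}, ok_to_submit={"198.51.100.7"})
    listed = f.check("203.0.113.9", "/", 0.0)
    robot = [f.check("198.51.100.7", "/", float(i)) for i in range(40)]
    burst = [f.check("192.0.2.5", "/search", i * 0.5) for i in range(40)]
    return {
        "listed": listed,
        "robot_all_allowed": all(r == "allow" for r in robot),
        "burst_blocked_at": burst.index("block:minute"),  # the 31st request
        "burst_last": burst[-1],
        "logged": len(f.log),
    }
```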

Tip #2: As a rule, consider all HTTP requests to be suspect, as they are easily forged. Look deeper for legitimate data.

Tip #3: Treat your web application as the mission critical application it is. Read the logs and spend the appropriate amount of time managing and maintaining your application.

Lior Izik - CEH, GWAS

SQL Injections – The full story

Threat description: SQL injection is a well known threat. Typically either the URL or a screen input form is used to deliver the unwelcome SQL commands. This is an attack that is easy to execute and does not require significant technical skills to perform. The approach is essentially to use a valid input method, where the application expects legitimate input that it embeds in a SQL command, and to instead substitute your own malicious SQL. These commands can be used to steal data, destroy data or just to disrupt database operations.

Threat impact if not remedied: SQL injection can range from purely destructive scripts (drop tables, drop the entire database, alter database content) through to the theft of critical data. Given the current climate of mandatory disclosure of compromised data, this can be extremely destructive to a company's reputation and future revenue flow. This is a very serious vulnerability.

Countermeasure approach: There are a number of steps required to prevent SQL injection. Input validation is the most common approach and can prevent a significant amount of compromise. However there are key steps that need to be taken “under the covers” during the development of the application. The legitimate accounts used to interrogate or update the database cannot be and should not be “over-privileged”. There are also a number of other techniques that can be used during development to prevent these attacks or at the very least reduce the severity and impact of them. An example would be to remove the delete privilege from the application account and instead use a deletion flag built into the database to indicate if a record is to be deleted or otherwise excluded from other application processes (e.g. reporting). Limiting the number of rows that can be acted upon at any one time is another remediation technique we have used. All of the preventative measures obviously require both planning and more development cycles than if they are not built in. However the impact of a SQL injection breach is so significant that the comparative cost of prevention is really quite small and should be considered as a mandatory overhead for all Web Application development efforts.

The different steps we advocate for preventative measures against SQL injection are as follows:

Step 1) protect the database environment – be stingy with permissions and privileges
create accounts with minimum permission for the application to use – drive access permissions right down to the field level within a given table within a given database
use multiple users for differing functions so that you don’t have to use an over-privileged account for any database interaction

Step 2) use the code to protect the data – optimize your SQL for secure interactions
compartmentalize your SQL execution – if you execute all your SQL in an object oriented fashion and import only the results into your application you will have better control over your database
use single quotes for all value insertions, do not use variables for content substitution without encasing them in single quotes (see ‘C’ below for a follow-up to this guideline)
use input validation on all fields to restrict the input of any special SQL characters that allow you to escape from the desired function (e.g. single quotes or semi-colons) and begin new SQL statements – limit it to alphanumeric only where appropriate. This prevents someone from using a close quote and then inserting their own SQL in a data input field
use limit statements in all queries to ensure the minimal number of rows are acted upon for that interaction
for inputs that expect an integer – inspect the input prior to execution to ensure that only integers are entered (you can even establish a range of acceptable integers if appropriate)
in conjunction with restricting privileges and permission you can also design your code to never delete rows but instead deploy a deletion flag on the record to indicate if a record is to be deleted or otherwise excluded from other application processes (e.g. reporting). The added benefit of this is that you can never lose critical data as a result of either a deliberate or even an accidental deletion.
prevent errors from being presented in your production environment. Error messages are necessary during development and contain much useful information. Presenting them in a production environment can allow an attacker, even after a failed attack, to be presented with key information embedded within an error message that can be used in a future exploit.
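The close-quote problem from the list above beside a hardened lookup, as an added example in Python (sqlite3) that is not part of the original post: the hardened version restricts names to alphanumerics, checks integer inputs against a range, caps rows with LIMIT, and filters on a deletion flag instead of ever issuing DELETE. It also binds values as query parameters, which is a stronger form of the single-quote guideline and not something the post itself describes. The table, columns, sample rows and function names are assumptions.

```python
"""SQL injection: vulnerable lookup beside its hardened form (added example,
not the original post's code). Schema, data and names are assumptions."""
import re
import sqlite3

NAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")   # alphanumeric only, assumed length
ID_RE = re.compile(r"[0-9]{1,9}")


def setup():
    """In-memory table with a deletion flag instead of a DELETE privilege."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT,
                               email TEXT, deleted INTEGER NOT NULL DEFAULT 0);
        INSERT INTO customers(name, email) VALUES ('alice', 'a@example.com');
        INSERT INTO customers(name, email) VALUES ('bob', 'b@example.com');
        UPDATE customers SET deleted = 1 WHERE name = 'bob';
    """)
    return db


def lookup_vulnerable(db, name):
    """The post's close-quote problem: raw input is pasted into the statement."""
    sql = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def is_valid_name(name):
    return NAME_RE.fullmatch(name) is not None


def is_valid_id(raw_id, lo=1, hi=10_000):
    """Integer input: digits only, then an assumed acceptable range."""
    return ID_RE.fullmatch(raw_id) is not None and lo <= int(raw_id) <= hi


def lookup_hardened(db, name, page_size=10):
    """Validate, bind the value, exclude flagged rows, cap the row count."""
    if not is_valid_name(name):
        raise ValueError("name must be alphanumeric")
    sql = "SELECT name, email FROM customers WHERE name = ? AND deleted = 0 LIMIT ?"
    return db.execute(sql, (name, page_size)).fetchall()


def soft_delete(db, raw_id):
    """No DELETE: set the flag; other queries filter on deleted = 0."""
    if not is_valid_id(raw_id):
        raise ValueError("id out of range")
    db.execute("UPDATE customers SET deleted = 1 WHERE id = ?", (int(raw_id),))
    return db.execute("SELECT COUNT(*) FROM customers WHERE id = ?",
                      (int(raw_id),)).fetchone()[0]   # the row is still present
```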

Tip: Audit everything - all suspicious SQL statements, the IP address of the attacker, the method used, the variables used within the transaction, the date and time of the attack, and the referring page that sourced the SQL.

Lior Izik - CEH, GWAS