Network Box Advises Organizations to Check Software & Install Security Patches

According to a security advisory from Network Box, SQL Injection attacks, in which attackers feed malicious SQL to an application through its own input to exploit a flaw in that application, are rising steadily, so it is imperative that organizations examine their software for such flaws and make sure their security patches are in place.

Security specialists at Network Box state that SQL Injection attacks are extremely difficult to block at the network perimeter because they arrive through legitimate applications as apparently normal requests. Intrusion detection and prevention systems can stop many known exploits, but they offer only limited protection to custom, in-house software, whose specific flaws no generic signature covers.

Simon Heron, Internet Security Analyst at Network Box, stated that the firm's intrusion detection system could spot known SQL Injection exploits with worm-specific and software-specific protection modules. However, he added that many organizations employed closed or private applications that could not be defended in the same way; therefore, it was necessary that they ensured their applications were secure, as reported by SCMagazine on July 22, 2009.

To illustrate this necessity, Network Box's researchers describe a server running a news search script, say 'news.cgi', which takes a single parameter, 'id', to retrieve a news item from a data source such as a database. The script itself is legitimate, and the database simply executes whatever statement the script hands it.

An attacker exploiting a flaw in the script can alter the 'id' value so that the script issues a different instruction. If the attacker submits 'id=XX;truncate%20table%news' as the 'id', a script that neither validates the parameter nor otherwise defends itself builds a query comparing 'id' with 'XX' and then executes the appended statement, which wipes the entire news table, not just a single item.

The advisory therefore recommends three main techniques for blocking such attacks, in addition to keeping software patches up to date: use 'parameterized' SQL statements, passing values as explicitly declared parameters rather than splicing them into the SQL text; validate every parameter, for example by checking that 'id' is a number; and 'escape' any parameter that must be included in a statement before inserting it.
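As an added illustration, not part of the Network Box advisory or the SPAMfighter article, the script below recreates the 'news.cgi' scenario in Python against an in-memory SQLite database and places the flawed lookup beside the three recommended defences. The table contents are constructed sample data and the function names are my own. SQLite has no TRUNCATE, so the stacked statement used is DELETE FROM news; and because Python's sqlite3 refuses more than one statement per execute() call, the vulnerable path splits the generated SQL on ';' purely to emulate a database driver that accepts stacked statements.

```python
import re
import sqlite3

# Constructed sample data standing in for the news database behind the
# hypothetical 'news.cgi' script; not taken from the advisory.
SAMPLE_NEWS = [
    (1, "Patch Tuesday roundup"),
    (2, "Mass SQL injection wave hits CMS sites"),
    (3, "Network Box issues advisory"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_NEWS)
    return conn


def remaining_rows(conn):
    """Number of rows left in the news table (used to show the damage done)."""
    return conn.execute("SELECT COUNT(*) FROM news").fetchone()[0]


def lookup_vulnerable(conn, raw_id):
    """The flawed news.cgi pattern: the raw 'id' is spliced into the SQL text.

    sqlite3's execute() refuses stacked statements, so the generated text is
    split on ';' and each piece run in turn. This only emulates a DBMS driver
    that accepts stacked statements, which the advisory's
    'id=XX;truncate table news' example requires; it is not a real feature.
    """
    sql = f"SELECT title FROM news WHERE id = {raw_id}"
    cur = conn.cursor()
    titles = None
    for stmt in sql.split(";"):
        cur.execute(stmt)
        if titles is None:  # keep the result of the intended SELECT only
            titles = [row[0] for row in cur.fetchall()]
    return titles


def lookup_parameterized(conn, raw_id):
    """Defence 1: a parameterized statement. The value travels to the database
    separately from the SQL text, so it is only ever compared against id and
    never parsed as SQL; a payload simply matches no row."""
    cur = conn.execute("SELECT title FROM news WHERE id = ?", (raw_id,))
    return [row[0] for row in cur.fetchall()]


def lookup_hardened(conn, raw_id):
    """Defence 2 on top of 1: validate that 'id' is a decimal integer before it
    is bound, rejecting anything else outright instead of passing it on."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError(f"invalid id: {raw_id!r}")
    return lookup_parameterized(conn, int(raw_id))


def escape_literal(value):
    """Defence 3: escape a string that must be spliced into SQL text by doubling
    single quotes and quoting the result. Parameterization is preferable;
    escaping is the fallback where a driver offers no placeholders."""
    return "'" + value.replace("'", "''") + "'"


def search_escaped(conn, keyword):
    """Keyword search built with escape_literal(): an attacker's quote cannot
    close the literal, so injected text stays inside the LIKE pattern.
    (LIKE wildcards in the keyword are a separate concern not handled here.)"""
    sql = "SELECT title FROM news WHERE title LIKE " + escape_literal(f"%{keyword}%")
    return [row[0] for row in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    payload = "2;DELETE FROM news"  # SQLite stand-in for '2;truncate table news'
    conn = make_db()
    print("vulnerable, benign id:", lookup_vulnerable(conn, "2"))
    print("vulnerable, payload:  ", lookup_vulnerable(conn, payload))
    print("rows left after payload:", remaining_rows(conn))
    conn = make_db()
    print("parameterized, payload:", lookup_parameterized(conn, payload))
    print("rows left:", remaining_rows(conn))
    try:
        lookup_hardened(conn, payload)
    except ValueError as exc:
        print("hardened rejected payload:", exc)
    print("escaped search:", search_escaped(conn, "' OR 1=1 --"))
```

Run stand-alone, the vulnerable lookup returns the requested headline for the payload and leaves the table empty, while the parameterized lookup returns nothing and leaves all rows intact, which is why the advisory puts parameterized statements first and treats escaping as the last resort.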


» SPAMfighter News - 8/10/2009
