Four members of the "Xbox Underground" hacker ring have been charged with conspiracy to commit computer fraud and theft of intellectual property valued at more than US$100 million from Microsoft, the U.S. Army, and several gaming software companies, ZDNet reports. The U.S. Department of Justice alleges that between January 2011 and March 2014, the four men hacked into computer systems to steal software and data related to Microsoft's Xbox One gaming console and Xbox Live gaming platform, pre-release copies of popular games, and military software for training helicopter pilots. Two of the four men have pleaded guilty and face up to five years in prison.
Network attacks continue to increase in frequency and impact. Home Depot and Apple are the latest major companies to fall victim. Typically such attacks intrude on network infrastructure by analyzing the organization's environment and collecting information to exploit open ports or vulnerabilities — these incidents also may include unauthorized access to the organization's resources. This may be a passive attack in cases where the purpose is only to learn and gather information from the system, rather than to alter or disable system resources. An active attack occurs when the perpetrator accesses and alters, disables, or destroys resources or data from outside or inside the organization.
The Structured Query Language injection (SQLi) attack depicted in this case is just one type of network attack. Phishing, watering hole, spoofing, denial of service, man in the middle, and botnet are among other types of attacks. All these attacks are invasive and dangerous — like a virtual thief stealing or altering the most valuable information from a person's wallet or purse.
What can auditors learn from this case to help prevent and detect similar incidents in the future? No doubt both Microsoft and the U.S. Army have significant, advanced expertise and resources dealing with such instances, yet they too fell victim. The subject of network attacks and various ways to prevent or mitigate them is vast and complex, but here are a few observations and suggestions that may help auditors address the risks from this type of attack.
SQLi attacks are one of the most common mechanisms used to attack data-driven applications that large public- and private-sector organizations rely on. Research from IBM's X-Force team reports that one-fourth of the breaches in the first half of 2013 can be attributed to this type of attack. SQLi exploits one or more security vulnerabilities in an application's software, typically by inserting malicious SQL statements into an entry field such as a login ID or password field for execution. In essence, SQLi works because these kinds of fields allow SQL statements to pass through and query the database directly, thereby making the database contents available to the attacker.
SQLi prevention and mitigation is complex. Most IT security experts agree that updating an enterprise software development life cycle and all of the related software to prevent these attacks is very costly, and it can take years to achieve a return on investment. Web application and database code reviews, the most thorough approach, are relatively expensive and only produce findings to remedy the attacks, not directly stop them. That is because developers need to prioritize the findings, then spend the necessary time to make the changes and remove insecure sections of code. Until the findings are fixed, the software remains vulnerable. An automated review or assessment, if performed in a production environment, also might have an operational impact and cause a denial of service or create problems with the Web application.
Lower cost alternatives are available. Here are three steps that auditors can perform to help their organization more cost-effectively secure websites and Web applications from SQLi attacks:
- Perform a thorough audit of the organization's websites and Web applications to analyze the present state of security against SQLi and other hacking vulnerabilities. This ought to include both off-the-shelf and custom applications — the latter typically being the more vulnerable as they often do not go through the same rigorous testing and quality assurance processes. Increasingly, organizations are resorting to the use of automated and heuristic Web vulnerability scanners that "crawl" their entire website and automatically check for vulnerabilities to SQLi attacks. For example, the scanner will indicate which URLs and scripts are vulnerable to SQL injection so that code can be fixed immediately.
- Ensure that best practices are used and assessed to design, code, control, and monitor Web applications and all other components of the organization's IT infrastructure. These include:
- Creating and enforcing secure coding guidelines for software developed in-house that requires SQL to be constructed using parameterized queries that differentiate code from data to prevent SQLi attacks.
- Using strong input validation controls to ensure that inputs are sanitized before querying the database.
- Instituting filtering and monitoring tools at the Web application and database levels, including database activity monitoring to help block attacks and detect attack behavior.
- Addressing poor patching and configuration of databases.
- Limiting database privileges, especially avoiding "carte blanche" scenarios that are particularly vulnerable to hacking.
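To make the parameterized-query and input-validation practices above concrete, here is an added example (not code from the original article or from any of the organizations it mentions) that builds a small in-memory user table with Python's standard sqlite3 module and compares a login check that splices the entry field into the SQL string with one that uses placeholders, plus an allow-list check on the login ID as a second layer. The table contents, usernames and the allow-list pattern are constructed for illustration.

```python
import re
import sqlite3

def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Insecure: the untrusted fields are spliced into the statement text, so the
    # database cannot tell where the query ends and the user's input begins.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: placeholders keep code and data separate. The driver passes the
    # values alongside the statement, so quotes in the input are just characters.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# Allow-list for login IDs (assumed policy: letters, digits, '_', '.', '-', max 32).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def login_validated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Defence in depth: reject malformed login IDs before they reach the database,
    # in addition to (never instead of) using a parameterized query.
    if not USERNAME_RE.fullmatch(username):
        return False
    return login_parameterized(conn, username, password)

def demo() -> dict:
    conn = build_db()
    legit = ("alice", "correct horse battery staple")
    # The classic tautology string entered into both login fields.
    injected = ("' OR '1'='1", "' OR '1'='1")
    return {
        "vulnerable_legit": login_vulnerable(conn, *legit),
        "vulnerable_injected": login_vulnerable(conn, *injected),
        "parameterized_injected": login_parameterized(conn, *injected),
        "validated_injected": login_validated(conn, *injected),
        "validated_legit": login_validated(conn, *legit),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'login accepted' if outcome else 'login rejected'}")
```

Running it shows the string-built query accepting the injected input while both hardened checks reject it and still accept the legitimate credentials; the same contrast is what a code review or scanner finding on a real application should lead developers to fix.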
- Perform regular Web security audits after each change and addition to the organization's Web components. This usually consists of two steps: 1) launching an automated scan, and 2) depending on the results and the website's complexity, conducting a manual assessment that informs further configuration of the automated scanner. The point here is that launching an automated Web security scan with typical "out of the box" settings may lead to false positives, waste of time, and frustration. A manual assessment process will create knowledge about the target website to help determine whether the website was appropriately crawled by the automated black box scanner. If the scanner is unable to crawl some parts or parameters of the website, its results cannot be relied on to show that the website is secure. The manual assessment can help better configure the automated scanner. Of course, manual auditing is an appropriate technique, but it should be done in the context of a risk assessment and overall audit planning exercise to target resources, particularly because it demands a high level of expertise, an ability to keep track of considerable volumes of computer code, and knowledge of all the latest tricks of the hacker's trade.
There is a great deal more information available about this topic, so if readers would like to be further informed, please leave a comment below.