If you’ve never heard of an SQL injection, don’t worry; it’s a term that only really entered the public consciousness in the last few years. It describes a way for hackers and other criminals to steal data: an SQL injection lets malicious people inject code of their own into the commands a website sends to its database, and from there they can tamper with the website, for example by sending customer details to somebody outside the company.
Known for the ease with which they’re deployed, SQL injections are something no modern company should ever fall for – it’s a bit like unlocking a car door with a coat hanger – yet British telecoms firm TalkTalk lost 157,000 customer records to the attack in November of last year. Just a few weeks later, the technique took a sinister turn when the details of 6.4 million minors were exposed by an SQL injection on VTech, an electronic toy manufacturer.
But why is this kind of attack possible at all?
One of the reasons why personal computers update so often is to fix or ‘patch’ possible security vulnerabilities. For that reason, even unused and unloved pieces of software need to be kept fully up to date; otherwise, they can be exploited by hackers and malware like Trojans.
The same reasoning explains why major companies succumb to SQL injections. They’re running old software, they haven’t employed an expert to search for security problems in their code, or they’re using solutions that contain web application vulnerabilities that they cannot fix in-house.
In every case, however, there’s a relatively straightforward solution. It’s just a question of manpower and money. It’s easy to forgive a start-up company for not having the capital to hire a security expert but companies like VTech and TalkTalk, which have millions of customers between them, don’t really have much of an excuse.
SQL injections are the second most common security vulnerability for sites using the WordPress platform, only behind cross-site scripting (XSS). If you’re able to avoid XSS and SQL injection vulnerabilities, you’ve eliminated 65% of risks. The risk comes from the fact that plugins “talk” to databases behind the scenes and, without the appropriate data filter in a website’s code, attackers can slip through undetected. This process of filtering and “cleaning” data is known as sanitizing (for database input) and escaping (for outputs).
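To make the difference between input sanitizing, output escaping and a safely built query concrete, here is an added example that is not code from the original article and not WordPress’s own (PHP) API; it uses Python’s standard sqlite3 module, and the customer rows are constructed sample data. It places the vulnerable pattern (request data spliced into the SQL text) beside the fixed one (a parameterized query, which in WordPress is what $wpdb->prepare() provides), and shows that a perfectly legitimate address containing an apostrophe is enough to break the vulnerable version, because the database parses the input as SQL instead of comparing it as data. The is_valid_email() pattern is a hypothetical, deliberately strict check, not a platform function.

```python
import html
import re
import sqlite3

# Constructed sample rows standing in for the customer table a plugin might maintain.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice"),
    ("o'brien@example.com", "Ciaran O'Brien"),   # a legitimate address containing a quote
    ("bob@example.com", "Bob <b>Builder</b>"),    # a stored value containing markup
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (email, name) VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_unsafe(conn, email):
    """The vulnerable pattern: request data is spliced into the SQL text.

    The database parser cannot tell where the data ends and the query resumes, so
    any character it recognises (a quote, a comment marker) changes the query itself
    rather than being compared as data.
    """
    sql = "SELECT email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a parameterized query.

    The SQL text is fixed and the value is passed separately, so it is always treated
    as data. (In WordPress the same guarantee comes from $wpdb->prepare().)
    """
    return conn.execute(
        "SELECT email, name FROM customers WHERE email = ?", (email,)
    ).fetchall()


def is_valid_email(value):
    """Input sanitizing: accept only values shaped like an address before they reach
    the database layer. Hypothetical, deliberately strict pattern used for this example;
    a real site would use its platform's own validator."""
    return re.fullmatch(r"[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", value) is not None


def render_name(name):
    """Output escaping: HTML-escape a stored value before it is placed in a page, so any
    markup stored in the database is displayed as text rather than interpreted."""
    return html.escape(name, quote=True)


def compare_lookups(email):
    """Run the same input through both lookups and report how each one behaves."""
    conn = build_db()
    try:
        lookup_unsafe(conn, email)
        unsafe_outcome = "ran"
    except sqlite3.Error:
        # The input was parsed as SQL: the query broke instead of matching a row.
        unsafe_outcome = "query broken by input"
    return unsafe_outcome, lookup_safe(conn, email)


if __name__ == "__main__":
    for email in ("alice@example.com", "o'brien@example.com"):
        print(email, "->", compare_lookups(email))
    print(render_name("Bob <b>Builder</b>"))
```

The point of the apostrophe case is that no attacker is needed to expose the defect: the unsafe lookup fails on ordinary input because the input has become part of the query, while the parameterized lookup returns the matching row. Sanitizing the input and escaping the output are the two further filters the article describes, and the parameterized query is what stops the database layer itself from being reprogrammed.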
The WordPress ecosystem is secure but security varies greatly across individual sites, given that the platform allows for custom CSS, XML and SQL. Therefore, stopping SQL injections on WordPress involves getting acquainted with a site’s code.
The availability of web application firewalls (WAFs) and WordPress security plugins can alleviate at least some of the concerns associated with running an online service by filtering out nefarious traffic. This kind of solution uses heuristic analysis to examine connections for malicious intent. WAFs also operate outside applications, meaning that they don’t require code re-writes or complex integration procedures to function. Whether to adopt such a solution remains a decision for each individual company, though some cloud-hosted WAFs are available even to individual bloggers.
The concern is that many brands evidently don’t place a premium on keeping their customers’ details safe. It’s a bit of a cynical point but there are some frightening statistics around the scale and regularity of attacks out there (SQL injection and otherwise), with Yahoo alone losing an incredible half a billion records in 2014.
With increasing affordability, WAFs and similar applications stand as the primary defense against SQL injections but regulators and governments also need to take steps to ensure that companies comply with a basic security standard, possibly scaled according to their size and income. The issue at present is that only failsafes such as monetary fines exist, rather than groundwork for protecting users against online criminals. The continued sanctity of customer details requires a sea-change in attitudes towards database security that is unlikely to be achieved naturally.