﻿<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title>shawnbass.com - Security blog</title>
    <description>Anything related to information security, including vulnerabilities, exploits, patching, etc.</description>
    <link>http://www.shawnbass.com/Blogs/tabid/58/BlogId/3/Default.aspx</link>
    <language>en-US</language>
    <managingEditor>shawn@shawnbass.com</managingEditor>
    <webMaster>shawn@shawnbass.com</webMaster>
    <pubDate>Thu, 29 Jul 2010 13:43:59 GMT</pubDate>
    <lastBuildDate>Thu, 29 Jul 2010 13:43:59 GMT</lastBuildDate>
    <docs>http://backend.userland.com/rss</docs>
    <generator>Blog RSS Generator Version 3.5.0.35082</generator>
    <item>
      <title>Lots of SQL injection flying around the internet...Are you performing input field validation?</title>
      <description>&lt;p&gt;For those not familiar with SQL injection, it is, in its simplest form, a method of injecting a SQL statement into a database server by hiding it in a web parameter.  There's a more detailed explanation &lt;a href="http://www.nextgenss.com/papers/advanced_sql_injection.pdf"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Anyway, I wanted to throw together a quick blog entry on this because SQL injection is a very common issue that affects a large number of public websites.  Most of the webmasters are not even aware that their web site exposes them to SQL injection.  Recently, there's been a &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyId=17&amp;articleId=9080580&amp;intsrc=http://www.shawnbass.comhm_topic"&gt;flurry&lt;/a&gt; &lt;a href="http://blog.washingtonpost.com/securityfix/2008/04/hundreds_of_thousands_of_micro_1.html"&gt;of&lt;/a&gt; &lt;a href="http://www.pcworld.com/article/id,145151-c,hackers/article.html"&gt;activity&lt;/a&gt; &lt;a href="http://isc.sans.org/diary.html?storyid=4139"&gt;and&lt;/a&gt; &lt;a href="http://ddanchev.blogspot.com/2008/04/united-nations-serving-malware.html"&gt;news&lt;/a&gt; on the Internet about a large number of SQL injection attacks that are being used to spread malware.&lt;/p&gt;
&lt;p&gt;This particular form of SQL injection appears to have been done by a bot and it also appears that most of the sites were targeted by their page rank in search engines.  Hah!  Sometimes it pays to be the little guy.  Anyway, there are various mentions on the Internet on how to know if you've been compromised so I'm not going to go into that.  What I would like to bring up is that this is NOT a Microsoft problem per se.  It's a problem with poorly written web applications, which one could possibly attribute to Microsoft for making development so easy but I don't think that helps the situation.  Microsoft did publicly acknowledge this issue &lt;a href="http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx"&gt;here&lt;/a&gt; and stated that it's not a particular vulnerability with IIS or SQL (which is actually true).  However, what they don't state is that this is a developer education issue and people need to start taking responsibility for teaching their developers safe coding practices.&lt;/p&gt;
&lt;p&gt;For those interested in learning more about SQL injection, check out the links I posted above.  Also check out some of the SQL injection toolkits located &lt;a href="http://michaeldaw.org/diary/sql-injection-toolkit/"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Finally, for information on how to combat SQL injection, here are a few things that may help:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx"&gt;Scott Guthrie on Guarding Against SQL Injection&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://msdn.microsoft.com/en-us/library/ms998271.aspx"&gt;MSDN Patterns &amp; Practices on How-To Protect Against SQL Injection in ASP.NET&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;One final thing:  While most of this article talks about things from a Microsoft ASP/SQL point of view, SQL injection is not exclusive to Microsoft products and can occur on a variety of web and SQL platforms.  Things just tend to get a bit more sensationalized when dealing with MS products.&lt;/p&gt;</description>
      <link>http://www.shawnbass.com/Blogs/tabid/58/EntryId/134/Lots-of-SQL-injection-flying-around-the-internet-Are-you-performing-input-field-validation.aspx</link>
      <author>shawn@shawnbass.com</author>
      <comments>http://www.shawnbass.com/Blogs/tabid/58/EntryId/134/Lots-of-SQL-injection-flying-around-the-internet-Are-you-performing-input-field-validation.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.shawnbass.com/Blogs/tabid/58/EntryId/134/Lots-of-SQL-injection-flying-around-the-internet-Are-you-performing-input-field-validation.aspx</guid>
      <pubDate>Tue, 29 Apr 2008 21:56:57 GMT</pubDate>
      <slash:comments>0</slash:comments>
      <trackback:ping>http://www.shawnbass.com/DesktopModules/Blog/Trackback.aspx?id=134</trackback:ping>
    </item>
    <item>
      <title>Whole Disk Encryption ineffective?</title>
      <description>&lt;p&gt;There's a lot of buzz in the security industry right now after a paper was published by some researchers from Princeton University that demonstrates how whole disk encryption systems can be completely thwarted by obtaining the encryption keys from a laptop's RAM.  How is this possible?  Well, when an Operating System is in sleep mode the decryption keys are stored in memory to allow the operating system to boot back up and continue accessing the encrypted disk.  In addition, different RAM chips decay their memory contents at different rates when power has been removed from the RAM chips.  Cooling the RAM chips can slow that decay rate upwards of 10 minutes by using a simple air duster can turned upside down.  Once the RAM chips are cooled, their contents can be dumped by booting to a USB disk with memory extraction tools, or if you're unable to change the boot order, the chips can be removed and transferred to another system where the contents of the RAM chips can be extracted.  Once the contents of RAM are extracted, code can be run to retrieve the encryption keys which can then be used to decrypt data off the disk.  Scary, eh?&lt;/p&gt;
&lt;p&gt;The original paper by the Princeton researchers can be found &lt;a href="http://citp.princeton.edu.nyud.net/pub/coldboot.pdf"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;There's also coverage of the issue by the SANS ISC &lt;a href="http://isc.sans.org/diary.html?storyid=4006"&gt;here&lt;/a&gt; (including a video that demos the issue) and &lt;a href="http://isc.sans.org/diary.html?storyid=4024"&gt;here&lt;/a&gt; (provides guidance for known whole disk encryption software).&lt;/p&gt;
&lt;p&gt;Currently known affected products are Microsoft Bitlocker, Apple's FileVault, and TrueCrypt.  At the &lt;a href="http://isc.sans.org/diary.html?storyid=4024"&gt;second ISC link&lt;/a&gt;, there's information that PGP WDE and Utimaco SafeGuard are also vulnerable.  No news yet from CheckPoint PointSec.  However, one would assume that almost all whole disk encryption vendors would be vulnerable to this.&lt;/p&gt;
&lt;p&gt;How do you safeguard against it?  Power down your system instead of sleeping or hibernating.&lt;/p&gt;</description>
      <link>http://www.shawnbass.com/Blogs/tabid/58/EntryId/120/Whole-Disk-Encryption-ineffective.aspx</link>
      <author>shawn@shawnbass.com</author>
      <comments>http://www.shawnbass.com/Blogs/tabid/58/EntryId/120/Whole-Disk-Encryption-ineffective.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.shawnbass.com/Blogs/tabid/58/EntryId/120/Whole-Disk-Encryption-ineffective.aspx</guid>
      <pubDate>Tue, 26 Feb 2008 15:48:11 GMT</pubDate>
      <slash:comments>0</slash:comments>
      <trackback:ping>http://www.shawnbass.com/DesktopModules/Blog/Trackback.aspx?id=120</trackback:ping>
    </item>
    <item>
      <title>HD Moore begins first steps to make iPhone a powerful hacking platform</title>
      <description>HD Moore's &lt;a href="http://www.metasploit.com/"&gt;Metasploit&lt;/a&gt; is an invaluable free tool that's used by many to perform penetration testing of their systems.  Recently, HD blogged about buying an iPhone and beginning the process of porting pieces of the Metasploit platform to the iPhone.  What does this mean?  It means a portable handheld pentesting platform!  Perhaps HD should get a copyright on iSploit now &lt;img src="/Portals/_default/Smileys/wink.gif" border="0"&gt;&lt;br&gt;&lt;br&gt;Read the entire blog entry &lt;a href="http://blog.metasploit.com/2007/09/root-shell-in-my-pocket-and-maybe-yours.html"&gt;here&lt;/a&gt;.  Good times ahead!&lt;br&gt;</description>
      <link>http://www.shawnbass.com/Blogs/tabid/58/EntryId/71/HD-Moore-begins-first-steps-to-make-iPhone-a-powerful-hacking-platform.aspx</link>
      <author>shawn@shawnbass.com</author>
      <comments>http://www.shawnbass.com/Blogs/tabid/58/EntryId/71/HD-Moore-begins-first-steps-to-make-iPhone-a-powerful-hacking-platform.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.shawnbass.com/Blogs/tabid/58/EntryId/71/HD-Moore-begins-first-steps-to-make-iPhone-a-powerful-hacking-platform.aspx</guid>
      <pubDate>Wed, 26 Sep 2007 13:21:41 GMT</pubDate>
      <slash:comments>0</slash:comments>
      <trackback:ping>http://www.shawnbass.com/DesktopModules/Blog/Trackback.aspx?id=71</trackback:ping>
    </item>
    <item>
      <title>DefCon 15: Day 1 Wrap-up</title>
      <description>DefCon 15 Day 1 review&lt;a href=http://www.shawnbass.com/Blogs/tabid/58/EntryId/49/DefCon-15-Day-1-Wrap-up.aspx&gt;More...&lt;/a&gt;</description>
      <link>http://www.shawnbass.com/Blogs/tabid/58/EntryId/49/DefCon-15-Day-1-Wrap-up.aspx</link>
      <author>shawn@shawnbass.com</author>
      <comments>http://www.shawnbass.com/Blogs/tabid/58/EntryId/49/DefCon-15-Day-1-Wrap-up.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.shawnbass.com/Blogs/tabid/58/EntryId/49/DefCon-15-Day-1-Wrap-up.aspx</guid>
      <pubDate>Fri, 10 Aug 2007 02:43:17 GMT</pubDate>
      <slash:comments>3</slash:comments>
      <trackback:ping>http://www.shawnbass.com/DesktopModules/Blog/Trackback.aspx?id=49</trackback:ping>
    </item>
    <item>
      <title>Just returned from DefCon 15 - As usual it was a great conference</title>
      <description>While I've still not caught up (READ: recovered) from the 3 day conference in Las Vegas, I can definitely say that I'm glad I went.  I don't have all of my thoughts organized yet on the sessions that I attended, but over the coming days I'll be blogging on a &lt;a href="http://www.defcon.org/"&gt;DefCon 15&lt;/a&gt; wrap up where I'll cover my perspective on the sessions that I attended...and those that I walked out of &lt;img src="/Portals/_default/Smileys/wink.gif" border="0"&gt;  Stay tuned.&lt;br&gt;</description>
      <link>http://www.shawnbass.com/Blogs/tabid/58/EntryId/48/Just-returned-from-DefCon-15-As-usual-it-was-a-great-conference.aspx</link>
      <author>shawn@shawnbass.com</author>
      <comments>http://www.shawnbass.com/Blogs/tabid/58/EntryId/48/Just-returned-from-DefCon-15-As-usual-it-was-a-great-conference.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.shawnbass.com/Blogs/tabid/58/EntryId/48/Just-returned-from-DefCon-15-As-usual-it-was-a-great-conference.aspx</guid>
      <pubDate>Mon, 06 Aug 2007 18:52:49 GMT</pubDate>
      <slash:comments>1</slash:comments>
      <trackback:ping>http://www.shawnbass.com/DesktopModules/Blog/Trackback.aspx?id=48</trackback:ping>
    </item>
    <item>
      <title>Google Adsense vulnerable to CSRF (Stealing your Adsense account)</title>
      <description>&lt;P&gt;&lt;FONT face="Times New Roman"&gt;I came across this &lt;A href="http://www.jungsonnstudios.com/blog/?i=213&amp;bin=11010101" target=_blank&gt;blog post&lt;/A&gt; on Jungsonn Studio's blog the other day where they demonstrate how Google Adsense is vulnerable to a type of cross-site scripting attack: when the suspect JavaScript code is executed and you visit your Adsense account in another browser tab, they are able to switch your Adsense account over to them.  Pretty interesting find, and it really makes you think about all the times that you authenticate into a variety of different sites within different browser tabs all the while having done lots of surfing of other pages (of which you don't know that you can trust).  It's definitely something that all of the bloggers out there that use Google Adsense should be thinking about when they pop into their account from a browser tab &lt;IMG src="/Portals/_default/Smileys/wink.gif" border=0&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face="Times New Roman"&gt;Shawn&lt;/FONT&gt;&lt;/P&gt;</description>
      <link>http://www.shawnbass.com/Blogs/tabid/58/EntryId/13/Google-Adsense-vulnerable-to-CSRF-Stealing-your-Adsense-account.aspx</link>
      <author>shawn@shawnbass.com</author>
      <comments>http://www.shawnbass.com/Blogs/tabid/58/EntryId/13/Google-Adsense-vulnerable-to-CSRF-Stealing-your-Adsense-account.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.shawnbass.com/Blogs/tabid/58/EntryId/13/Google-Adsense-vulnerable-to-CSRF-Stealing-your-Adsense-account.aspx</guid>
      <pubDate>Thu, 05 Apr 2007 19:24:59 GMT</pubDate>
      <slash:comments>1</slash:comments>
      <trackback:ping>http://www.shawnbass.com/DesktopModules/Blog/Trackback.aspx?id=13</trackback:ping>
    </item>
    <item>
      <title>Microsoft releases out of band patch (MS07-017) for Animated Cursor vulnerability</title>
      <description>MS07-017 is a re-release of an earlier patch against a vulnerability in Animated Cursors.  Apparently when the code was created for the first fix, the rest of the code wasn't audited and another vulnerability was recently found.  The patch can be found on Microsoft's website over &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms07-017.mspx"&gt;here&lt;/a&gt;.&lt;br&gt;&lt;br&gt;This vulnerability affects all versions of Windows from 2000 through Vista, so you'll definitely want to patch this one.  Also, there are at least 4-5 public exploits available for this one.  You can be certain that it's being exploited in the wild.&lt;br&gt;&lt;br&gt;Shawn&lt;br&gt;</description>
      <link>http://www.shawnbass.com/Blogs/tabid/58/EntryId/8/Microsoft-releases-out-of-band-patch-MS07-017-for-Animated-Cursor-vulnerability.aspx</link>
      <author>shawn@shawnbass.com</author>
      <comments>http://www.shawnbass.com/Blogs/tabid/58/EntryId/8/Microsoft-releases-out-of-band-patch-MS07-017-for-Animated-Cursor-vulnerability.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.shawnbass.com/Blogs/tabid/58/EntryId/8/Microsoft-releases-out-of-band-patch-MS07-017-for-Animated-Cursor-vulnerability.aspx</guid>
      <pubDate>Tue, 03 Apr 2007 20:37:17 GMT</pubDate>
      <slash:comments>1</slash:comments>
      <trackback:ping>http://www.shawnbass.com/DesktopModules/Blog/Trackback.aspx?id=8</trackback:ping>
    </item>
    <item>
      <title>The Metasploit Project has officially released version 3.0 of the Framework</title>
      <description>&lt;P&gt;The Metasploit Project has just officially released version 3.0 of the framework on their website.  3.0 is a complete rewrite of the framework and is written in Ruby.  It currently contains 177 exploits, 104 payloads, 17 encoders, and 3 nop modules.  It is a fantastic tool for penetration testing, and best of all -- it's completely free.&lt;/P&gt;
&lt;P&gt;Read their blog entry on the news of the 3.0 release &lt;A href="http://blog.metasploit.com/2007/03/metasploit-framework-30-released.html" target=_blank&gt;here&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;And get yourself a copy of Metasploit 3.0 over &lt;A href="http://sugar.metasploit.com/" target=_blank&gt;here&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Enjoy!&lt;/P&gt;
&lt;P&gt;Shawn&lt;/P&gt;</description>
      <link>http://www.shawnbass.com/Blogs/tabid/58/EntryId/6/The-Metasploit-Project-has-officially-released-version-3-0-of-the-Framwork.aspx</link>
      <author>shawn@shawnbass.com</author>
      <comments>http://www.shawnbass.com/Blogs/tabid/58/EntryId/6/The-Metasploit-Project-has-officially-released-version-3-0-of-the-Framwork.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.shawnbass.com/Blogs/tabid/58/EntryId/6/The-Metasploit-Project-has-officially-released-version-3-0-of-the-Framwork.aspx</guid>
      <pubDate>Tue, 27 Mar 2007 16:50:37 GMT</pubDate>
      <slash:comments>1</slash:comments>
      <trackback:ping>http://www.shawnbass.com/DesktopModules/Blog/Trackback.aspx?id=6</trackback:ping>
    </item>
  </channel>
</rss>