greetings programs

’ or 1=1;--

Mon, 16 Mar 2009 10:15:26 +0000

On the 11th of December 2008 I posted on the topic of a forthcoming book that I have been involved with. Well, the book has now gone to production and should be hitting the shelves in May of 2009. The book is called "SQL Injection Attacks and Defense", from Syngress.

The author list is as follows (in alphabetical order):
• Justin Clarke - Director Gotham Digital Science Ltd.
• Dave Hartley - Me!
• Joe Hemler - Gotham Digital Science Ltd
• Alexander Kornbrust - CEO of Red Database Security
• Rodrigo Marcos - author of TAOF
• Haroon Meer - Technical Director at Sensepost
• Gary Oleary-Steele - author of Automagic SQL Injector
• Alberto Revelli - author of sqlninja
• Marco Slaviero - primary author of Squeeza
• Dafydd Stuttard - author of Burp Suite and the WAHH

A well respected and knowledgeable bunch, even if I do say so myself! It was a long hard slog, with lots of hours given to the project from all, so I hope you enjoy the fruits of our labour.

SQL Injection Attacks and Defense

Thu, 11 Dec 2008 14:04:45 +0000

As you may or may not know, I am currently helping to write a book on the subject of SQL injection (SQli). I will be contributing two chapters to the book.

Chapter 1 -- What is SQL Injection?
Chapter 3 -- Reviewing Code for SQL Injection.

I have almost finished writing Chapter One and have yet to start Chapter Three. My deadline for submission is the end of January, so imagine my surprise when I learned that the book is now available to order! I better hurry up and finish my chapters then ;)

The description of the book is currently fantasy and wildly inaccurate, also my bio and the bio's for the rest of the team are not yet up. We are currently working with Syngress (the publisher) to get this sorted. The book cover is also going to be *hopefully* a lot cooler than what they have put up at the moment, but I suppose we should finish the book before worrying about the graphics.

FOSS v COTS

Tue, 21 Oct 2008 14:39:07 +0100

Recently I was asked my opinion on an age old argument, FOSS v COTS, this has reared it’s head again as apparently an increasing number of financial services organisations are looking at deploying Free Open Source Software (FOSS) as an alternative to traditional proprietary and closed source software solutions.

One good example of this move, according to financial technology researchers Finextra, is the transatlantic exchange Nyse Euronext who migrated their electronic trading infrastructure to the Linux operating system under a deal with open source vendor Red Hat in May of this year, citing a combination of improved speed, cost, reliability and functionality as a reason for the move.

The most well known examples of FOSS are the Linux operating system, Apache web server and the mySQL database server. An example of the closed source alternatives to the afore mentioned FOSS would be the Windows operating system, Internet Information Server (IIS) and the Microsoft SQL server (MSSQL). All of the software mentioned (both closed and open source) has suffered from exploitable security vulnerabilities over the years.

Any search engine query will turn up articles examining the computer security dangers of closed source versus open source software. One of the most popular arguments is that FOSS allows many people to scrutinize the code in order to identify vulnerabilities. This allows security researchers and programmers to responsibly disclose the presence of the issue to the group responsible for the development of the project so that they can resolve the issue. However, an attacker could also discover a security issue and then potentially exploit the vulnerability. The fact is, that just because FOSS is publicly available for scrutiny, does not mean that the public will actually spend the time and effort contributing to the project or examining the code, it also does not mean that those that do, are sufficiently skilled in performing source code reviews or capable of identifying potential security vulnerabilities.

The reality is that a move to FOSS does not automatically result in a more secure IT infrastructure and does not expose the systems or the organisation to any more or less risk than a system that relies solely on a closed source and proprietary solution. In order to truly ascertain the risk exposure of any system it is recommended that a formal risk assessment should be performed by a reputable and qualified security consultancy as well as a technical security audit of the systems. The chosen consultancy should then be able to provide a report against any identified security issues and deviations that result in non-conformities to industry best practices with an assessment of their impact and a proposal for mitigation or technical remedy. The consultancy should be able to assist in securing FOSS, closed source and hybrid systems.

CERN website defaced

Tue, 21 Oct 2008 14:30:25 +0100

CERN's (European Organization for Nuclear Research) website was recently defaced by Greek hackers. It is believed that the hackers managed to exploit a vulnerability in the Content Management System (CMS) for the web site. A CMS is a computer application used to create, edit, manage, and publish content to a website, without having to have an in-depth understanding of or ability to code in HTML. CERN have stated that they were very alarmed and worried about the attack as it may have been possible for the hackers to use the web server as a stepping stone to interconnected networks, specifically the computer control system for the vast detector a component of the Large Hadron Collider (LHC), the machine that is going to provide the answer to the universe and show us some god particles.

CERN made the hackers job very easy. CERN make publicly available a lot of web content, including wikis. A wiki is a collection of web pages designed to enable anyone who accesses it to contribute or modify content. Wikis are often used to create collaborative websites and to power community websites. A number of CERN wiki's that are dedicated to helping the development of CERN projects (including the CMS) are available to the public online (if you know where to look).

There is a wealth of information that can be gleaned from these sites, such as bugs within various project applications, support calls that contain information with regards to IP addressing, network issues, versions of software in use etc. This information is invaluable to an attacker looking to better profile a target for potential exploitable vulnerabilities. This information can be found using a few customised google searches. There is no business justification for this information to be publically available, it should be on an internal intranet and/or protected through adequate access control. A lot of organizations unwittingly expose similar amounts of information about themselves, through information leakage, this is not just an issue that effects CERN.

The press have made a headline story out of the web sites defacement. Defacing a web site is a very noisy and noticeable action and is usually performed by 'script kiddies' to score points and respect amongst other hacker groups. More serious and motivated attackers do not want to draw attention to there actions. It is perfectly feasible that a more sophisticated and skilled attacker may have previously exploited the CERN systems to gain access and compromise the interconnected systems. Without knowing exactly how CERN infrastructure is configured and deployed, this is purely speculative, however I have seen this situation many times. Without being subject to a full incident response assessment and forensic examination, CERN may never know if there systems have been previously exploited or if hackers currently have a back door into their systems.

The CERN website was compromised by the use of a web application attack. Web applications and their supporting infrastructure and environments use diverse technologies and can contain a significant amount of bespoke and customised code. The very nature of their feature rich design and their ability to collate, process and disseminate information over the Internet or from within an Intranet makes them a popular target for attack. Also, since the network security technology market has matured and there are fewer opportunities to breach information systems through network based vulnerabilities; hackers are increasingly switching their focus to attempting to compromise applications.

The CERN could have avoided this situation if they had contracted an independent security consultancy to assess their systems before they were exposed to the Internet. Many organisations trust their application providers and developers to have implemented effective application security. Although many developers use standard frameworks and take application security seriously, their primary aim is functionality and delivering a working application. There is no substitute for an independent assessment from an organisation that is focused on security and experienced in assessing risk.

T2 08 .fi

Sun, 19 Oct 2008 13:31:21 +0100

I attended T2 in Helsinki Finland, it rocked! Seriously. I’d like to thank Tommi and Jussi for being hospitable as always and to express my gratitude for the large amounts of salmiakki that they *forced* me to drink.

A Day in the Life of a Hacker (Adam Laurie) was a brilliant talk, it was the right level of techy hacker l33tness and humour. Great for hotel phun and games, and free pr0n ;)

Now you see it, Now you don’t - Obfuscation for fun and profit! and Solving the T2'08 Challenge (Nishad Herath) were two very technical and interesting l33t talks, Nishad is an excellent presenter and a very skilled guy. Some of his insights and predictions for malware and custom trojan code evolutions are very worrying. Especially as I would regard him as one of the best reverse engineers I know and he doesn’t believe there is a solution to some of the issues raised!

Definitely a con that is worth checking out in 2009. Finland is a great place and the con is a very personal, small and friendly affair, a breath of fresh air compared to the more commercial options ;)