Jul 22
Yeah! If you were wondering why I wanted to know who discovered SQL injections, it was to nominate a "Pwnie for Mass 0wnage". And it was accepted:
SQL injection in more than 500,000 web sites
Discovered by: Rain Forest Puppy back in 1998
SQL injection attacks are not new, but this year we saw an upsurge in the number of automated attacks against vulnerable websites. Reportedly more than half a million websites were compromised.
Although I see they went all conservative on the numbers (500k, *psccht*). ShadowServer has nearly 500k from the nihaorr1.com injection alone. Anyone with contacts please correct them.
Posted by Dominic White
Jul 19
Schneier once proposed a vulnerability life cycle in a Crypto-Gram newsletter. He was wrong. During the time of writing my thesis, there were several important pieces of research no-one had put together to come up with a 'more correct' vulnerability life cycle. Given some recent discussions between Symantec and Verizon, I thought I would provide this in a more accessible format than a previous presentation I did on the subject, so that I could refer to it later.
The benefit of understanding the life cycle is that it provides a model to 'predict' the behaviour of the various role players (e.g. bad guys, vendors and administrators) and to understand how that behaviour impacts on important parts of the risk management equation, such as vulnerability, threat and impact. This is an important building block of any threat model.
The detail after the jump.
Continue reading "Vulnerability Life Cycle"
Posted by Dominic White
Last modified on 2008-07-19 23:04
Jul 18
Some older versions of SELinux and OpenSSH compiled to support it allow you to log in with an arbitrarily chosen SELinux role. You'll need a valid account, and some fairly undefined conditions, but the attack is:
ssh -l <username>:/<chosen role> <host>
Haven't seen a (potential) stuff-up like that since the MIT Kerberos telnet daemon flaw (which was significantly worse). I'd like to think that people who've gone to the effort of setting up SELinux also patch regularly. Source, milw0rm.
I am interested in this because it is dreadfully simple, has some weird implications for how SSH and SELinux interact, and there is scant information about this. Maybe a few more eyes can uncover something.
Disclaimer: I haven't tested this. The author only tested it on a limited subset and it didn't work on up-to-date distros.
Update: Explained my motivations and the authority (or lack thereof) of the exploit, thanks to foobar's comments.
Posted by Dominic White
Last modified on 2008-07-21 08:27
Jul 15
I never remember how to do this, so for my own personal blog-memory:
rsync --partial --progress --rsh="ssh -p <remote ssh port>" <from file> <partially downloaded file>
- The --rsh parameter can contain all of your normal ssh command line-fu such as keys, options, ports etc. (Who runs public ssh on port 22 these days anyway?)
- The <from> and <to> follow the normal SCP format of <username>@<hostname>:<filename> or just <filename> for the local copy.
Posted by Dominic White
Jul 15
SQL injection was first described by Rain Forest Puppy (rfp) in a merry Christmas of an article entitled "NT Web Technology Vulnerabilities", published in Phrack Magazine, Volume 8, Issue 54 on December 25th, 1998. He didn't actually call it SQL injection yet; that honour goes either to SANS or to Chip Andrews in 2001. Source, Litchfield.
Here's the beginning of his summary, from the section entitled "ODBC and MS SQL server 6.5":
- WHAT'S THE PROBLEM? MS SQL server allows batch commands.
- WHAT'S THAT MEAN? I can do something like:
SELECT * FROM table WHERE x=1 SELECT * FROM table WHERE y=5
Exactly like that, and it'll work. It will return two record sets, with each set containing the results of the individual SELECT.
- WHAT'S THAT REALLY MEAN? People can possibly piggyback SQL commands into your statements. Let's say you have:
SELECT * FROM table WHERE x=%%criteria from webpage user%%
Now, what if %%criteria from webpage user%% was equal to:
SELECT * FROM sysobjects
It would translate to:
SELECT * FROM table WHERE x=1 SELECT * FROM sysobjects
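To make rfp's point concrete, here is an added example (my own code, not from the Phrack article) that replays the piggyback against an in-memory sqlite database, with a constructed table "t" standing in for his "table" and sqlite's catalogue table sqlite_master playing the role of sysobjects, then shows the parameterised form that treats the same input as a plain value.

```python
import sqlite3


def make_db():
    # Constructed fixture: "t" stands in for rfp's "table"; sqlite's own
    # catalogue table sqlite_master plays the role of MS SQL's sysobjects.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (x INTEGER, name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", [(1, "one"), (2, "two")])
    conn.commit()
    return conn


def build_concatenated(criteria):
    # The 1998 anti-pattern: text from the web page is pasted into the statement.
    return "SELECT * FROM t WHERE x=" + criteria


def run_batch(conn, criteria):
    """Execute the pasted-together text as a batch, one record set per statement.

    sqlite refuses more than one statement per execute(), so the batch is split
    here on ';' (a naive split, adequate for the constructed input) to mimic a
    server that accepts batches the way MS SQL 6.5 did.
    """
    record_sets = []
    for statement in build_concatenated(criteria).split(";"):
        if statement.strip():
            record_sets.append(conn.execute(statement).fetchall())
    return record_sets


def run_parameterised(conn, criteria):
    # The fix: the criteria is bound as a single value and never parsed as SQL,
    # so a piggybacked SELECT is just a string that matches no row.
    return conn.execute("SELECT * FROM t WHERE x=?", (criteria,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(run_batch(db, "1"))                                   # one record set
    print(run_batch(db, "1; SELECT name FROM sqlite_master"))   # two record sets
    print(run_parameterised(db, "1; SELECT name FROM sqlite_master"))  # []
```

The second run_batch call returns two record sets, the second of which lists the catalogue, which is exactly the behaviour rfp describes; the parameterised query returns nothing for the same input.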
Posted by Dominic White
Last modified on 2008-07-15 09:53
Jul 14
It's official, I'm going to Black Hat and Defcon this year. I'm very excited. A *huge* thank you to the SensePost guys who are sorting me out only proper. Make sure you go to their training. We've also pulled together a fairly decent Deloitte contingent.
I'll be there from the 29th of July to the 11th of August if all goes off according to plan. Give me a shout if you want to meet up, or if you have invitations to sexy parties.
Posted by Dominic White
Last modified on 2008-07-15 07:59
Jul 14
If you've decided you want to make better coffee, here are my tips for the changes that will yield the biggest results. These aren't comprehensive, just some quick tips for quickly making better coffee.
- Don't use instant, use proper Arabica grounds.
- Espresso is the best, then French press, then percolator. A Moka Express or Brikka are quick ways to get into espresso.
- Use hot milk. This makes a big difference in taste, 30-40s in the microwave should do it. A French Press can be used with hot milk to make decent froth for cappuccino too.
- Grind your own beans. A grinder is cheap, and freshly grinding your own beans just before you make a cup makes a subtle increase in flavour. Remember to store your beans in an airtight container in a cool dry place (not the fridge).
Posted by Dominic White
Jul 14
After 4 years I have finally decided to change my theme. It is very Mac OSX oriented, but I just like it so much. I've also removed a Gig of spam block logs from the DB, so it should be a bit snappier. Finally, I figured out why Google hates me, I somehow didn't run a DB upgrade script on the last blog upgrade, and a ton of links weren't working. They are now.
Posted by Dominic White
Last modified on 2008-07-17 21:30
Jul 8
This will be fun to watch. Dan Kaminsky has sort-of published not-so-sekret ways to break DNS. Patches have been released to make things more random. "Full" disclosure at BlackHat.
From ISC:
"The method used makes it harder to spoof answers to a resolver by expanding the range of UDP ports from which queries are sent, thereby increasing the variability of parameters in outgoing queries."
I laughed with mirth and glee at the Emergent Chaos comment:
"DJBdns is in fact not affected as DJB had already implemented port randomness even though he didn't know it was an issue."
This means *all* DNS (except DJBdns) is vulnerable, many vendor patches to follow. Although, DNSSEC is the *right* answer.
Posted by Dominic White
Jun 30
The South African Police Services have released the crime stats for the last financial year. I still need to wrap my head around the numbers, as many of the categories don't seem discrete, or intuitive. However, I think the executive summary contains some good insight into the 'threat landscape'. It also backs up several of my 'gut feel' assertions about crime in SA. However, as Russell points out, there may be an independence issue, as the report is "written by the guys whose job is on the line", and I haven't found any information on how the stats were independently verified. I've culled some sections from the executive summary and given them my own headings, formatting and order. Whatever your take on crime in SA, these stats are a good read, and certainly more likely to be accurate, even with bias, than the eight year old drivel on Wikipedia.
Continue reading "SA Crime Stats 2008"
Posted by Dominic White
Last modified on 2008-07-01 08:13
Jun 25
Microsoft has released a security advisory detailing three ways to respond to the SQL injection attacks. This advisory doesn't cover a patch, just three tools:
- HP Scrawlr is a lightweight version of HP's WebInspect that will look for SQL injection flaws. I love that they used the Bobby Tables XKCD comic.
- A new version of UrlScan (3.0 beta), the IIS equivalent of mod_security.
- A source code analyser which will identify SQL injection vulns, although it currently only works for ASP and not ASP.NET.
That's pretty awesome, although, as always, these should be used to aid clue, not replace it.
Posted by Dominic White
Jun 22
We had our second Johannesburg GeekDinner yesterday. We're keeping it small until we build a dedicated team/community, so it was more of a GeekLunch. Unfortunately, I missed Yusuf's talk, on why CSS is rubbish, due to a mistimed afternoon nap, but Tristan's on per-user app DBs for scalability was certainly an interesting challenge to the status quo, and his knowledge certainly carried him through his last minute volunteering. I did some live demoing of 0wning a browser with XSS Proxy. We got some serious geek all over the place, which was great, and I think this will grow into something good. Shehnaaz's hand made (from scratch) pizzas were amazing, and she was a gracious host along with Yusuf. The next one has been planned, but we're keeping it invite only until we have it more stable, thanks to nVent for volunteering.
Posted by Dominic White
Last modified on 2008-06-22 20:22
Jun 6
Over the last few weeks, we have seen a set of incredibly uncomplicated and simple attacks effectively compromise several hundred South African web pages, and several million internationally. Many of the South African sites compromised were important; including major media organisations, several government institutions, large mining houses and even one information security company, who still have not removed the pie from their face. The intention of the attacks was to use the compromised web pages to infect visitors with a variety of malware, but most commonly, a trojan which attempts to steal as many passwords as it can, including specific references to some internet banking sites.
The response to the incident from both consumers and the affected companies seems to indicate that when it comes to the web in South Africa, nobody cares.
Continue reading "Major SA websites hacked by China - nobody cares about the Web"
Posted by Dominic White
Last modified on 2008-06-06 09:44
Jun 6
The guys over at the Mail & Guardian invited me to write for their TechLeader group blog, it is available here. I will be reposting content here after it goes live there. The audience is more technical and less security and the writing will attempt to reflect that.
Posted by Dominic White
Last modified on 2008-06-07 01:33
Jun 2
I've been ranting about the SQL injections for a while now. While infecting your visitors with malicious software semi-silently generally doesn't put the pressure on the right people (i.e. the externality lies on the infected user not the infecting business), having your organisation blacklisted by Google shifts that externality. Here are the screenshots of Google warning me that the South African Broadcasting Company (SABC) may harm my computer. Check it yourself by googling 'sabc'. At the time of writing, the SABC had fixed the page.
Continue reading "SABC Blacklisted by Google"
Posted by Dominic White
Last modified on 2008-06-04 08:36