SQL Injections | TechSNAP 40

Posted on: January 12, 2012

Posted in: Featured, TechSNAP, Video

Comment on This Video

Share This Video

Embed This Video

SQL Injections | TechSNAP 40

We’ll explain how SQL Injections work, plus cover tools you can use to passively discover details about everyone connected to your network.

And Adobe blames some researches for THEIR security mistakes, we’ll explain.

All that and more, on this week’s episode of TechSNAP!

   

Direct Download Links:

   

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

 

   
Subscribe via RSS and iTunes:

Show Notes:

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans

Zero day Adobe Reader vulnerability uses to target defense contractors

  • An extremely targeted attack was carried out against major players in the defense industry using a previously unknown zero-day vulnerability in Adobe Reader
  • Only 20 or so machines were targeted, spread across a number of different companies
  • Specially crafted .PDF files that exploited the vulnerability to execute code on the victim’s machine were sent to a very specific list of email addresses, rather than the typical spam of phishing style attack. This was likely meant to prevent the zero day vulnerability from being discovered so it could continue to be used
  • The payload of the exploit was the Sykipot Trojan
  • From analysis of the exploit , it appears to be based on previous research and a proof of concept released by Felipe Andreas Manzano in 2009
  • Adobe made a point of reminding security researchers that their publicly disclosed proof of concepts are often used as free R&D by cyber criminals. TechSNAP would like to remind Adobe that the point of publicly disclosing the research is free R&D to help/force Adobe to patch the vulnerabilities
  • The vulnerability was apparently reported to Adobe by Lockheed Martin after they discovered they had been compromised
  • Adobe announced the vulnerability on December 6th, and released the patch on January 10th
  • Previous TechSNAP Coverage
  • CVE Announcement

New version of the P0f network finger printing tool

  • The tool passively analyzes incoming network transmissions and determines the operating system and other information about the remote machine with a fairly high degree of accuracy
  • The feature of note with the newly rewritten version is that it can detect many types of forgery, alerting you when the remote machine is who what it claims to be
  • The tool also features the ability to analyze some application layer protocols such as HTTP
  • One of the features I the ability to detect user agent forging (spam bots pretending to be running firefox or MSIE)
  • It is also able to detect some other aspects of the connection, such as NAT, load balancing, PPPoE (common for DSL), VPNs, Transparent and other irregular Proxies, and even tor
  • This tool could be very useful for fraud screening purposes, ecommerce sites can detect when the user is attempting to mask their identity and flag the orders for additional investigation
  • This tool could also be used as part of a firewall or man-in-the-middle attack, to detect technologies such as VPNs and block them, in an effort to have users connect without the additional security so they can be spied upon

Verizon Business Consulting analyzes second wave attacks against RSA customers

  • Typical attacks using email spear-phishing to attempt to place trojans and keyloggers on machines of SecurID users
  • The objective is to log the username, password and the temporary PIN generated by the SecurID Token
  • Once a small number of these PINs are obtained, the attackers may be able to successfully clone the SecureID Token to generate valid PINs at will, allowing them to compromise the targets easily
  • The unconfirmed list of companies who have been targeted includes: Lockheed Martin, Northrop Grumman, The International Monetary Fund, and L–3 Communications
  • RSA continues to claim that the security of the SecurID tokens has not been compromised, but after being subjected to much pressure by customers, has agreed to replace the tokens of any customers who request it

Feedback:

Q: (EBeyer) You talk about it a lot on the show, and it is one of the most common security vulnerabilities on the web, but what is SQL Injection?

A: An SQL Injection attack is caused by careless coding during the construction of an application that uses an SQL database. Through some fault or other, the attacker is able to “inject” code in to the SQL statement.

The most classic example of this comes from this very poor example of a login script:

SELECT * FROM users WHERE username = ‘$username’ AND password = ‘$password’

During normal operations, which would work as expected. However, if someone were to attempt to login with a username of say, “allan’ –” the executed SQL query would be:

SELECT * FROM users WHERE username = ‘allan’ –‘ AND password = ‘$password’

Where – is the SQL comment indicator, causing the rest of the query to be ignored. This would allow someone to login as any user without knowing the users password

A further example, they could use the username “‘; DROP TABLE users; –”

Causing the resultant SQL query to be:

SELECT * FROM users WHERE username = ‘’; DROP TABLE users; –’ AND password = ‘$password’

Which would find 0 users, then delete the entire users database table.

That is why it is important to ‘sanitize inputs’. What this means is that you must remove or escape characters with special meanings, so that they are not interpreted. Each programming language provides ways to do this, but amateurs and sloppy coders often forget or miss cases where input from the user is executed without being sanitized.
PHP for example, provides a number of methods of sanitizing the input , including the mysql_escape_string() function which attempts to escape any meta characters, but does not consider the character set. It has been deprecated and should be replaced by mysql_real_escape_string() which requires an active connection to the MySQL database (required anyway if you are going to run a query), and takes the character set, database settings and server configuration in to consideration. You can also use Prepared Statements , where the SQL query is defined with the variables, and then those variables are replaced at execution time, where they are escaped properly.

Round-Up:

Question? Comments? Contact us here!