BEAST – Jupiter Broadcasting (https://www.jupiterbroadcasting.com). Open Source Entertainment, on Demand.

SQL Injections | TechSNAP 40
https://original.jupiterbroadcasting.net/15661/sql-injections-techsnap-40/
Thu, 12 Jan 2012 18:53:27 +0000

We’ll explain how SQL Injections work, plus cover tools you can use to passively discover details about everyone connected to your network.

The post SQL Injections | TechSNAP 40 first appeared on Jupiter Broadcasting.




And Adobe blames some researchers for THEIR security mistakes, we’ll explain.

All that and more, on this week’s episode of TechSNAP!


Show Notes:

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans

Zero day Adobe Reader vulnerability used to target defense contractors

  • An extremely targeted attack was carried out against major players in the defense industry using a previously unknown zero-day vulnerability in Adobe Reader
  • Only 20 or so machines were targeted, spread across a number of different companies
  • Specially crafted .PDF files that exploited the vulnerability to execute code on the victim’s machine were sent to a very specific list of email addresses, rather than the typical spam or phishing-style attack. This was likely meant to prevent the zero day vulnerability from being discovered so it could continue to be used
  • The payload of the exploit was the Sykipot Trojan
  • From analysis of the exploit, it appears to be based on previous research and a proof of concept released by Felipe Andreas Manzano in 2009
  • Adobe made a point of reminding security researchers that their publicly disclosed proofs of concept are often used as free R&D by cyber criminals. TechSNAP would like to remind Adobe that the point of publicly disclosing the research is free R&D to help/force Adobe to patch the vulnerabilities
  • The vulnerability was apparently reported to Adobe by Lockheed Martin after they discovered they had been compromised
  • Adobe announced the vulnerability on December 6th, and released the patch on January 10th
  • Previous TechSNAP Coverage
  • CVE Announcement

New version of the p0f network fingerprinting tool

  • The tool passively analyzes incoming network transmissions and determines the operating system and other information about the remote machine with a fairly high degree of accuracy
  • The feature of note with the newly rewritten version is that it can detect many types of forgery, alerting you when the remote machine is not what it claims to be
  • The tool also features the ability to analyze some application layer protocols such as HTTP
  • One of the features is the ability to detect user agent forging (spam bots pretending to be running Firefox or MSIE)
  • It is also able to detect some other aspects of the connection, such as NAT, load balancing, PPPoE (common for DSL), VPNs, transparent and other irregular proxies, and even Tor
  • This tool could be very useful for fraud screening purposes, ecommerce sites can detect when the user is attempting to mask their identity and flag the orders for additional investigation
  • This tool could also be used as part of a firewall or man-in-the-middle attack, to detect technologies such as VPNs and block them, in an effort to have users connect without the additional security so they can be spied upon

Verizon Business Consulting analyzes second wave attacks against RSA customers

  • Typical attacks using email spear-phishing to attempt to place trojans and keyloggers on machines of SecurID users
  • The objective is to log the username, password and the temporary PIN generated by the SecurID Token
  • Once a small number of these PINs are obtained, the attackers may be able to successfully clone the SecurID Token to generate valid PINs at will, allowing them to compromise the targets easily
  • The unconfirmed list of companies who have been targeted includes: Lockheed Martin, Northrop Grumman, The International Monetary Fund, and L-3 Communications
  • RSA continues to claim that the security of the SecurID tokens has not been compromised, but after being subjected to much pressure by customers, has agreed to replace the tokens of any customers who request it

Feedback:

Q: (EBeyer) You talk about it a lot on the show, and it is one of the most common security vulnerabilities on the web, but what is SQL Injection?

A: An SQL Injection attack is caused by careless coding during the construction of an application that uses an SQL database. Through some fault or other, the attacker is able to “inject” code into the SQL statement.

The most classic example of this comes from this very poor example of a login script:

SELECT * FROM users WHERE username = '$username' AND password = '$password'

During normal operation this works as expected. However, if someone were to attempt to log in with a username of, say, "allan' --", the executed SQL query would be:

SELECT * FROM users WHERE username = 'allan' --' AND password = '$password'

where -- is the SQL comment indicator, causing the rest of the query to be ignored. This would allow someone to log in as any user without knowing the user’s password.

A further example: they could use the username "'; DROP TABLE users; --"

causing the resultant SQL query to be:

SELECT * FROM users WHERE username = ''; DROP TABLE users; --' AND password = '$password'

which would find 0 users, then delete the entire users database table.

That is why it is important to ‘sanitize inputs’. What this means is that you must remove or escape characters with special meanings, so that they are not interpreted. Each programming language provides ways to do this, but amateurs and sloppy coders often forget or miss cases where input from the user is executed without being sanitized.

PHP, for example, provides a number of methods of sanitizing the input, including the mysql_escape_string() function, which attempts to escape any meta characters but does not consider the character set. It has been deprecated and should be replaced by mysql_real_escape_string(), which requires an active connection to the MySQL database (required anyway if you are going to run a query) and takes the character set, database settings and server configuration into consideration. You can also use Prepared Statements, where the SQL query is defined with placeholders for the variables, and those variables are supplied separately at execution time, where they are escaped properly.
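The login query from the answer above, run both ways against a throwaway SQLite database so the difference between string splicing and a prepared statement can be seen directly. This is an added example, not code from the show; the users table and its single row are constructed for it.

```python
import sqlite3

# Constructed sample data for this example (not from the show): one user,
# with a plaintext password only so that the query mirrors the one above.
SAMPLE_USER = ("allan", "correct horse")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", SAMPLE_USER)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The show's login script: user input is spliced into the SQL text.

    With username "allan' --" the rest of the WHERE clause becomes a comment,
    so the password check disappears and the query matches allan's row.
    """
    query = ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return len(conn.execute(query).fetchall()) > 0


def login_safe(conn, username, password):
    """Prepared statement: the SQL text and the values travel separately, so
    quote and comment characters in the input are plain data and the string
    "allan' --" is looked up literally (and not found)."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return len(conn.execute(query, (username, password)).fetchall()) > 0


if __name__ == "__main__":
    for username, password in [("allan", "correct horse"),
                               ("allan' --", "wrong password")]:
        print("%-14r vulnerable=%-5s safe=%s" % (
            username,
            login_vulnerable(make_db(), username, password),
            login_safe(make_db(), username, password)))
```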




Ultimate File Server | TechSNAP 25
https://original.jupiterbroadcasting.net/12458/ultimate-file-server-techsnap-25/
Thu, 29 Sep 2011 18:35:26 +0000

We share our insights on setting up the ultimate network file server, plus have you ever been curious how hackers pull off massive security breaches?

The post Ultimate File Server | TechSNAP 25 first appeared on Jupiter Broadcasting.



Coming up on this week’s TechSNAP…

Have you ever been curious how hackers pull off massive security breaches? This week we’ve got the details on a breach that exposed private data of 35 million customers.

Plus MySQL.com spreads custom malware tailored just for your system, and the details are amazing!

On top of all that, we’ll share our insights on setting up the ultimate network file server!


Show Notes:

South Korea’s SK Telecom hacked, detailed forensics released

  • Between July 18th and 25th, SK Telecom’s systems were compromised, and all of their customer records (35 million customers) were exposed. The records included a wealth of information, including username, password, national ID number, name, address, mobile phone number and email address.
  • The attack was classified as an Advanced Persistent Threat: the attackers compromised 60 computers at SK Telecom in total, biding their time until they could compromise the database. Data was exchanged between the compromised computers at SK Telecom and a server at a Taiwanese publishing company that had been compromised by the attackers at an earlier date.
  • The attack was very sophisticated, specifically targeted, and also seems to indicate a degree of knowledge about the target. The well organized attackers managed to compromise the software update server of another company (ESTsoft) whose software (ALTools) was used by SK Telecom, then piggyback a trojan into the secure systems that way. Only computers from SK Telecom received the malicious update.
  • The attackers sent the compromised data through a number of waypoints before receiving it, masking the trail and the identities of the attackers. A similar pattern was seen with the RSA APT attack: the attackers uploaded the stolen data to a compromised web server, and once they had removed the data from there, destroyed the server and broke the trail back to themselves.
  • Proper code signing, or GPG signing could have prevented this
  • Original BBC Article about the attack

Mac OS X Lion may expose your hashed password

  • The Directory Services command allows users to search for data about other users on the machine. This is the intended function.
  • The problem is that the search results for the current user also include sensitive information, such as the user’s password hash. You are authorized to view this information, because you are the current user.
  • However, any application running as that user, could also gain that information, and send it back to an attacker.
  • Using the hash, an attacker could perform an offline brute force attack against the password. These attacks have gotten more common and less time consuming with the advent of better parallel computing, cloud computing and high performance GPGPUs.
  • My bitcoin mining rig could easily be converted to a password hash cracking rig, especially now that the current value of bitcoin is sagging. If there were a big enough market for cracking hashed passwords, there are now a huge number of highly specialized machines devoted to bitcoin that could be easily switched over.
  • The tool can also allow the current user to overwrite their own password hash with a new one, without the need to provide the current plain text password. This means that rather than spend time cracking the password, the attacker could just change the current user’s password, and then take over the account that way.
  • These attacks would require some kind of exploit that allowed the attacker to perform the required actions; however, we have seen a number of Flash, Java and general browser exploits that could allow this.
  • The current recommended workaround is to chmod the dscl command such that it can only be used by root
  • Additional Article

MySQL.com compromised, visitors subject to drive by infection

  • The MySQL.com front page was compromised and had malicious code injected in to it.
  • The code (usually an iframe) caused a Java exploit to be executed against the visitor. The exploit required no interaction or confirmation from the user. This type of attack is known as a ‘drive by infection’, because the user does not have to take any action to become infected.
  • Two different trojans were detected being sent to users, Troj/WndRed-C and Troj/Agent-TNV
  • Because of the nature of the iframe attack, and the redirect chain the attackers could have easily varied the payload, or selected different payloads based on the platform the user was visiting the site on.
  • There are reports of Russian hackers offering to sell admin access to mysql.com for $3000
  • Detailed Analysis with malicious source code, video of the infection process
  • Article about previous compromise
  • When the previous compromise was reported, it was also reported that MySQL.com was subject to an XSS (Cross Site Scripting) attack, where content from another site could be injected into the MySQL site, subverting the browser’s usual ‘Same Origin’ policy. This vulnerability, if not repaired, could have been the source of this latest attack.

Feedback:

Continuing our Home Server Segment – this week we are covering file servers.
Some possible solutions:

  • Roll Your Own (UNIX)
      • Linux or FreeBSD based
      • Install Samba for an SMB server (allows Windows and other OS machines to see your shared files)
      • Set up FTP (unencrypted unless you use FTPS (FTP over SSL); high speed; doesn’t play well with NAT; not recommended)
      • Configure SSH (provides SCP and SFTP) (encrypted; slightly higher CPU usage; recommended for Internet access)
      • Install rsync (originally designed to keep mirrors of source code and websites up to date; allows you to transfer only the differences between files rather than the entire file) (although it is recommended you do rsync over SSH, not via the native protocol)
      • Configure NFS (default UNIX file sharing system)
      • Build your own iSCSI targets (allows you to mount a remote disk as if it were local; popular in virtualization as it removes a layer of abstraction, and required for virtual machines that can be transferred from one host to another)
  • Roll Your Own (Windows)
      • Windows provides built-in support for SMB
      • Install FileZilla Server for FTP/FTPS (alternative: Cyberduck)
      • There are some NFS alternatives for Windows, but they are not free
      • There is an rsync client for Windows, or you could use Cygwin; the same goes for SSH. Similar tools include robocopy and SyncToy
  • FreeNAS
      • FreeBSD based. Provides: SMB, NFS, FTP, SFTP/SCP, iSCSI (and more)
      • Supports ZFS
      • Chris’ previous coverage of FreeNAS:
          • FreeNAS, IN DEPTH
          • FreeNAS Vs. HP MediaSmart WHS
          • FreeNAS vs Drobo
