HOWTO defend databases from SQL attacks with GreenSQL
UPDATE: as if to underscore the importance of this tool and approach, yesterday a story hit about a SQL Injection attack infecting over 132,000 systems in short order. Net-Security have the full details on this attack, including how it probes the host via JavaScript to check for known vulnerabilities, how it exploits them, and how it ultimately downloads a back-door trojan to get the game going. It’s really amazing to see how complicated and professional these things have gotten, and just adds to the reasoning that we have to step up to the plate and learn how to better defend against them.
I’ve been privy to some log dumps showing real, and successful, SQL attacks on some MSSQL servers before, and they weren’t pretty. Of course a SQL injection attack has little to do with the database (well, as long as it’s still SQL based at least (nod to CouchDB and MongoDB)), and more with the code that calls it, and how that code deals with sanitizing inputs. For this reason MySQL is just as vulnerable; after all, bad code is bad code. While a client of mine opted for a firewall ‘module’ they had to buy an additional licence for, which set them back many thousands of dollars, I knew there had to be cheaper/better ways to address this kind of vulnerability. One way of course is to fix the code, but with legacy sites that no one has touched for years this may be impractical (I didn’t say this, I only heard it), and the other idea is to proxy the SQL and ‘clean’ it before it hits the database. The advantage of this approach is that it protects against known attacks as well as unknown attacks, since it limits so much of what an attack is allowed to accomplish when trying to get its foot in the door. This approach is what the folks over at GreenSQL have done, and it’s very impressive. They sum things up nice and sweet with, “GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL & PostgreSQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.” (more…)
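As an added example (not GreenSQL’s own code), here is a toy version of the proxy logic the description sketches: each query gets a risk score from a small pattern matrix and administrative verbs are blocked outright. The weights, threshold and patterns are assumptions made for illustration; a real proxy tokenises the SQL properly instead of regex-matching it.

```python
import re

# Hypothetical weights and patterns, loosely modelled on the "risk scoring
# matrix" GreenSQL describes; they are NOT GreenSQL's real rules.
RISK_PATTERNS = [
    (r"--|/\*|#", 30, "comment sequence"),
    (r";\s*\w", 30, "stacked statement"),
    # OR x=x with identical sides (backreference), so "OR y = 2" is not flagged
    (r"\bor\b\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", 40, "always-true OR clause"),
    (r"\bunion\b\s+(all\s+)?select\b", 40, "UNION SELECT"),
    (r"\b(sleep|benchmark|pg_sleep)\s*\(", 20, "timing function"),
    (r"\binformation_schema\b", 20, "schema enumeration"),
]
# Administrative verbs the excerpt says a proxy should block outright.
ADMIN_COMMANDS = {"drop", "create", "alter", "truncate", "grant", "revoke"}
BLOCK_THRESHOLD = 30  # assumed cut-off; tune against your own query log


def score_query(sql):
    """Return (score, reasons) for one query string from the application."""
    score, reasons = 0, []
    # Naive split on ';' (a real proxy tokenises and respects string literals).
    for stmt in sql.split(";"):
        first = re.match(r"\s*(\w+)", stmt)
        if first and first.group(1).lower() in ADMIN_COMMANDS:
            score += 100
            reasons.append("administrative command " + first.group(1).upper())
    for pattern, weight, why in RISK_PATTERNS:
        if re.search(pattern, sql, re.IGNORECASE):
            score += weight
            reasons.append(why)
    return score, reasons


def decide(sql):
    """Return (verdict, score, reasons); verdict is 'BLOCK' or 'ALLOW'."""
    score, reasons = score_query(sql)
    verdict = "BLOCK" if score >= BLOCK_THRESHOLD else "ALLOW"
    return verdict, score, reasons


if __name__ == "__main__":
    # Constructed sample queries: two benign, three that a proxy should stop.
    samples = [
        "SELECT name FROM users WHERE id = 42",
        "SELECT a FROM t WHERE x = 1 OR y = 2",
        "SELECT name FROM users WHERE name = 'bob' OR 1=1 --",
        "SELECT 1; DROP TABLE users",
        "SELECT a FROM t WHERE id = 1 UNION SELECT pw FROM users",
    ]
    for q in samples:
        verdict, score, reasons = decide(q)
        print(f"{verdict:5} {score:4}  {q}  {reasons}")
```

The second benign sample shows why the tautology rule compares both sides of the `=`: a plain `OR y = 2` in application code must not be scored as an attack.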
EFF’s SSD (Surveillance Self-Defense) Project
EFF has a page covering what they call The SSD Project (Surveillance Self-Defense) which they provide, “…to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it.” This is important stuff, and what I wish others would know, so I’m posting links to the source in the hope it will get more exposure and result in the search engines of the Internet. I will contact EFF and see if we can formulate a better method to disseminate and distribute this text, allowing for updates and annotations going forward. Also, I aggregate news that covers these kinds of issues over on Left to chance, take a look, then follow @lefttochance and @eff on Twitter to stay informed, and consider joining the LinkedIn EFF Group I run to join in the conversation. In other words, get involved and …
Know your rights!
Security researcher Dan Kaminsky
Dan Kaminsky is a 7 year veteran of Black Hat and Defcon in Vegas, and he was pretty much a fixture when I was there last year. His performance during Friday night’s TCP/IP drinking game was hilarious, and his talk the next morning even more so. This year he’s presenting info on the under-addressed issues dealing with Web 2.0 and its inherent insecurity. “He’s looking at design bugs, which he cautions are not the same as pure vulnerabilities: “The system is doing exactly what it was built to do… People expect it to authenticate silently, and have a port open for everyone. But they don’t expect the bad guy to use it to do something malicious.” He worries about DNS rebinding, an example of a design flaw that can have serious consequences if manipulated nefariously. “I’m working on code that, if you come to my Website, I get to treat your browser as a VPN concentrator and browse your corporate network — with whatever magic IPsec credentials your machine has, incidentally.” Hmmm…interesting stuff for sure, and not something most web designers are thinking of as they write some more javascript to make a button draggable on the client’s homepage. I go to Defcon to hear thoughts and ideas like his, to learn from some very smart people that make me think in ways I never have before. I found a nice example on his site from a talk at Black Hat he did last year, taking a look at different ideas on how to rethink patterns in order to recognize data flows. He shows how different files, music, data and even written documents give up their internal structure when viewed using DotPlots to visualize patterns within. Seeing how we can recognize patterns better than a string of HEX makes sense, but he presents very interesting/thought provoking examples. Very cool stuff, see ya tomorrow in Vegas.
All your data are belong to Microsoft
In another scary move, Microsoft is behind a recent patent for an “advertising framework” that appears to be little more than an adware application on steroids, coupled with another patent that aims to use “context data” from your hard drive to show you advertisements and “apportion and credit advertising revenue” to ad suppliers in real time. … The application, filed in 2006, describes a multi-faceted, robust ad-delivering system that lives on a “user computer, whether it’s part of the OS, an application or integrated within applications.” “Applications, tools, or utilities may use an application program interface to report context data tags such as key words or other information that may be used to target advertisements,” says the filing. “The advertising framework may host several components for receiving and processing the context data, refining the data, requesting advertisements from an advertising supplier, for receiving and forwarding advertisements to a display client for presentation, and for providing data back to the advertising supplier.” The adware framework would leave almost no data untouched in its quest to sell you stuff. It would inspect “user document files, user e-mail files, user music files, downloaded podcasts, computer settings, computer status messages (e.g., a low memory status or low printer ink),” and more. If that’s not bad enough, read on… (more…)
Somebody set up us the bomb
In this day and age security is often OVER emphasised in the guise of erring on the side of caution (cue pictures of shoeless passengers muddling through security checkpoints). I know people will say ‘better safe than sorry’, but when things like this happen, it makes you question if any of this is making us any safer. “iPod prompts airport scare in Ottawa – A suspicious package found in an aircraft washroom on a flight from Chicago on Tuesday afternoon brought out Ottawa police canine and bomb-disposal units. [...] The plane landed safely and was isolated away from the terminal. Passengers were taken off the plane and questioned by police while experts investigated the ‘package.’ Police issued a statement Tuesday evening saying the suspicious package ‘has been identified as an electronic device commonly known as an iPod.’ ” That’s the brief overview, but the story gets much better since the suspect was a World Of Warcraft player who was on his way to meet a friend he had met in the game, but never in person; a facet that only served to magnify his suspicious behavior. I don’t want to spoil any of it, so for the full story you need to read the full/detailed forum post from the ‘suspect’ — which I’ve mirrored below. Enjoy.
Boycott the RIAA in March
Since I support this idea I’m reposting it from Gizmodo.com. “Alright, we’ve been following the RIAA’s increasingly frequent affronts to privacy and free speech lately, and it’s about time we stopped merely bitching and moaning and did something about it. The RIAA has the power to shift public policy and to alter the direction of technology and the Internet for one reason and one reason alone: it’s totally loaded. Without their millions of dollars to throw at lawyers, the RIAA is toothless. They get their money from us, the consumers, and if we don’t like the way they’re behaving, we can let them know with our wallets. With that in mind, Gizmodo is declaring the month of March Boycott the RIAA month. We want to get the word out to as many people as humanly possible that we can all send a message by refusing to buy any album put out by an RIAA label. Am I saying you should start pirating music? Not at all. You can continue to support the artists you enjoy and respect in a number of ways.”
FBI lost 160 laptops in last 44 months
A new report tells us that the FBI has lost 160 laptops in the last 44 months! “Perhaps most troubling,” says the report, “the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information. Such information may include case information, personal identifying information, or classified information on FBI operations.” Laptops can also contain goodies like the software that the FBI uses to make its identification badges, a copy of which was installed on a laptop stolen from the Boston Field Office in July 2002. If the FBI doesn’t keep records of what’s installed on their laptops, how can we expect or trust the private sector to secure customer data? Think about all the websites that have your name/address/etc, and then think of their employees taking their laptops home that may/may not have hooks into ‘secret’ data…
TJX Companies data breach reveals credit card data
Ah, nothing new, just another big corporation leaking credit card and issuers’ personal data. “The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob’s Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad. The company does not know the extent of the breach, which was first discovered in December 2006. However, hackers may have made off with credit and debit information from transactions in the United States, Canada and Puerto Rico in 2003 as well as transactions between May and December 2006, according to a company statement. [...] In the end, the hack may affect a wide range of credit card companies and thousands of consumers in America and in countries like the United Kingdom and Ireland, experts say.” I fail to understand how this could have been happening since 2003 — and then again for half of this past year! We need more detail, but again, how could this go on for so long? Why is this happening? It’s always the weakest link in the chain, but we need to know what it is so it can be plugged (so a new breach can appear later). A losing battle? Me thinks online payment and CC-only transactions are only making things worse thanks to security that is bought by a company, instead of developed and understood in house. Seems like a good time to check back in with our friendly updated list, A Chronology of Data Breaches, which has already been updated with this recent fun.
Personal info more likely to be stolen from the Government than hacked
“More Private Data Is Burgled From Government Than Hacked” – While the news aims to spread fear that ‘hackers’ are going to steal your identity, numbers show that they really should be fearful of our government. “America’s universities admit that, in the first half of 2006, they let a million Social Security numbers slip through their fingers. Accountants, banks and brokerages have proven themselves to be half as competent at protecting your critical data, conceding to more than 1.9 million lost SSNs. And the health care industry fares even worse: 2.4 million. But the King of Data Giveaways, with over 40 million Social Security numbers stolen in just six months, is your government… local, state and federal. The raw data from Privacy Rights Clearinghouse’s latest report bears me out.” I remember seeing that list sometime last year, but that it’s still out there, and being added to regularly, is proof that this is going to continue to get worse before it gets any better. Time for the government to take things a bit more seriously in terms of security.
‘Do not email’ registries for children
In July, two states will open up an ‘opt-out’ list to prohibit sending commercial email to children’s email addresses which are registered. “New state laws in Michigan and Utah will prohibit sending commercial email to children’s email addresses which are registered with the states’ new ‘Do not email’ lists. Officials in both states have confirmed that their new registry web pages for parents — websites where parents and guardians can soon make their kids’ email addresses off limits to email marketers — will be activated this month. Michigan’s registry is scheduled to be available July 1 at Michigan.gov, and Utah’s website will debut its registry a few weeks later. These are the first states to start their own ‘Do not email’ registries. Nationally, the option of starting a national “Do not email” list was explored following the signing of the federal Can-Spam act in 2003, but such a list was deemed impractical and never materialized. … Michigan’s Darnoi is confident that his state’s child registry will survive initial criticism. The registry even has the endorsement of the state’s chapter of the American Civil Liberties Union.” It’s certainly a new reality for parents these days, how to control access to the unregulated internet. While this kind of protection is a good start, teaching them to be cautious by default is the long term solution. Time to create some more email aliases…
Rating the risks
An interesting survey of 332 IT “executives” and managers by Forrester Research shows their concerns with outgoing email and IM data. Their take:
- 25% of outbound E-mails contain content that poses a legal, financial, or regulatory risk
- 36% of companies employ staff to read or analyze outbound E-mail
- 47% intend to deploy technology for monitoring Web mail or IM traffic
- 70% are concerned about the use of Web-based E-mail to expose confidential data
- 77% say preventing intellectual-property and trade-secret leaks is their top E-mail concern
This is something that has long been terribly lax if you ask me. Think about all the web based email sent from a work computer, along with simple instant messaging, but then think on to people taking laptops home and the proliferation of USB ‘thumb-drives’ now hitting 2 Gig. These are the next real concerns, but locking down networking should be the first. Don’t get me wrong, I’m all for personal privacy, but if it’s going to pose a risk to a company they should not allow it. Those numbers above about staff reading and monitoring email and IM should be a wake-up call; DON’T USE YOUR WORK EMAIL FOR NON WORK STUFF! My solution is to only use SSL for my connection to my home email server, along with TLS encrypted Jabber IM communication. Not that I have anything to hide…
Please verify your account
Got another PayPal phishing email today, my filters caught it no problem, so now let’s pollute their database of username and passwords. Here’s the direct link to the Phishfighting page that will flood the phisher’s site with bogus usernames and passwords. If you’re using Firefox I recommend center clicking on the link 5 times (or more) and leave those tabs open for a day (or more). Have fun.
UPDATE: yep, after leaving it there all day while I was out I return to see the link throwing a 503 – server unavailable. Sweet. Don’t let that stop you, there are plenty more: here’s a fake eBay one, and a fake PayPal one. Also, I’m flattered that PhishFighting has a quote of mine “After a good defense we need a good offense – fak3r.com” in the left column on the front page.
I’d rather be phishing…
It seems that the phishing site I referred to earlier is now dead (request timed out!) Yah, very cool, now how about another one to keep the ball rolling? Go ahead and try out this one: YAPPS (yet another pay-pal scam). Feel free to open a bunch of tabs on that URL; I’ll throw up a new one once it goes down. This would be a good application for that ‘flash mob’ type of idea; get a phish-fighting email list, send out a URL like this and have 100s of folks hit it at once. It’d be more like a (more coordinated) 419 attack.
New phisher site to fight!
I just got another PayPal phishing email, as always they include a link to ‘login’ to ‘PayPal’ to verify something or another in an effort to learn your username and password. Of course MailScanner tagged the bogus URL within the HTML, and SpamAssassin (this time Razor2) found that it was spam from content *and* a DCC (distributed checksum clearinghouse) list, so I really couldn’t accidentally fall for the scam, but after a good defense we need a good offense; it’s time to fight back. I currently have 6 Firefox tabs open on PhishFighting.com to pollute the phisher’s database with phony usernames and passwords. The goal, as I’ve stated before, is to flood the phisher’s database making it unusable, and possibly saving some who have fallen for it by putting so much *noise* around legit data that it isn’t used. Want to help? Open a new browser window, and center click on this PhishFighting.com link that already has the bogus URL information listed. Looking at the totals on my other window I’m over 300 phony usernames and passwords, and I plan to leave it running all day.
School spies on student, busts him for…eating candy
Prototype of the school's proposed catcam 3000
Today fak3r from fak3r.com and Matt from Obtuseview.com are working together to bring you a multi-perspective piece on internet security. Rarely are team-ups like this seen except in the pages of “Marvel Team-Ups” or “a very Special Episode of Diff’rent Strokes.”
So the Pennsylvania school using webcams on district provided laptops to spy on its students story just gets more and more bizarre. The parents of one of the kids are (rightfully) suing the school, “…alleging the district unlawfully used its ability to access a webcam remotely on their son’s district-issued laptop computer [...] it watched him through his laptop’s webcam while he was at home and unaware he was being observed.” This is apparently proven when the school “caught” the student engaging in “improper behavior” in his home, via a webcam image. Meanwhile the school claims it had the ability to observe images via the webcam, but that it would only be used if the laptop were reported to be lost, stolen or missing, and even then “…the district would first have to request access from its technology and security department and receive authorization.” Additionally, the school claims this monitoring was all part of an agreement defining “acceptable-use” that the family had to sign to allow the student to take the laptop home, which also states that the family was required to buy insurance for the borrowed laptop. So far, so ridiculous, but then it starts getting sillier… (more…)
Feb 23, 2010 | Categories: commentary, geek, news, privacy | Tags: aclu, eavesdropping, eff, high school, keylogger, laptop, laptops, online privacy, privacy, students, webcam