InfoSec News

Hacking group Lulz Security claimed it had hacked and defaced the web site of the Atlanta chapter of InfraGard, an organization affiliated with the U.S. Federal Bureau of Investigation, and leaked its user base.
 
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Many of the recent high profile attacks follow a similar pattern. First, a web application is compromised using SQL injection. Next, the attacker dumps the database using the SQL injection vulnerability.
Once the attacker has hold of the database, the attacker will search it for passwords. In some cases, the password was not hashed, and in other cases, the hash was brute forced. The attacker then used the password to try to breach other accounts.
I will try to write up a few diaries discussing steps to defend against the basic weaknesses exploited by these attacks:

- SQL injection
- Unhashed or weak passwords
- Password reuse

In this first post, we will take a look at SQL injection.
The Tool: Havij
A few times before, I showed some of the attacks we see against the ISC website. One notable change over the last couple of years is an increase in SQL injection attacks. In the past, remote file inclusion attacks dominated. But now, SQL injection attacks have increased substantially, in particular attacks using the attack tool Havij (the tool's user agent contains the strings "Havij" and ".NET CLR 2.0.50727").

The attack method is pretty straightforward. Havij injects a UNION SELECT statement and keeps adding additional fields to the union query to work out how many columns are required. Each statement selects static random hex strings, which makes it easy to identify them in the response.

GET /diary.html?storyid=999999.9+UNION+ALL+SELECT+
0x31303235343830303536%2C0x31303235343830303536--

This is a technique used by other tools as well.
Defense
Of course the best defense is to avoid SQL injection vulnerabilities in the first place. Did I mention yet that you should use prepared statements whenever possible? That and decent input validation will pretty much eliminate the problem.
Now I also know that you probably have plenty of legacy applications and applications you didn't code. In these cases, you need a quick fix. You could, for example, block the Havij user agent at your Intrusion Prevention System or your web application firewall. A little mod_rewrite rule may work too. I find another decent string to detect the tool (and other SQL injection tools) is %27+UNION+ALL+SELECT . This string shouldn't have a huge false positive rate.
We covered SQL Injection a few times before:
http://isc.sans.org/tag.html?tag=SQL%20Injection
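As an added example (not part of the diary), here is a small scanner that applies the two detection ideas above to web server access logs: the Havij user agent and the %27+UNION+ALL+SELECT string. It also decodes the request path before matching, because the diary's own sample request injects into a numeric parameter and contains no %27, so the raw string alone would miss it; the log lines are constructed and the Havij user agent string is assumed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not real ISC traffic).
# Line 1 mirrors the diary's numeric-context probe, sent with an assumed Havij user agent.
# Line 2 is a string-context probe (%27 = '), line 3 is an ordinary request.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jun/2011:10:01:02 +0000] "GET /diary.html?storyid=999999.9+UNION+ALL+SELECT+0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Havij; .NET CLR 2.0.50727)"
203.0.113.5 - - [08/Jun/2011:10:01:03 +0000] "GET /diary.html?storyid=9999%27+UNION+ALL+SELECT+0x31,0x32,0x33-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2011:10:02:10 +0000] "GET /diary.html?storyid=10999 HTTP/1.1" 200 8801 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')
UA_SIG = re.compile(r"havij", re.IGNORECASE)                 # tool name in the user agent
RAW_SIG = re.compile(r"%27\+UNION\+ALL\+SELECT", re.IGNORECASE)  # the diary's suggested string
DECODED_SIG = re.compile(r"union\s+all\s+select", re.IGNORECASE)  # matches after URL decoding
COLUMNS_RE = re.compile(r"union\s+all\s+select\s+(.*?)(?:--|$)", re.IGNORECASE)


def union_columns(decoded_path):
    """Count the fields in the injected SELECT: Havij grows this number per probe."""
    m = COLUMNS_RE.search(decoded_path)
    if not m:
        return 0
    return len([c for c in m.group(1).split(",") if c.strip()])


def classify(line):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, path, _status, _size, _referer, ua = m.groups()
    reasons = []
    if UA_SIG.search(ua):
        reasons.append("havij-user-agent")
    if RAW_SIG.search(path):
        reasons.append("isc-signature")
    decoded = unquote_plus(path)  # %27 -> ', + -> space, %2C -> ,
    if DECODED_SIG.search(decoded):
        reasons.append("union-all-select")
    return {"ip": ip, "path": path, "reasons": reasons, "columns": union_columns(decoded)}


def scan(log_text):
    """Return only the lines that triggered at least one indicator."""
    findings = (classify(l) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f and f["reasons"]]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["reasons"], "columns probed:", f["columns"])
```

Alerting on the decoded pattern catches both the numeric and the quoted variant, while the raw string is the cheaper check to drop into a WAF or IPS rule.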



 
