Saturday, June 30, 2012

Week 4 - CYBR 650

Well, this week had me rather perplexed. Last week, I misunderstood a portion of the assignment and had shifted into the Disaster Recovery/Business Continuity gear. I think I did that because I understood that really well!

As I produce deliverables in my class, I get to review my peers' work and tell them what I think or ask questions for clarification. The scenario we are working on has already dealt with a series of breaches and it is our job to secure the business. For the subheading "Information Storage," many in my class listed SQL. I thought this was interesting. In getting ready for DEFCON 20, I found several talks regarding SQL:


SQL Injection to MIPS Overflows: Rooting SOHO Routers
ZACHARY CUTLIP SECURITY RESEARCHER, TACTICAL NETWORK SOLUTIONS

Three easy steps to world domination:

1. Pwn a bunch of SOHO routers
2. ???
3. Profit

I can help you with Step 1. In this talk, I'll describe several 0-day vulnerabilities in Netgear wireless routers. I'll show you how to exploit an unexposed buffer overflow using nothing but a SQL injection and your bare hands. Additionally, I'll show how to use the same SQL injection to extract arbitrary files from the file systems of the wifi routers. This presentation guides the audience through the vulnerability discovery and exploitation process, concluding with a live demonstration. In the course of describing several vulnerabilities, I present effective investigation and exploitation techniques of interest to anyone analyzing SOHO routers and other embedded devices.

Zachary Cutlip is a security researcher with Tactical Network Solutions, in Columbia, MD. At TNS, Zach develops exploitation techniques targeting embedded systems and network infrastructure. Since 2003, Zach has worked either directly for or with the National Security Agency in various capacities. Before becoming a slacker, he spent six years in the US Air Force, parting ways at the rank of Captain. Zach holds an undergraduate degree from Texas A&M University and a master's degree from Johns Hopkins University.
Twitter:@zcutlip


New Techniques in SQLi Obfuscation: SQL never before used in SQLi
NICK GALBREATH

SQLi remains a popular sport in the security arms-race. However, after analysis of hundreds of thousands of real world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities. This talk will iterate through the dark corners of SQL for use in new obfuscated attacks, and show why they are problematic for regular-expression based WAFs. This will point the way for new directions in SQLi research for both offense and defense.

Nick Galbreath is a director of engineering at Etsy, overseeing groups handling fraud, security, authentication and internal tools. Over the last 18 years, Nick has held leadership positions in a number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market, and has consulted for many more. He is the author of "Cryptography for Internal and Database Applications" (Wiley), and was awarded a number of patents in the area of social networking. He holds a master's degree in mathematics from Boston University.
Twitter: @ngalbreath
http://client9.com
https://github.com/client9



SQL ReInjector - Automated Exfiltrated Data Identification
JASON A. NOVAK ASSISTANT DIRECTOR, DIGITAL FORENSICS; STROZ FRIEDBERG, LLC
ANDREA (DREA) LONDON DIGITAL FORENSIC EXAMINER; STROZ FRIEDBERG, LLC

In 2011, SQL injections became front page news as ever more high profile companies were victims of automated SQL injection attacks. Responders spent countless hours looking at values in log files like "0x31303235343830303536" trying to figure out what was being exfiltrated by whom. Incident response costs skyrocketed while the cost of attacking fell.

This presentation will debut SQL ReInjector, a tool for the rapid assessment of logs from SQL injection attacks to determine what data was exfiltrated.

When responding to an SQL injection attack, responders have to determine what was exfiltrated by manually parsing the web server logs from the victimized host. This is a time consuming process that requires a significant amount of a responder’s time. Moreover, manual replay of the SQL injection does not account for system level discrepancies in how queries are executed by the system – running SQL against a SQL server directly doesn’t account for the behavior of any intermediary systems – e.g. any application layer logic or nuances in how the web application and database server interact.

SQL ReInjector uses the log files from the machine that has been subject to a SQL injection attack to replay the attack against the server (or a virtualized forensic image thereof) and captures the data returned by the SQL injection web site requests, reducing the amount of time responders have to spend looking at web server logs and allows for responders to recreate the data exfiltrated through a SQL injection attack.
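The abstract above describes responders staring at values like "0x31303235343830303536" in web server logs. As an added illustration of that first, manual step (this is my own example, not code from the blog post or from the SQL ReInjector tool), the script below walks a few constructed Apache-style access log lines, pulls MySQL-style hex string literals out of the request URLs and decodes them, so a responder can see at a glance which strings an attacker was smuggling past quote filters. The log lines and the second hex value are made up; the first hex value is the one quoted in the abstract.

```python
"""Decode hex string literals found in web server access logs.

Added example (not part of the blog post or of SQL ReInjector). The
SAMPLE_LOG lines are constructed; the request paths, IPs and timestamps
are not real traffic.
"""
import re
from urllib.parse import unquote

# Constructed Apache common-log-format lines. The second and third requests
# carry hex literals of the kind the abstract quotes; the others are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2012:10:14:02 -0500] "GET /products.php?id=5 HTTP/1.1" 200 4811
203.0.113.7 - - [12/Jun/2012:10:14:09 -0500] "GET /products.php?id=0x31303235343830303536 HTTP/1.1" 200 5123
203.0.113.7 - - [12/Jun/2012:10:14:15 -0500] "GET /products.php?id=5&cat=0x7573657273 HTTP/1.1" 200 5123
198.51.100.22 - - [12/Jun/2012:10:15:41 -0500] "GET /about.html HTTP/1.1" 200 2210
"""

# A hex literal is 0x followed by an even number of hex digits, e.g. 0x31303235.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)\b")
# Capture the request target out of the quoted request line.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) ')


def decode_hex_literal(hex_digits: str) -> str:
    """Turn the digits of a hex literal (without the 0x prefix) into text.

    Undecodable bytes are replaced rather than raising, because attackers
    do not always encode valid UTF-8.
    """
    return bytes.fromhex(hex_digits).decode("utf-8", errors="replace")


def find_hex_literals(log_text: str) -> list:
    """Return one finding per hex literal seen in a request URL.

    Each finding records the log line number, the client IP, the raw literal
    and its decoded text, which is what a responder actually wants to read.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        # Percent-decode first so literals hidden behind URL encoding are seen.
        path = unquote(match.group(1))
        for hex_match in HEX_LITERAL.finditer(path):
            findings.append({
                "line": lineno,
                "client": client_ip,
                "literal": "0x" + hex_match.group(1),
                "decoded": decode_hex_literal(hex_match.group(1)),
            })
    return findings


if __name__ == "__main__":
    for finding in find_hex_literals(SAMPLE_LOG):
        print(f"line {finding['line']} from {finding['client']}: "
              f"{finding['literal']} -> {finding['decoded']!r}")
```

Run on the constructed log, the second line's literal decodes to the digit string 1025480056 and the third's to the word "users"; grouping such findings by client address and time is the starting point for reconstructing what a SQL injection session touched before replaying anything.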


Jason A. Novak is an Assistant Director of Digital Forensics in Stroz Friedberg's Chicago office. At Stroz Friedberg, Mr. Novak has been lead examiner in a wide range of cases involving digital forensics, incident response, application testing, source code analysis, and data analytics, and has developed numerous tools to expedite the firm's analysis and response capabilities. The proprietary tools developed by Mr. Novak have included: an anti-money laundering data analytics platform and tools to process electronically stored information to respond to forensic and electronic discovery requests. As a co-writer of the Google Street View report, Mr. Novak analyzed the source code to gstumbler, the WiFi device geolocation application used by Google as part of the Street View project, and documented its structure and functionality in a publicly released report; Mr. Novak has responded to inquiries about the report from domestic and foreign regulators. 
Twitter: @strozfriedberg
http://www.strozfriedberg.com 

Andrea (Drea) London is a Digital Forensic Examiner in Stroz Friedberg's Dallas office. At Stroz Friedberg, Ms. London acquires and examines digital evidence from laptops, desktops and mobile phones in support of legal proceedings, criminal matters, and/or corporate investigations. Additionally she is responsible for implementing large-scale, end-to-end electronic discovery for both civil and criminal litigation. Ms. London previously held positions at Arsenal Security Group and IBM’s Internet Security Systems Emergency Response Team. At Arsenal, Ms. London was an integral part of the company’s immediate response team for worldwide cyber security incidents. During this time she completed and has maintained certification as a Payment Application Qualified Security Assessor (PA QSA), Payment Card Industry (PCI QSA), and PCI Forensic Investigators (PFI), one of the first appointed by the PCI Council. At IBM, she acted as an official Quality Incident Response Assessor (QIRA) reporting PCI breaches to major card brands. Prior to her work for IBM, Ms. London was with the Air Force Office of Special Investigations (AFOSI), where she was one of two Airmen chosen for special duty assignment at the Defense Cyber Crime Center, and where she was tasked with testing and evaluating forensic software and hardware for the Center.




Rapid Blind SQL Injection Exploitation with BBQSQL
BEN TOEWS SECURITY CONSULTANT, NEOHAPSIS
SCOTT BEHRENS SECURITY CONSULTANT, NEOHAPSIS

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don't you have to write something custom. This is time-consuming and tedious. This talk will be introducing a new tool called BBQSQL that attempts to address these concerns. This talk will start with a brief discussion of SQL Injection and Blind SQL Injection. It will then segue into a discussion of how BBQSQL can be useful in exploiting these vulnerabilities. This talk will cover how features like evented concurrency and character frequency based searching can greatly improve the performance of a SQL Injection tool. This talk should leave you with enough knowledge to begin using BBQSQL to simplify and speed up your application pentests.

Ben Toews is a Security Consultant at Neohapsis where he specializes in application and network pentesting. Previously, Ben has worked as a sysadmin and as a developer. Ben has spoken at Thotcon 0x03 and has been published in HITB Magazine. Ben has a BS in Information Assurance and Security Engineering from DePaul University.
Twitter: @mastahyeti
http://btoe.ws 


Scott Behrens is currently employed as a Security Consultant at Neohapsis and an Adjunct Professor at DePaul University. Before Neohapsis, Scott Behrens was an Open Systems Architect for a financial consulting firm, as well as a Network Administrator at Argonne National Laboratories. Scott Behrens’ expertise lies in software security assessment, network penetration testing, social engineering, security architecture, and security research. Scott is also the co-developer of NeoPI, a framework to aid in the detection of obfuscated malware. Scott has also presented at Chicago B-sides and has published numerous articles in various security outlets. Scott Behrens has a Master’s of Science in Network Security from DePaul University.
Twitter: @HelloArbit
http://www.scottbehrens.com



*******************************

This got me thinking. That's a lot of talks on one topic! If the class is to find a way to harden our scenario's security, is SQL the answer?

Since it is relatively new to me, I referenced one of my favorite sites: W3Schools. Don't know about SQL yourself? Here ya go: Introduction to SQL.

This got me thinking really hard. When considering a solution to some potential problems, we have to be able to consider the insecurities of our solution. We can try to be as secure as possible, but there is no way to prevent a determined attacker unless we stay one step ahead of the game.
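Since the class listed SQL as the storage answer, the "insecurity of our solution" here is SQL injection itself, which every talk above turns on. As an added example (my own code, not from the blog post or from any of the DEFCON tools), here is the same customer lookup written the insecure way, by pasting the input into the query text, and the hardened way, as a parameterized query, run against an in-memory SQLite table of made-up rows. The point is that with a parameterized query the input can never change the shape of the statement, whatever it contains.

```python
"""Vulnerable versus parameterized SQL lookup, side by side.

Added example, not from the blog post. Uses the standard-library sqlite3
module and a constructed in-memory table; the names and e-mail addresses
are invented.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"),
         ("Bob", "bob@example.com"),
         ("O'Brien", "obrien@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """INSECURE: untrusted input becomes part of the SQL text itself."""
    sql = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized: the driver passes the value separately from the SQL."""
    sql = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demonstrate() -> dict:
    """Run both lookups on an ordinary name, a name with a quote, and a
    textbook tautology, and report what each returned."""
    conn = make_db()
    results = {}
    results["hardened_normal"] = lookup_hardened(conn, "Alice")
    results["hardened_quote"] = lookup_hardened(conn, "O'Brien")
    try:
        # The stray quote breaks the concatenated statement outright.
        results["vulnerable_quote"] = lookup_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError:
        results["vulnerable_quote"] = "SQL syntax error"
    # The classic always-true clause: harmless as a parameter, a full table
    # dump when concatenated.
    tautology = "x' OR '1'='1"
    results["vulnerable_tautology"] = lookup_vulnerable(conn, tautology)
    results["hardened_tautology"] = lookup_hardened(conn, tautology)
    return results


if __name__ == "__main__":
    for label, value in demonstrate().items():
        print(f"{label}: {value}")
```

The vulnerable version first fails on a legitimate customer named O'Brien and then returns every e-mail address for the tautology; the parameterized version handles the quote correctly and returns nothing for the tautology, because the whole string is compared as a name and no customer is called that. The same rule applies to any database driver: never build SQL text out of user input, and treat a query that does as a bug to fix, not a WAF rule to write.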

Talks like the ones I listed above help keep us aware of vulnerabilities we might not otherwise know about. They also prove the importance of due diligence in the world of Cybersecurity. As attackers evolve, so must the defenders. Failure to do so, no matter what system you have, could result in catastrophe. In my other course regarding Business Continuity and Disaster Recovery, the main cost is usually financial and the loss of consumer confidence. Both could cause the demise of an organization.

In regards to the regular person though, security is all the more important. After all, identity theft can take a long time to resolve. If you access this blog, then you are accessing the World Wide Web. Check your security, update your security software, secure your WiFi router, do not answer those silly questions on Facebook, do what is necessary to protect yourself. Most importantly, as you learn about security measures, tell people. Education is the best way to keep things secure.
