SQL injection in web apps is sooooo old. It still exists everywhere and security companies are still making good moolah by capturing 'crown jewels' by exploiting this - However, I'm not sure that SQL injection testing for non web based applications/scenarios has caught on. Are they even worth trying ? For example: I'd really like to test the logic for the following (for starters) at some point in life :
1. Cell phones - IMEI registration. Attempt to SQL inject the backend during registration and/or normal communication - would that work ? Before I even say "Only one way to find out.." I should really read up on cell phones to test the theory..
2. Magstripes on cards - change data in the magstripe of ID cards , hotel access cards, credit cards, debit cards etc - to SQL inject the backend - Hmmm.. my name/cardnumber/PIN is now ' OR 1=1 -- ? Something like little bobby tables.
3. Checks - Change the account number on checks to SQL inject the backend. I'm almost certain this would fail because of the MICR E13b restrictions of characters.. ah well..
Ah well..I would need to get back into security consulting at some point if I want to test this out in a legal way..
I have no idea who reads my blog, if anyone. But there are at least 250 who regularly tune in, and drop right back out again throughout the day and the globe. I hope beyond all reasonable hope that some of you are wise old CISOs with a keen interest in helping the wider community, or at least me.
You may remember this article where I pulled apart a recent vendor survey. Always satisfying, and no-one really has much sympathy for vendors, I should know, I've worked for them for years, and it really does take its toll. Anyway, I guess I got all my vitriol out... and got a reply from their marketing manager. I did this last year with another blogger, and spent several hours apologising and putting the record straight, so this time I just kind of whimpered and ran away.
However, this marketing manager, who I will call David, because that's his name, was very kind, very pleasant and quite persistent in getting my help. The result was that I said I'd help out if we could make the PCI survey a bit more focused, less vendor-y and more like something I could shove up on my blog.
Here it is - please read and fill in, it will help us sort out exactly what IS going on with PCI right now. And if it's statistically insignificant, we'll have another go.
Upon joining you’ll have the following logo of the CISA letters I made displayed in your profile.
July 2008 – A quick update on the CISA group. We now have over 1300 members in the group!
The group is still only intended for CISAs, as each application is viewed, please also ensure you have your relevant CISA certification & experience detailed in your profile.
ISIS Lab is organizing NYU-Poly’s 5th annual Cyber Security Awareness Week (CSAW) where students can compete and win prizes in a variety of information security challenges. There will be door prizes, raffles for participating, and bonus prizes for undergrad and high school participants. Qualified finalists will receive a travel scholarship to attend the awards ceremony in New York City.
Our website with descriptions of the contests as well as winning entries from previous years is located here: http://isis.poly.edu/csaw
Also to note: many of the makers and hardware hackers in this crowd will be happy to know that we have a new embedded systems challenge this year. Check it out!
Of all the things that happened this weekend, I didn’t expect this! I registered but I probably wouldn’t have played if Tom Brennan hadn’t frantically raced up to me at about 6:30 on Friday to tell me that I had to =). Thanks Tom!
I’ll talk about some of the challenges I went through, but if you’re really interested in these kinds of things you should compete in one of the capture the flag competitions that I developed for these upcoming events:
NYU-Poly’s Cyber Security Awareness Week – A yearly event for students that our lab puts on. Compete in 7 different information security competitions for prizes! If you win, we’ll pay for you to come to NYC and collect your prize!
OWASP AppSec NYC – A 2-day web application security conference taking place downtown this September. There will be a web capture the flag contest, also with prizes. Everyone is welcome to play and challenges will be accessible to beginners and experts alike!
Now about HOPE/Packetwars CTF…
(many details are witheld as I’m unsure whether they reuse contest images for other events)
All the challenges were time-limited and you could only play them solo. This was awesome and is something I’m considering for the CTF’s that I run (OWASP and CSAW). I wouldn’t have played CTF if I knew I was going to miss 3 days of my life but 30 minutes was easy to give up.
The CTF was split into 3 rounds where the first round was a qualifier. The objective was to find all the hosts in your network and enumerate their services. It sounds simple but some services were specifically tuned to throw off nmap and pf and tcpwrappers were playing tricks on you. Still think it’s easy? Try building new tools (who really carries around more than just nmap?), figuring out how pf/tcpwrapper are protecting the services, bypassing that protection, and then scribbling down everything you know on a 3×5 index card (yep, an index card) in 30 minutes!
I started off the first challenge without realizing that we were being graded partially based on how fast we handed in our answers. I ended up in 7th place and just barely qualified for round 2 because of that! I don’t think anyone else got more information than me, but they all handed it in faster. Oops!
The Packetwars guys hinted that the later rounds would be based on the first, so Friday night I researched a few things about OpenBSD, ssh, dig, and tcpwrapper that might (did) help me out the next day.
That worked great, because round two was a .NET web application (a shopping cart) running on Windows. They gave us no direction and just told us to find the hidden codes inside it in 1 hour. “Awesome,” I said, “my day job is spent doing web security testing, I am going to blow everyone out of the water on this one”… The freakin’ app had Fortify Defender (a Web Application Firewall) in front of it and it caught every code injection, SQL injection, and session manipulation attack I tried! I figured they must be asking us to look for logic bugs, leaking credentials in the comments (gasp!) or something else lame like that. 2 clicks later, I used WebScarab’s “Fragments” tab to find the administrative credentials. Go me for thinking like a CTF developer!
So now I’m hard at work on the admin interface trying to steal money from other users and trying to buy things with my ill-gotten funds, reading other user’s shopping carts, and locking out my competitors. I tried to violate every single item in their security model. Some of it worked, most of it didn’t, but I couldn’t find those codes! In my last act of desperation, I started fuzzing every variable I could find with Burp Intruder. Time ended up running out and I never found anything, but luckily no one else did either.
After the second round was over they explained that all they wanted us to do was XSS the front page o_0. WHAT!? Who was there to XSS!? Ourselves!? Sheesh, I really overthought that one. I blame Erik for only teaching me how to 0wn the living daylights out of web apps (no cursing on the blog ). When they started looking through packet logs, they unanimously decided I won that round.
Round 3 was back to OpenBSD and was very similar to Round 1. The objective was to gain access to as many of 3 machines you could and to maintain that access. We had 2 hours. Since this one was a little longer and a little deeper, my explanations are abridged.
Problem #0 – There was a firewall between me and the targets and it wasn’t making it easy to even find the hosts. This resulted in lots of panicked mashing on keys and liberal use of the command history but I got around it soon enough. Bigger problems followed.
Problem #1 – All 3 machines were recent versions of OpenBSD (3.9+) which meant no scalp exploit and no sshutup-theo exploit.
Problem #2 – All 3 machines were running on Sparc which meant that, even if they were vulnerable to CORE’s mbuf exploit or mod_ssl’s SSLVerify_CRL() vulnerability, there was no chance I’d ever get working shellcode, especially not in 2 hours without a test platform.
So I gave up on ever getting remote code execution. How familiar that it was down to misconfigured services and weak passwords! Some services were still messing with nmap, but that wasn’t a problem since I had amap and a few protocols memorized for netcat. One or two services were tcpwrapped and played the same tricks as before, but I couldn’t seem to find the correct IP to authenticate with and those services remained inaccessible to me throughout the round. I used DirBuster to attempt to identify usernames on host 1, used dig to do a zone transfer out of host 2, and used the [previously unknown] DNS name for host 3 to talk to its FTP server. The FTP had a 15 second delay before displaying a USER prompt, so brute forcing it was impossible. The only other service I had to brute force was SSH, so what the heck, I went after it. I used 6 py_sshbrute threads to brute force the passwords for “root” and “hacme” (their domains were *.hacme.com) with john’s password.lst. It was right about this time that someone with Nessus managed to crash the SMTP, POP3, and HTTP daemons on a few of the hosts. SMTP and POP never came back up AFAIK (note to CTF developers: always have a console on your vuln box during the contest!).
It was now about an hour into the round and, as I was flailing about trying random attack after random attack, I took detailed notes on my index cards about what I had done so far and why. I didn’t think anyone else was going to get a shell on any of the boxes unless they got incredibly lucky and I thought the index cards would determine who won. Another 45 minutes went by and I discovered a few more things but nothing that gave me a shell. I spent my last 15 minutes writing down an epic 0wn strategy I could have tried had we been given more time.
Time ran out, no one got any shells, and they used the cards to determine the winner combined with weightings from Round 2. It pays off to carefully listen to and follow the rules .
After they announced the winner we all sat around in a circle and discussed the challenges. One of the guys from the Packetwars team actually told me, “We were running an old, almost 2 years old, version of OpenBSD with remotely exploitable services!” I’m sorry guys, no one is dropping fresh exploits or giving you big-endian shellcode for your CTF . One guy also fessed up to running Nessus and bringing down said services heh.
All in all, I had a fun time and I would absolutely play in Packetwars CTFs in the future. Even though nothing was as epic-ly hacked as I wanted it to be, the time limits and varied challenges kept me from getting too frustrated. I was able to take away a lot of little techniques that I’ll be able to integrate into my own CTFs in the future. Thanks everyone!
If you made it this far, let me reiterate: play in the CTFs that I run! OWASP AppSec NYC CTF and CSAW CTF are both coming up in September.
On another note, I wasn’t the only one who won it big this weekend. Former ISIS member, Michael Aiello got a video interview on CNET news about his RFID-blocking apparel! Check out the video, he is wearing one of our shirts from HOPEÂ 6 .
“Michael Aiello, president of DIFRwear, demonstrates at Last HOPE how easy it is to swipe the data off someone’s RFID-enabled credit card, building access badge, or passport from a few feet away. DIFRwear sells wallets and cases to protect cards from data thieves.”
With Information Centric Security, you create a virtual container, wrapper or 'universe' for the data and the business rules. You no longer care if some of the infrastructure has been compromised as you may still be able to keep data secure even if it has been copied or vMotion'ed off to some other place outside your control.
I've been wasting a bunch of time on MyYearbook.com, a MTWWTOSNS (massively time-wasting web-two-oh social-networking site.) If you'd like to descend into madness with me, click here join join for my personal gain: Be Ryan's Friend
Several interesting aspects to this one, for security people. First, the are many sociological aspects. For example, what happens if you tell people they can't post naked pics? Second, there is a play money currency, which drives everyone's behavior. Finally, they are getting phished left and right from within the site.
And the staff there appears to be so woefully unprepared to deal with it. When I saw the phishing, I thought I might mail their abuse contact info (only email address I found published), and see if they needed info, if I could put them in touch with a takedown group, etc. I got bounces from gmail. Um, your abuse email at your own domain depends on gmail?
The site is absolutely begging for someone to start using XSS. The game model they have basically demands it. For example, your popularity depends on profile views. And I can post a pretty wide range of HTML to someone in about 20 different ways. I haven't tried to see if I can find any XSS. Mostly because I don't trust myself not to abuse it.
But my favorite thing about MyYearbook that I just realized, while sitting in JFK coming back from HOPE. This site is teaching millions of people how to do simple HTML. And nearly half of these people are below average intelligence.
Although it has been very quiet on this blog for quite a while, lots of activities in the background have been keeping me busy. During the last six months I have been working on my new pet project DAVIX that relates to my interest in security data mining and visualization. But let me start at the beginning.
While playing around with visualization I found that there are lots of tools on the net but getting them to run can cause quite some headaches. So I thought that it would be cool to have an environment where all those tools are available ready to use. As time went by, the idea of a Linux live CD system materialized in my mind. Between Christmas and New Year, while watching 24C3 live streams in the background, I started playing around with SLAX, a modularized Slackware based live CD system. I found it very useful to my purpose and decided to start with it as base for the visualization live CD.
Since I knew that Raffael Marty was writing his book Applied Security Visualization, I contacted him in January 2008 and told him about my project and asked which tools should be included on the CD. Raffy was hooked by the idea from the get go and he asked me bluntly if I would do the CD for his book. Of course I agreed immediately. To get jump started with adding visualization tools, Raffy provided me with the chapter 9 of his books, which contains a list of visualization tools and instructions on how to get them running. At around the same time I got selected into the technical review board for Raffy’s book and I alternately reviewed chapters from Raffy’s awesome book and built the CD.
Since the live CD project was nameless at the time, I thought about an appropriate name for it. After toying with a couple of ideas I came up with the name DAVIX as a short form of Data Analysis and Visualization Linux®. I also liked the reference to the biblical figure David who fought against the giant Goliath. In terms of our project it means that with the “small” live system DAVIX you fight the gigantic heaps of log files and network captures.
DAVIX currently integrates about 180 software packages that contribute to about 40 high level tools for capturing, processing and visualizing data. The project is now in its final rounds of building and testing and will officially release during Greg Conti’s Blackhat and DEFCON talks. For all of you who want first hand experience with DAVIX, Raffy and I invite you to our DAVIX Visualization Workshop at DEFCON 16. The session will be held on Sunday, August 10th 2008 at 2 PM to 4 PM.
). When they started looking through packet logs, they unanimously decided I won that round.
. One guy also fessed up to running Nessus and bringing down said services heh.
