rc3.org

Strong opinions, weakly held

Tag: security (page 7 of 7)

The state of the art in interface spoofing

Jeff Atwood has a great series of screen shots describing how malware distributors spoof user interfaces to convince users to install their software. The more operating system and browser vendors do to prevent people from inadvertently installing software they don’t want, the more the malware distributors do to entice people to override the security measures that are in place to help install software that can only harm them.

This is just one of many arms race scenarios that plague the digital world. As DRM improves, people come up with better ways to crack the DRM. As Blizzard comes up with ways to keep people from artificially inflating their arena ranking in World of Warcraft, players come up with newer and better ways to game the system. And as antivirus and anti-phishing software gets better, criminals figure out better ways to enlist the user in circumventing that software.

What I’m trying to figure out is where it ends. How much freedom must computer users give up in order to be able to use the Web relatively safely?

Mass SQL injection update

Looks like the misreporting of the mass SQL injection attack continues. The exploit is associated with MS SQL Server, not IIS or ASP. It’s confusing because most people run the full Microsoft stack, but the exploit will work against any site that does not prevent SQL injection and uses MS SQL as its database. (This misreporting was most recently seen at the Mass Attack FAQ at hackademix.net and Wired: Compiler.)

Also it’s worth noting that the best solution to this problem (noted in the comments on yesterday’s post by Simon Willison) is to use prepared statements to generate database statements rather than building them using string concatenation.

If you’re a PHP developer using MySQL, that means using mysqli. For most other languages, that means simply not misusing your database library. For example, with JDBC (Java’s generic database access library), you can build SQL statements with string concatenation, but it’s just as easy to use prepared statements. There’s a good explanation of how to use prepared statements to avoid SQL injection attacks in ASP.NET at Scott Guthrie’s blog.

I think these days most people are pretty good about using prepared statements for inserts and updates, but they still get lazy and use string concatenation when building WHERE clauses, especially in cases where expressions are added to the SQL query dynamically. When doing so, the key is to go through the process in two steps: build the statement dynamically, but leave the placeholders in the query so that it can still be run as a prepared statement with the parameters bound to it properly. It’s a bit more work, but it’s essential for security.
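The two-step approach, as an added example that is not from the original post: the WHERE clause is assembled dynamically (including an IN list whose length is only known at runtime), but every user-supplied value stays a bound parameter, and column names come from a whitelist because they cannot be bound. It uses Python’s sqlite3 and constructed sample rows in place of MS SQL; the same pattern applies to mysqli, JDBC, or ADO.NET.

```python
import sqlite3

# Columns a caller may filter on. Identifiers cannot be bound as parameters,
# so anything not on this list is rejected rather than interpolated.
ALLOWED_COLUMNS = {"username", "email", "status"}


def build_where(filters):
    """Turn {column: value-or-list} into (" WHERE ...", params).

    The returned SQL contains only whitelisted column names and '?' placeholders;
    every value supplied by the caller ends up in params, never in the SQL text.
    """
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        if isinstance(value, (list, tuple)):
            if not value:
                raise ValueError(f"empty IN list for {column!r}")
            # The number of placeholders is dynamic; the text of each one is not.
            clauses.append(f"{column} IN ({', '.join('?' * len(value))})")
            params.extend(value)
        else:
            clauses.append(f"{column} = ?")
            params.append(value)
    if not clauses:
        return "", []
    return " WHERE " + " AND ".join(clauses), params


def find_users(conn, filters):
    sql, params = build_where(filters)
    query = "SELECT username FROM users" + sql + " ORDER BY username"
    return [row[0] for row in conn.execute(query, params)]


def make_demo_db():
    # Constructed sample data for the demo, not taken from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, status TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "active"),
        ("bob", "bob@example.com", "disabled"),
        ("carol", "carol@example.com", "active"),
    ])
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(find_users(conn, {"status": "active"}))
    print(find_users(conn, {"username": ["alice", "bob"], "status": "active"}))
    # A classic injection string is bound as a plain value, so it matches nothing.
    print(find_users(conn, {"status": "x' OR '1'='1"}))
```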

Mass SQL Injection attack

I’ve been reading up on the mass SQL injection attack launched against servers running IIS and MS SQL Server last week. That article is a bit out of date, as the problem turned out not to be a security hole in IIS but rather security holes in the Web applications themselves. The script that compromised the sites was clever enough to probe for forms that didn’t prevent SQL injection, and injected SQL specifically designed to work with MS SQL.

The article linked to also says that the attacks were first reported on April 17, but I found an incident report from April 13 describing the attack.

The end goal of these attacks is to infect client PCs with malware. The attack appends markup that includes JavaScript from a third-party domain to database fields; then, when any page that displays one of those fields is viewed by a user, the JavaScript is downloaded and executed, and any unpatched client PC is infected by the malware.

IIS.net has a post that explains exactly how the attack works. The script finds a form on the site that does not properly escape user input and injects SQL that finds all of the text columns in the database and appends the HTML that loads the malware to each of them. You can read more about it here. The main innovation in this attack is the cleverly written SQL that’s injected. A similar attack could be launched against any application that does not protect against SQL injection. MySQL is somewhat protected in that most sites are running MySQL 4.x, which doesn’t provide support for stored procedures.
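Since the payload lands in every text column, cleanup starts with a sweep of the schema rather than of one table. The following is an added example, not from the post or from IIS.net: it enumerates the TEXT columns of a database and reports every row whose cell contains an appended script tag. It uses Python’s sqlite3 with constructed sample tables standing in for MS SQL, and a placeholder domain; the marker string is bound as a parameter and only schema names read from the catalog are interpolated, as quoted identifiers.

```python
import sqlite3

# Fragment the appended payload leaves behind; adjust to what was observed.
INJECTED_MARKER = "<script src="


def quote_ident(name):
    """Quote a catalog-supplied identifier so it cannot break out of the query."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(conn):
    """Yield (table, column) for every TEXT-typed column in user tables."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        for _cid, name, ctype, *_rest in conn.execute(f"PRAGMA table_info({quote_ident(table)})"):
            if "TEXT" in (ctype or "").upper():
                yield table, name


def find_injected_rows(conn, marker=INJECTED_MARKER):
    """Return (table, column, rowid) for every cell that contains the marker."""
    hits = []
    for table, column in text_columns(conn):
        sql = (f"SELECT rowid FROM {quote_ident(table)} "
               f"WHERE instr({quote_ident(column)}, ?) > 0 ORDER BY rowid")
        hits.extend((table, column, rowid) for (rowid,) in conn.execute(sql, (marker,)))
    return hits


def make_demo_db():
    # Constructed sample data: one product name carries an appended script tag
    # pointing at a placeholder domain.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.execute("CREATE TABLE comments (id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "widget", 9.5),
        (2, 'gadget<script src="http://malware.invalid/x.js"></script>', 4.0),
    ])
    conn.executemany("INSERT INTO comments VALUES (?, ?)", [(1, "looks fine"), (2, "me too")])
    return conn


if __name__ == "__main__":
    for table, column, rowid in find_injected_rows(make_demo_db()):
        print(f"injected markup in {table}.{column} rowid={rowid}")
```

Restoring the affected cells from a pre-attack snapshot is the safe fix; stripping the tag in place only works if you are sure of the exact payload.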

There are several takeaways from these attacks:

  • The only common vector in these attacks is MS SQL Server. Any application that does not prevent SQL injection could be the vector. So a Java application running on Solaris or a PHP application running on Linux could also be affected if they store their data in MS SQL.
  • You should minimize the privileges granted to the database user that the Web application uses. If your application uses the “root” or “sa” account, give up now. Just using GRANT ALL is the wrong idea for a production account. Figure out which privileges the account must have for your application to work properly, and grant only those.
  • If you’re writing Web applications and you’re not sanitizing user input, you need to go back to the drawing board. I’m beginning to think that languages like PHP and libraries like J2EE should sanitize all input by default and force programmers to go out of their way to access the original input. In other words, in PHP, $_REQUEST should contain escaped data by default. Many programmers don’t know what they’re doing, and in the case of attacks like this one, it’s end users who get hurt, not just the people who wrote the compromised application.
  • Just visiting Web sites you trust isn’t enough to keep you safe. Keeping your PC patched up and running security software is essential to preventing your PC from being compromised. It just keeps getting more dangerous.
  • Replication and backup are two different things. When this attack was run, all of the bad information inserted by the attack was almost certainly copied to the replication server immediately. Taking a snapshot of your data frequently is perhaps more important than replication. (Those of us who have run an errant update or delete statement and wiped out a ton of data, only to see the results replicated immediately already know about the dangers of relying on replication.)

Links for April 14

Links for April 9

Links for April 8

Links for April 7

  • Scott Horton: Worst. President. Ever. What interests me most about the list is that every President other than Bush (43) who could be described as the worst ever was a single termer. Bush’s main competition, Millard Fillmore, was not elected in the first place (he took over for Zachary Taylor, who died after 16 months in office) and did not receive his party’s nomination when his term expired. With Bush, we’ve had two terms and the Republican nominee wants to continue all of his worst policies.
  • Bruce Schneier: The Liquid Bomb. Some details of the liquid bomb plot are revealed. Could the plan have actually worked? Based on an extremely interesting stream of comments, I’d say that the particular plans hatched by the would-be terrorists could not have worked in a million years (they didn’t even test the explosives they planned to use), but that the general plan could have potentially worked (maybe) in the hands of terrorist masterminds.
  • The College Board has eliminated one of the advanced placement tests for Computer Science. There are two exams, and the more difficult of the two is to be discontinued. Unsurprisingly, Wikipedia has a lengthy article that describes the composition of both exams.

Links for March 25

Links for March 12th

  • Jon Udell interviews Ward Cunningham about how the Eclipse portal exposes its inner workings by way of reports on test results, and the advantages the resulting transparency provides. Really, really interesting stuff.
  • Bruce Schneier discusses a report on the lack of security in implantable medical devices that provide remote access.
  • Wired Compiler links to Prism, a Firefox add-on that makes it easy to treat Web sites like standalone desktop applications. It provides a lightweight approach to creating apps like Mailplane.
  • The Morning News: Six-Word Reviews of 763 SXSW MP3s by Paul Ford. This is insane, and I mean that in the best possible way.
  • Postalicious is the WordPress plugin I used to produce this post.

Bruce Schneier runs an open wireless network

Bruce Schneier explains why he runs an open wireless network. I leave mine open as well, so it’s nice to know I’m in good company.

© 2025 rc3.org