Database (in)Security – GhostShell hackers release Govt Records – is Ryu the Answer?


The Hacktivist group GhostShell released 1.6 million records that it claimed were lifted from government (and some corporate) sites including the Pentagon, NASA, European Space Agency and the Federal Reserve.

A quick look at the files shows right away that the website data breach was most likely caused by SQL injection. The data dump is separated into numerous parts, but several start with the complete database structure pulled from individual websites.

The dump includes a mixed bag of communications, individual project statuses, business communications, space rocket information, directory data dumps, and user accounts and records.

With most of these systems belonging to major government entities, the question becomes: if these sites aren’t protected against remote SQL injection attacks, what chance do smaller businesses and corporations with a fraction of the security budget have?

Obviously SQL security is a major concern for companies. What is needed is either a new security module placed in front of application servers to protect databases from external attacks, or more secure database programs.
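The root cause behind most of these dumps is the application building SQL text out of user input. The following added example (not code from the original post or from any of the sites named above) puts the defective pattern next to the fix a developer should apply regardless of what sits in front of the server: a parameterized query, where the database driver sends the value separately and never parses it as SQL. The table, rows and the tautology input are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a web application's user table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.org", "admin"),
    (2, "bob", "bob@example.org", "user"),
    (3, "carol", "carol@example.org", "user"),
]


def make_db():
    """Create an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, username):
    """Defective pattern: the user-supplied value is spliced into the SQL text,
    so quote characters in the input change the structure of the query."""
    sql = "SELECT id, username, email, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Hardened form: a bound parameter. The driver passes the value out of band,
    so whatever it contains is compared literally against the column."""
    sql = "SELECT id, username, email, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input containing a quote, of the kind a scanner would send to
# probe for exactly the defect shown in lookup_user_vulnerable.
TAUTOLOGY = "x' OR 'a'='a"


def demo():
    """Run both lookups with a normal value and with the constructed input.
    Returns a dict so the results can be compared by a test or a caller."""
    conn = make_db()
    return {
        "normal_vulnerable": lookup_user_vulnerable(conn, "bob"),
        "normal_safe": lookup_user_safe(conn, "bob"),
        # Every row comes back: the WHERE clause has become a tautology.
        "tautology_vulnerable": lookup_user_vulnerable(conn, TAUTOLOGY),
        # No row matches a username literally equal to the odd string.
        "tautology_safe": lookup_user_safe(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

For a normal username both functions return the same single row; for the constructed input the concatenated version returns the whole table (which is how complete database contents end up in a dump) while the parameterized version returns nothing. A WAF in front of the server can only guess at which inputs are dangerous; the parameterized query removes the question entirely.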

I have been reading a lot about Trustifier’s Ryu recently and it seems that they are on the right track. Most Intrusion Detection Systems and Web Application Firewall (WAF) products are signature based: they look for patterns or common attack strings. But someone using advanced or uncommon SQL queries can bypass even the best WAF.

Trustifier uses a unique approach with Ryu. Incoming commands are analyzed in a secure environment before they are allowed to execute. A complex mathematical engine determines whether the command is legitimate or one that carries possible security risks.

Early testing has shown that it is very good at stopping SQL based attacks, surpassing many of the top WAFs currently on the market.

The manufacturer also claims that the cloud based Ryu solution is effective against many other common internet threats including:


I have spoken with Trustifier and am still going over some of the technical material provided on Ryu, but at an early glance it looks VERY good. Hopefully we will take a much closer look at it very soon.

Check it out!

Security Onion Article Featured in Hakin9 Magazine

The latest Hakin9 Exploiting Software issue is out!

This month’s issue features my article on “Easy Network Security Monitoring with Security Onion”:

Hackers and the malware that they create are getting much better at evading anti-virus programs and firewalls. So how do you detect or even defend against these advanced threats? Intrusion Detection Systems monitor and analyze your network traffic for malicious threats. The problem is that they can be very difficult to configure and time consuming to install. Some take hours, days or even weeks to set up properly. The Security Onion IDS and Network Security Monitoring system changes all of that. Do you have 10 minutes? That is about how long it takes to set up and configure Security Onion – a Linux Security Distribution based on the Ubuntu (Xubuntu 10.04 actually) operating system.

And Craig Wright continues his series on creating shellcode with this month’s article, “Understanding conditionals in shellcode”:

This article is going to follow on from previous articles as well as going into some of the fundamentals that you will need in order to understand the shellcode creation process. In this article, we are looking at extending our knowledge of assembly and shellcoding. This is a precursor to the actual injection and hooking process to follow. You will investigate how you can determine code loops, the uses of loops, as well as an introduction to how you can reverse engineer assembly or shellcode into a higher level language and even pseudo-code, all of which forms an essential component of creating and executing one’s own exploit successfully. By gaining a deep understanding of just how code works and knowing where to find the fundamentals of the shellcode programming language, we hope to take the reader from a novice to being able to create and deploy their own shellcode and exploits.

Also in this issue:

  • Creating a Fake Wi-Fi Hotspot to Capture Connected Users Information
  • Accurate Time Synchronization with NTP. Hardening your Cisco IOS Device
  • Penetration Testing Methodology in Japanese Company

Check it out!

Hakin9: Computer Security Testing with the Social Engineering Toolkit

The February issue of the Hakin9 Exploiting Software magazine is out!

Included in this issue is an article I wrote on the Social Engineering Toolkit (SET):

Using the Social Engineering Toolkit to Test Network Security

Hackers using Social Engineering attacks are getting much better at their craft, and people are making it very easy for them. A Social Engineer will use information gathered about a person, place or business in specially crafted attacks that play on people’s thoughts, beliefs or emotions.

Social engineers are Hackers that focus in on using personal information mixed with human reactions, emotions or fear to trick you into opening an infected file or visiting a malicious website. Social engineering attacks are one of the top techniques used against networks today.

Why spend days, weeks or even months trying to penetrate layers of network security when you can just trick a user into running a file that allows you full access to their machine and bypasses most anti-viruses, firewalls and many intrusion detection systems?

Daniel will explain some of the techniques used by attackers and he will show you how they could get full control of your computer and most importantly, how to stop them.

Also in this issue:

  • Beyond Automated Tools and Frameworks: the shellcode injection process
  • Tabnapping Attack: Hijacking Browser Tabs
  • The Power Of Exploitation Tools
  • Hardening of Java Applications against AOP exploits
  • Enterprise Vulnerability Management

I really enjoyed Craig Wright’s article, “Beyond Automated Tools and Frameworks: the shellcode injection process”. This is a series of articles that delves into creating your own shellcode and exploits.

Hakin9 Exploiting Software February 2012 – Check it out!


The Benefits of Network Security Monitoring (NSM)

Advanced threats are specifically made to bypass firewalls and intrusion detection systems, effectively killing defense in depth. So how do you battle these threats? Network Security Monitoring.

Several commercial and open source tools exist for Network Security Monitoring (NSM), so you will need to look around and find the one that works best for your needs. Whichever you choose, nowadays you need a tool that records all the traffic coming in and out of your network and analyzes it for suspicious patterns or behaviors.

Security Onion is a great option for small to medium businesses (even home users) that need the power of NSM, but can’t afford a commercial solution. Security Onion comes pre-configured with a ton of intrusion and network security monitoring tools.

But for any NSM solution, you want one that:

  • Records all your traffic
  • Analyzes for suspicious behavior and patterns and warns you when they are detected
  • Provides complete packet captures
  • Provides an easy way to view and analyze captured packets
  • Keeps complete logs of all intrusions and suspicious behavior
  • Keeps a log of all websites visited, DNS lookups, ftp sessions, even chat and mail sessions.

Security Onion can do all of that and more. Plus you can have multiple sensors in multiple locations and have them all report back to a single Security Onion Install.

Why would you want multiple sensors? For any NSM install, you want to have a view of your network traffic at different locations in case the worst happens and you get compromised. You can place a sensor between your incoming data pipe and your main firewall. You can also place one between your firewall and LAN. That way you can see what was hitting your edge firewall and what made it through.

You can also place a sensor between the LAN switch and a single high priority machine. This way you can tell exactly what data was transferred to and from this machine in case of a breach. You need to analyze your network and see where the best places would be to institute monitoring.

Intruders will get in, it is just a fact of life now. The NSA came to this conclusion about network security in 2010. Debora Plunkett, NSA’s director of the U.S. Information Assurance Directorate said, “There’s no such thing as ‘secure’ any more. The most sophisticated adversaries are going to go unnoticed on our networks. We have to build our systems on the assumption that adversaries will get in. We have to, again, assume that all the components of our system are not safe, and make sure we’re adjusting accordingly.”

But you can monitor and hopefully catch them before the worst happens. Or in the event the worst happens, you will have a full forensic trail to follow to make sure that it doesn’t happen again.