I was checking out some of the videos on our friend Vivek's excellent security resource, SecurityTube.net, again today and found an exceptional video on pentesting high-security SQL systems. The video features Joe McCray's (an awesome speaker, by the way) presentation, "Big Bang Theory – Pentesting High Security Environments", from the 2012 Hacktivity Conference.
This is hands down one of the best presentations I have seen on both SQL injection and how much computer security… well… sucks!
Joe explains that many companies building a web application presence (or that already have one) have two options: write secure code, or write average or even insecure code and simply put a web application firewall and an IDS in front of it for protection.
In his presentation, he shows how SQL injection can still be carried out against a website protected by an IDS without throwing a single alarm. He then shows similar techniques against a site protected by a web application firewall.
Joe was able to pull database information, and even password hashes, from a system while the IDS showed no SQL injection attempts at all.
None – Zero….
He then explains that these security systems are set to look for certain signatures, or known attacks. Many are configured to stop low-level attacks ("ankle biter" attacks, as he called them) but let more sophisticated attacks straight through. Joe also explains that commercial IDS products often "borrow" signatures from open source IDS programs. So attackers practice against the open source ones, and if their attacks don't trigger anything there, the chances of being picked up by a commercial product are very low.
Lastly, Joe shows the config file of a web application firewall product and points out some stunning default settings: IP ranges excluded from inspection, old attacks being blocked while newer techniques aren't filtered at all, and Outlook Web Access not being monitored whatsoever.
The solution: people!
Get and keep the people who know how to set up, test and configure these security products so they actually protect your network.
Exceptional video; I highly recommend that you and your security team check it out. Then explain what he is saying to your boss! 🙂