Database (in)Security – GhostShell hackers release Govt Records – is Ryu the Answer?


The Hacktivist group GhostShell released 1.6 million records that it claimed were lifted from government (and some corporate) sites including the Pentagon, NASA, European Space Agency and the Federal Reserve.

A quick look at the files shows that the breach was most likely the result of SQL injection. The dump is split into numerous parts, but several of them begin with the complete database structure pulled from the individual websites, the schema enumeration an attacker performs first once an injectable query has been found.

The contents are a mixed bag: communications, individual project statuses, business correspondence, space rocket information, directory dumps, and user accounts and records.

With most of these systems belonging to major government entities, the question becomes: if these sites aren't protected against remote SQL injection attacks, what chance do smaller businesses and corporations with a fraction of the security budget have?

Obviously SQL injection is a major concern for companies. Either the application itself has to be written so that user input is passed to the database as data rather than as part of the statement (parameterised queries), or a security module is needed in front of the application servers to protect the databases from external attacks, or more secure database programs are needed.
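As an added illustration (this is not code from the post, from the dump or from Trustifier), the following Python program reproduces the two observations above on a constructed SQLite database. A query built by string concatenation lets a UNION payload read the catalogue table (`sqlite_master` here, playing the role `information_schema` plays on a production server) and then the users table, which is exactly the "database structure first, then records" shape of the dump. The same input against a parameterised query returns nothing. The table names, rows and hashes are invented.

```python
import sqlite3


def build_db():
    """Constructed stand-in for a website backend; names, rows and hashes are invented."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT, status TEXT);
        INSERT INTO users VALUES (1, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES (2, 'bob',   'e10adc3949ba59abbe56e057f20f883e');
        INSERT INTO projects VALUES (1, 'launcher-x', 'active');
        INSERT INTO projects VALUES (2, 'ground-station', 'on hold');
        """
    )
    return conn


def find_project_vulnerable(conn, name):
    """Builds the statement by concatenation: user input becomes SQL syntax."""
    sql = "SELECT name, status FROM projects WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_project_safe(conn, name):
    """Parameterised query: the driver binds `name` as data; it can never alter the statement."""
    return conn.execute(
        "SELECT name, status FROM projects WHERE name = ?", (name,)
    ).fetchall()


# Attacker-supplied values for the `name` parameter (constructed for this example).
# The first asks the database to describe itself (sqlite_master here; information_schema
# on a production server), which is how a dump ends up starting with the table layout.
# The second pulls the user records once the table and column names are known.
# Both close the open quote, UNION in two columns to match the original SELECT,
# and comment out the trailing quote the application appends.
SCHEMA_DUMP_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master WHERE type = 'table' --"
HASH_DUMP_PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"


def dump_schema(conn):
    """Returns {table_name: CREATE statement} as leaked through the vulnerable query."""
    return dict(find_project_vulnerable(conn, SCHEMA_DUMP_PAYLOAD))


def dump_hashes(conn):
    """Returns {username: password_hash} as leaked through the vulnerable query."""
    return dict(find_project_vulnerable(conn, HASH_DUMP_PAYLOAD))


if __name__ == "__main__":
    db = build_db()
    print("schema leaked:", dump_schema(db))
    print("hashes leaked:", dump_hashes(db))
    # Same payload against the parameterised query: no rows, because the whole
    # string is compared against the name column as one literal value.
    print("parameterised:", find_project_safe(db, SCHEMA_DUMP_PAYLOAD))
```

The point of the safe variant is that no filtering of the input is involved at all: the statement text is fixed before the attacker's string is seen, so there is nothing for an unusual query shape to bypass.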

I have been reading a lot about Trustifier's Ryu recently and it seems that they are on the right track. Most Intrusion Detection Systems and Web Application Firewall (WAF) products are signature based: they look for known patterns or common attack strings. Someone using advanced or uncommon SQL queries can bypass even the best WAF.

Trustifier takes a different approach with Ryu. Incoming commands are analyzed in a secure environment before they are allowed to execute, and a mathematical engine decides whether a command is legitimate or carries a possible security risk.

Early testing has shown that it is very good at stopping SQL-based attacks, surpassing many of the top WAFs currently on the market.

The manufacturer also claims that the cloud based Ryu solution is effective against many other common internet threats including:

[Ryu threat list (shown as a graphic in the original post)]

I have spoken with Trustifier and am still going over some of the technical material provided on Ryu, but at an early glance it looks VERY good. Hopefully we will take a much closer look at it very soon.

Check it out!


Pentesting High Security Environments

I was checking out some of the videos on our friend Vivek's excellent security resource, SecurityTube.net, again today and found an exceptional video on pentesting high security SQL systems. The video features Joe McCray's (an awesome speaker, by the way) presentation, "Big Bang Theory – Pentesting High Security Environments", from the 2012 Hacktivity Conference.

This is hands down one of the best presentations I have seen on both SQL injection and how much computer security… well… sucks!

Joe explains that companies putting a web application on the web (or that already have one) have two options: write secure code, or write average or even insecure code and put a web application firewall and IDS in front of it for protection.

In his presentation, he shows how SQL injection can still be done on a website protected by an IDS, and it does not even throw any alarms. He then shows similar techniques on a site using a web application firewall.

Joe was able to pull database information and even password hashes from a system, while the IDS system showed no SQL injection attempts at all.

None – Zero….

He then explains that these security systems are set to look for certain signatures, or known attacks. Many are configured to stop low-level attacks ("ankle biter" attacks, he called them) but let more sophisticated attacks straight through. Joe also explains that commercial IDS systems many times "borrow" signatures from open source IDS programs, so hackers practice against the open source ones; if their attacks don't trigger anything there, the chances that a commercial product picks them up are very low.

Lastly, Joe shows the config file of a Web Application Firewall and the stunning settings it ships with by default: IP ranges excluded from inspection, old attacks blocked while newer techniques aren't filtered at all, and Outlook Web Access not monitored whatsoever…
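To show what "signature based" means in practice, and why an obfuscated query sails past a rule that catches the ankle-biter attacks, here is an added example that is not part of Joe's talk or of this post (it also illustrates the WAF-bypass point made in the Ryu post above). It runs two toy detectors over three constructed access-log lines: a naive one that compares the decoded query string against literal attack strings, and a second that normalises the request (repeated URL decoding, stripping SQL inline comments, collapsing whitespace, case folding) before matching on the SQL tokens. The log lines, addresses and signatures are invented; real engines have far larger rule sets, but the gap is the same one Joe walks through.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (invented hosts and requests, not from any real system).
# Line 1 is an "ankle biter": a textbook ' OR 1=1 probe. Line 2 is a UNION SELECT
# with mixed case and /**/ comments in place of spaces.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2012:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Nov/2012:10:00:07 +0000] "GET /item.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 9012',
    '10.0.0.9 - - [01/Nov/2012:10:00:12 +0000] "GET /item.php?id=1%27%20UnIoN%2F%2A%2A%2FsElEcT%20username%2Cpassword_hash%2F%2A%2A%2FfRoM%20users-- HTTP/1.1" 200 3310',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def extract_query(log_line):
    """Returns the query string of the request in a combined-format log line ('' if none)."""
    m = REQUEST_RE.search(log_line)
    return m.group(1).partition("?")[2] if m else ""


# Detector 1: literal attack strings matched against the once-decoded query.
# This is the shape of a rule that stops the low-level probes and nothing else.
NAIVE_SIGNATURES = [
    re.compile(r"' OR 1=1"),
    re.compile(r"UNION SELECT"),
    re.compile(r"UNION ALL SELECT"),
]


def naive_detect(query):
    decoded = unquote_plus(query)
    return any(sig.search(decoded) for sig in NAIVE_SIGNATURES)


# Detector 2: canonicalise first, then match on SQL tokens instead of on bytes.
def normalize(query):
    s = query
    for _ in range(3):                        # undo single (and double) URL encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s)         # inline comments used as token separators
    s = re.sub(r"\s+", " ", s)                # tabs, newlines, runs of spaces
    return s.upper()                          # SQL keywords are case-insensitive


NORMALIZED_SIGNATURES = [
    re.compile(r"'\s*OR\s+\d+\s*=\s*\d+"),          # ' OR 1=1, ' OR 7 = 7, ...
    re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b"),   # any UNION [ALL] SELECT spelling
]


def normalized_detect(query):
    canonical = normalize(query)
    return any(sig.search(canonical) for sig in NORMALIZED_SIGNATURES)


def scan(log_lines, detector):
    """Returns the indexes of the log lines the given detector flags."""
    return [i for i, line in enumerate(log_lines) if detector(extract_query(line))]


if __name__ == "__main__":
    print("naive detector flags lines:      ", scan(SAMPLE_LOG, naive_detect))
    print("normalising detector flags lines:", scan(SAMPLE_LOG, normalized_detect))
```

The naive detector flags only the `' OR 1=1` probe; the comment-separated, mixed-case UNION query produces no alert at all, which is the "none, zero" result described above. The normalising detector flags both, and also a double-URL-encoded probe that the single decode misses. Normalisation buys coverage of spelling variants, not of genuinely different query shapes, which is why the parameterised-query fix in the application remains the real answer.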

The solution – People!

Get and maintain the people who know how to setup, test and configure these security features to protect your network!

Exceptional video, I highly recommend that you and your security team check this out. Then explain what he is saying to your boss!  🙂

Book Review: “Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide”

You may have layers of security, popularly known as "Defense in Depth", but are your security features set up properly? Are there configuration errors that a vulnerability scan will not find?

What information is being broadcast by your computers, company, or employees that doesn't show up in a software scan?

Many companies think that if they run a vulnerability scan and it passes, they are good, but is this an accurate test of your network security?

Even if you have a secured environment how could you test this using the actual techniques that a hacker would use to see if your security is up to the challenge?

Enter “Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide” the latest book by Lee Allen and Packt Publishing.

From preparing the scope of a pentest, to learning the tools of pentesting, to installing and running a full mock pentest on a virtual lab, this book truly is the ultimate security guide!

Here is a quick overview of the main topics:

Reconnaissance

Learn about DNS data siphoning techniques, Shodan, and the Google Hacking Database. The chapter also covers numerous tools that can help with recovering network, computer, and user information, and sometimes even user documents.

Enumeration

This section includes a very good tutorial on Nmap scanning including using decoys and zombie hosts in your scans, and a look at gathering pertinent information from SNMP.

Exploitation

Exploitation covers installing Kioptrix (a purposely vulnerable Linux VM) and running attacks against it from a BackTrack system. The reader learns how to retrieve service information from the target, search the Exploit-DB database (online and in BackTrack) for matching exploits, and then compile and use the exploit from BackTrack.

This chapter then covers transferring data to and from the system and cracking passwords, and finally exploiting the machine with the Metasploit Framework.

Web App Exploitation

Covers creating a virtual lab by installing Kioptrix level 3, pfSense (firewall), HAProxy (load balancer) and Irongeek's Mutillidae (which contains the OWASP Top 10). The author covers detecting load balancers and web application firewalls, and scanning with the Web Application Attack and Audit Framework (w3af). You also learn how to use WebScarab to record and analyze your pentest and are introduced to Mantra, the pentester's plug-in toolkit.

Client Side attacks

Client side attacks are covered including Buffer Overflows, fuzzing, using David Kennedy’s (ReL1K) Fast Track and the Social Engineering Toolkit.

Post Exploitation

This chapter explains data and service enumeration on the target system: which files to try to recover, which logs to analyze, and what processes and networking details to view on both Linux and Windows systems. It finishes with using the exploited machine to scan or gain access to other hosts via pivoting.

Conclusion

The book also covers bypassing firewalls, avoiding detection, data collection tools and reporting.

Okay, after you have learned all of this excellent information, what are you going to do with it? Why not put it to the test with the last two chapters where you build a full testing lab and then run through a mock penetration test using the lab and all the skills that you have learned from the book.

This book is packed full of excellent training and tutorials. The author masterfully walks you through each section with step-by-step instructions, including screenshots. It is easy to read and follow, for novice and expert alike. If you are new to pentesting or want to learn more about it, then this is the book for you.

I highly recommend this book.