How to hack a web site written in ASP
For example, a web page lets you input a date and accesses a database to retrieve your billing history. To do that, the web page needs to construct a SQL statement to pass to the database. The SQL statement could look like this:
Select BillingDate, Amount, Description From BillingTable Where UserName= 'YourUserName' and Date= 'InputDate'
The web page could construct the SQL statement by concatenating the fixed prefix
Select BillingDate, Amount, Description From BillingTable Where UserName= 'You' and Date='
with the date you input, and then concatenating a closing single quote.
In that case, if the hacker knows that your database has a table called Users with LoginName and Password fields, he can pass this as the input date:
4/20/2008' union select ' ', ' ', LoginName + ' ' + Password from Users --
The two dashes at the end tell SQL Server to ignore the last single quote concatenated to the statement. Essentially, the constructed statement not only displays the billing history but also every user's login name and password.
Of course, a hacker can only do this if the web site doesn't validate the date input. If that is the case, this security hole in fact opens up the entire database to the hacker, because it can be used to query your system tables and discover your database structure.
Wednesday, December 8, 2010
Thursday, December 2, 2010
SQL Injection
SQL is a language that is used to query, operate, and administer database systems such as Microsoft SQL Server, Oracle, or MySQL. The general use of SQL is consistent across all database systems that support it; however, there are intricacies that are particular to each system.
Database systems are commonly used to provide backend functionality to many types of web applications. In support of web applications, user-supplied data is often used to dynamically build SQL statements that interact directly with a database. A SQL injection attack is an attack that is aimed at subverting the original intent of the application by submitting attacker-supplied SQL statements directly to the backend database. Depending on the web application, and how it processes the attacker-supplied data prior to building a SQL statement, a successful SQL injection attack can have far-reaching implications. The possible security ramifications range from authentication bypass to information disclosure to enabling the distribution of malicious code to application users.
This whitepaper will describe SQL injection attacks, how they are performed, and precautions that should be taken inside applications or networks to reduce risks that are associated with SQL injection attacks.
SQL Injection Explained
A SQL injection attack involves the alteration of SQL statements that are used within a web application through the use of attacker-supplied data. Insufficient input validation and improper construction of SQL statements in web applications can expose them to SQL injection attacks.
Ramifications of Successful SQL Injection Attacks
Although the effects of a successful SQL injection attack vary based on the targeted application and how that application processes user-supplied data, SQL injection can generally be used to perform the following types of attacks:
- Authentication Bypass: This attack allows an attacker to log on to an application, potentially with administrative privileges, without supplying a valid username and password.
- Information Disclosure: This attack allows an attacker to obtain, either directly or indirectly, sensitive information that is contained in a database.
- Compromised Data Integrity: This attack involves the alteration of the contents of a database. An attacker could use this attack to deface a web page or more likely to insert malicious content into otherwise innocuous web pages. This technique has been demonstrated via the attacks that are described in Mass exploits with SQL Injection at the SANS Internet Storm Center.
- Compromised Availability of Data: This attack allows an attacker to delete information with the intent to cause harm or delete log or audit information that is contained in a database.
- Remote Command Execution: Performing command execution through a database can allow an attacker to compromise the host operating system. These attacks often leverage an existing, predefined stored procedure for host operating system command execution. The most recognized variety of this attack uses the xp_cmdshell stored procedure that is common to Microsoft SQL Server installations or leverages the ability to create an external procedure call on Oracle databases.
An Example of SQL Injection for Authentication Bypass
One of the many possible uses for SQL injection involves bypassing an application login process. The following example illustrates the general operation of a SQL injection attack. The following HTML form solicits login information from an application user. Although this example uses an HTTP POST request, an attacker could also use HTML forms that utilize the HTTP GET method.
<form action="/cgi-bin/login" method=post>
Username: <input type=text name=username>
Password: <input type=password name=password>
<input type=submit value=Login>
</form>
When a user enters his or her information into this form and clicks Login, the browser submits a string to the web server that contains the user's credentials. This string appears in the body of the HTTP or HTTPS POST request as:
username=submittedUser&password=submittedPassword
An application with a vulnerable login process may accept the submitted information and use it as part of the following SQL statement, which locates a user profile that contains the submitted username and password:
select * from Users where (username = 'submittedUser' and password = 'submittedPassword');
Unless an application uses strict input validation, it may be vulnerable to a SQL injection attack. For example, if an application accepts and processes user-supplied data without any validation, an attacker could submit a maliciously crafted username and password. Consider the following string sent by an attacker:
username=admin%27%29+--+&password=+
Once this string is received and URL-decoded, the application will attempt to build a SQL statement using a username of admin') -- and a password that consists of a single space. Placing these items into the previous SQL statement yields:
select * from Users where (username = 'admin') -- and password = ' ');
As the previous example demonstrates, the attacker-crafted username changes the logic of the SQL statement to effectively remove the password check. In the above example, an attacker could successfully log in to the application using the admin account without knowledge of the password to that account. The string of two dash characters (--) that appears in the crafted input is very important; it indicates to the database server that the remaining characters in the SQL statement are a comment and should be ignored. This capability is one of the most important tools that is available to an attacker and without it, it would be difficult to ensure that the malicious SQL statements were syntactically correct.
Although the crafted field, which is the username field in the previous example, must be tailored to the vulnerable application, a large set of documented strings that are readily available on the Internet have proven successful at enabling SQL injection attacks. The previous example may be simplistic, but it illustrates the effectiveness of SQL injection attack techniques.
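The two vulnerable constructions on this page (the ASP post's billing-history query built around a raw date, and the whitepaper's login statement) beside their validated, parameterized form. This is an added example in Python with SQLite, not code from either original post; the schema, rows and function names are constructed for the demonstration, and the UNION input uses SQLite's || where the ASP post used SQL Server's + for string concatenation.

```python
import sqlite3
from datetime import datetime

# Constructed sample schema and rows (hypothetical; modelled on the posts above).
SCHEMA = """
CREATE TABLE Users (username TEXT, password TEXT, role TEXT);
INSERT INTO Users VALUES ('admin', 'adm1n-secret', 'administrator');
INSERT INTO Users VALUES ('alice', 'alice-pw', 'user');
CREATE TABLE BillingTable (UserName TEXT, Date TEXT, BillingDate TEXT,
                           Amount REAL, Description TEXT);
INSERT INTO BillingTable VALUES ('alice', '4/20/2008', '4/20/2008', 19.99, 'Monthly plan');
"""


def make_db():
    """Fresh in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """The whitepaper's login statement built by string concatenation.

    Whatever the user typed becomes SQL text, so a quote plus a -- comment
    in the username truncates the WHERE clause before the password check.
    """
    sql = ("select * from Users where (username = '" + username
           + "' and password = '" + password + "');")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Same lookup as a parameterized query: the driver binds the values, so
    quotes and -- inside them are ordinary characters, never SQL syntax."""
    sql = "select * from Users where (username = ? and password = ?);"
    return conn.execute(sql, (username, password)).fetchone()


def billing_vulnerable(conn, user, input_date):
    """The ASP post's construction: fixed prefix + raw date + closing quote."""
    sql = ("Select BillingDate, Amount, Description From BillingTable "
           "Where UserName= '" + user + "' and Date= '" + input_date + "'")
    return conn.execute(sql).fetchall()


def valid_date(text):
    """Allow-list check: the whole input must parse as M/D/YYYY."""
    try:
        datetime.strptime(text, "%m/%d/%Y")
        return True
    except ValueError:
        return False


def billing_safe(conn, user, input_date):
    """Validate the date first, then bind both values as parameters."""
    if not valid_date(input_date):
        raise ValueError("date must be in M/D/YYYY form")
    sql = ("Select BillingDate, Amount, Description From BillingTable "
           "Where UserName= ? and Date= ?")
    return conn.execute(sql, (user, input_date)).fetchall()


# The crafted inputs quoted in the posts above (UNION adapted to SQLite's ||).
BYPASS_USERNAME = "admin') -- "
BYPASS_PASSWORD = " "
UNION_DATE = "4/20/2008' union select ' ', ' ', username || ' ' || password from Users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, BYPASS_USERNAME, BYPASS_PASSWORD))
    print("parameterized login:", login_safe(db, BYPASS_USERNAME, BYPASS_PASSWORD))
    print("vulnerable billing:", billing_vulnerable(db, "alice", UNION_DATE))
    try:
        billing_safe(db, "alice", UNION_DATE)
    except ValueError as exc:
        print("validated billing rejected input:", exc)
```

Running the block prints the admin row for the concatenated login and None for the parameterized one, and the UNION input leaks both credential rows from the concatenated billing query while the validated version refuses it.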
Blind and Second Order SQL Injection
In situations where data from a backend SQL database is not returned directly to the user or attacker, it may be necessary for an attacker to utilize the Blind SQL Injection technique. With this technique, an attacker can determine whether a SQL statement was executed using means other than the direct presentation of data. Using Blind SQL injection, an attacker could perform reconnaissance, obtain sensitive information, or alter database contents, including authentication credentials.
One example of the Blind SQL Injection technique is the introduction of a delay as part of a malicious SQL statement. Depending on the database software in use, an attacker could build a SQL statement that is designed to cause a database server to perform a time-consuming action. With the MySQL database software, it may be possible to craft a SQL statement using the sleep() function. For example, incorporating sleep(10) into a malicious query will create a 10-second delay. An attacker could induce a recognizable delay on database servers that do not contain the sleep() function by executing an operating system command or time-consuming sub-query or attempting to establish an outbound HTTP connection. Should the time-consuming SQL statement be executed, the web application may take noticeably longer to respond than is typical. This method allows attackers to determine whether their SQL statements are being executed with some level of certainty.
Second Order SQL Injection attacks involve user-submitted data that is first stored in the database, then retrieved and used as part of a vulnerable SQL statement. This class of vulnerability is more difficult to locate and exploit, but Second Order SQL Injection attacks justify data validation prior to the execution of all SQL statements in an application, as well as the comprehensive use of parameterized queries.
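The delay technique described above seen from the defender's side: an added example (not from the original whitepaper) that scans web-server access-log lines for the sleep()-style markers and for response-time outliers. The log lines are constructed, and the format (combined log with one extra trailing field, the response time in milliseconds) is an assumption.

```python
import re
from statistics import median
from urllib.parse import unquote_plus

# Constructed access-log lines (hypothetical). Last field: response time in ms.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Dec/2010:10:01:02 +0000] "GET /billing?date=4%2F20%2F2008 HTTP/1.1" 200 512 43
10.0.0.5 - - [02/Dec/2010:10:01:05 +0000] "GET /billing?date=4%2F21%2F2008 HTTP/1.1" 200 498 39
10.0.0.9 - - [02/Dec/2010:10:02:11 +0000] "GET /billing?date=4%2F20%2F2008%27+and+sleep%2810%29-- HTTP/1.1" 200 512 10061
10.0.0.9 - - [02/Dec/2010:10:02:30 +0000] "GET /billing?date=4%2F20%2F2008%27+and+1%3D1-- HTTP/1.1" 200 512 44
10.0.0.5 - - [02/Dec/2010:10:03:00 +0000] "GET /login HTTP/1.1" 200 300 21
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$'
)

# Markers from the paragraph above: a delay function (MySQL sleep(), plus the
# equivalents other engines provide) and a quote followed by the -- comment
# that truncates the remainder of the statement.
MARKERS = {
    "delay-function": re.compile(r"(?i)\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"),
    "quote-comment": re.compile(r"'[^']*--"),
}


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        entry = m.groupdict()
        entry["ms"] = int(entry["ms"])
        # Decode %xx and + so that sleep%2810%29 is inspected as sleep(10).
        entry["decoded"] = unquote_plus(entry["path"])
        entries.append(entry)
    return entries


def analyze(text, slow_factor=10, slow_floor_ms=2000):
    """Flag requests carrying an injection marker or with outlying latency.

    A response counts as slow when it exceeds both slow_factor times the
    median latency of the sample and an absolute floor, so a sleep(10)-style
    delay stands out without flagging ordinary jitter on a fast site.
    """
    entries = parse_log(text)
    if not entries:
        return []
    slow_cutoff = max(slow_factor * median(e["ms"] for e in entries), slow_floor_ms)
    findings = []
    for e in entries:
        reasons = [name for name, rx in MARKERS.items() if rx.search(e["decoded"])]
        if e["ms"] > slow_cutoff:
            reasons.append("slow-response")
        if reasons:
            findings.append({"ip": e["ip"], "request": e["decoded"],
                             "ms": e["ms"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], f["ms"], "ms", f["reasons"], f["request"])
```

The first flagged line is caught three ways at once (delay function, quote-then-comment, and a 10-second response), while the second shows that the comment marker alone still surfaces a probe that caused no delay.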
Friday, November 5, 2010
Hack BSNL broadband for more speed
Use third-party DNS servers instead of BSNL DNS servers, or run your own, such as djbdns. The easiest option is to use OpenDNS. Just reconfigure your network to use the following DNS servers:
208.67.222.222
208.67.220.220
Detailed instructions specific to your operating system or your BSNL modem are available on the OpenDNS website itself. After I reconfigured my BSNL modem to use the above 2 IP addresses, my DNS problems just vanished! Other ‘freebies’ that come with OpenDNS are phishing filters and automatic URL correction. Even if your service provider’s DNS servers are working fine, you can still use OpenDNS just for these two special features. After you hack BSNL DNS servers, you will see improvement in your broadband speed.
DISK WIPING
The secure way of erasing a hard disk is called disk wiping. Disk wiping is a secure method of ensuring that data, including company and individually licensed software on your computer and storage devices, is irrecoverably deleted before recycling or donating the equipment. Because previously stored data can be brought back with the right software and applications, the disk wiping process overwrites your entire hard drive with data, several times. Once you format, you’ll find it all but impossible to retrieve the data which was on the drive before the overwrite. The more times the disk is overwritten and formatted, the more secure the disk wipe is.
There are a variety of disk wiping products available that you can purchase, or freely download online, to perform more secure disk wipes. One of my favorite disk wiping tools is
WipeDrive
You use this tool by burning the ISO image file onto a CD or by using a floppy disk. After burning this tool, boot your PC from it and follow the on-screen instructions to completely erase the hard disk.
Change your IP in Windows.
This article will help you to change your IP address within a minute. Just follow the steps below and you will be through.
1. Click on "Start" in the bottom left hand corner of screen
2. Click on "Run"
3. Type in "command" and hit ok
You should now be at an MSDOS prompt screen.
4. Type "ipconfig /release" just like that, and hit "enter"
5. Type "exit" and leave the prompt
6. Right-click on "Network Places" or "My Network Places" on your desktop.
7. Click on "properties"
You should now be on a screen with something titled "Local Area Connection", or something close to that, and, if you have a network hooked up, all of your other networks.
8. Right click on "Local Area Connection" and click "properties"
9. Double-click on the "Internet Protocol (TCP/IP)" from the list under the "General" tab
10. Click on "Use the following IP address" under the "General" tab
11. Create an IP address (It doesn't matter what it is. I just type 1 and 2 until I fill the area up).
12. Press "Tab" and it should automatically fill in the "Subnet Mask" section with default numbers.
13. Hit the "Ok" button here
14. Hit the "Ok" button again
You should now be back to the "Local Area Connection" screen.
15. Right-click back on "Local Area Connection" and go to properties again.
16. Go back to the "TCP/IP" settings
17. This time, select "Obtain an IP address automatically"
18. Hit "Ok"
19. Hit "Ok" again
20. You now have a new IP address
With a little practice, you can easily get this process down to 15 seconds.
This only changes your dynamic IP address, not your ISP/IP address. If you plan on hacking a website with this trick be extremely careful, because if they try a little, they can trace it back.
Error
SQL Server 2000
Syntax
@@ERROR
Return Types
integer
Remarks
When Microsoft® SQL Server™ completes the execution of a Transact-SQL statement, @@ERROR is set to 0 if the statement executed successfully. If an error occurs, an error message is returned. @@ERROR returns the number of the error message until another Transact-SQL statement is executed. You can view the text associated with an @@ERROR error number in the sysmessages system table. Because @@ERROR is cleared and reset on each statement executed, check it immediately following the statement validated, or save it to a local variable that can be checked later.
Examples
A. Use @@ERROR to detect a specific error
This example uses @@ERROR to check for a check constraint violation (error #547) in an UPDATE statement.
USE pubs
GO
-- Single-quoted string literals work regardless of the QUOTED_IDENTIFIER setting.
UPDATE authors SET au_id = '172 32 1176'
WHERE au_id = '172-32-1176'
IF @@ERROR = 547
PRINT 'A check constraint violation occurred'
B. Use @@ERROR to conditionally exit a procedure
The IF...ELSE statements in this example test @@ERROR after an INSERT statement in a stored procedure. The value of the @@ERROR variable determines the return code sent to the calling program, indicating success or failure of the procedure.
USE pubs
GO
-- Create the procedure.
CREATE PROCEDURE add_author
@au_id varchar(11),@au_lname varchar(40),
@au_fname varchar(20),@phone char(12),
@address varchar(40) = NULL,@city varchar(20) = NULL,
@state char(2) = NULL,@zip char(5) = NULL,
@contract bit = NULL
AS
-- Execute the INSERT statement.
INSERT INTO authors
(au_id, au_lname, au_fname, phone, address,
city, state, zip, contract) values
(@au_id,@au_lname,@au_fname,@phone,@address,
@city,@state,@zip,@contract)
-- Test the error value.
IF @@ERROR <> 0
BEGIN
-- Return 99 to the calling program to indicate failure.
PRINT 'An error occurred loading the new author information'
RETURN(99)
END
ELSE
BEGIN
-- Return 0 to the calling program to indicate success.
PRINT 'The new author information has been loaded'
RETURN(0)
END
GO
C. Use @@ERROR to check the success of several statements
This example depends on the successful operation of the INSERT and DELETE statements. Local variables are set to the value of @@ERROR after both statements and are used in a shared error-handling routine for the operation.
USE pubs
GO
DECLARE @del_error int, @ins_error int
-- Start a transaction.
BEGIN TRAN
-- Execute the DELETE statement.
DELETE authors
WHERE au_id = '409-56-7088'
-- Set a variable to the error value for
-- the DELETE statement.
SELECT @del_error = @@ERROR
-- Execute the INSERT statement.
INSERT authors
VALUES('409-56-7008', 'Bennet', 'Abraham', '415 658-9932',
'6223 Bateman St.', 'Berkeley', 'CA', '94705', 1)
-- Set a variable to the error value for
-- the INSERT statement.
SELECT @ins_error = @@ERROR
-- Test the error values.
IF @del_error = 0 AND @ins_error = 0
BEGIN
-- Success. Commit the transaction.
PRINT 'The author information has been replaced'
COMMIT TRAN
END
ELSE
BEGIN
-- An error occurred. Indicate which operation(s) failed
-- and roll back the transaction.
IF @del_error <> 0
PRINT 'An error occurred during execution of the DELETE statement.'
IF @ins_error <> 0
PRINT 'An error occurred during execution of the INSERT statement.'
ROLLBACK TRAN
END
GO
D. Use @@ERROR with @@ROWCOUNT
This example uses @@ERROR with @@ROWCOUNT to validate the operation of an UPDATE statement. The value of @@ERROR is checked for any indication of an error, and @@ROWCOUNT is used to ensure that the update was successfully applied to a row in the table.
USE pubs
GO
CREATE PROCEDURE change_publisher
@title_id tid,
@new_pub_id char(4)
AS
-- Declare variables used in error checking.
DECLARE @error_var int, @rowcount_var int
-- Execute the UPDATE statement.
UPDATE titles SET pub_id = @new_pub_id
WHERE title_id = @title_id
-- Save the @@ERROR and @@ROWCOUNT values in local
-- variables before they are cleared.
SELECT @error_var = @@ERROR, @rowcount_var = @@ROWCOUNT
-- Check for errors. If an invalid @new_pub_id was specified
-- the UPDATE statement returns a foreign-key violation error #547.
IF @error_var <> 0
BEGIN
IF @error_var = 547
BEGIN
PRINT 'ERROR: Invalid ID specified for new publisher'
RETURN(1)
END
ELSE
BEGIN
PRINT 'ERROR: Unhandled error occurred'
RETURN(2)
END
END
-- Check the rowcount. @rowcount_var is set to 0
-- if an invalid @title_id was specified.
IF @rowcount_var = 0
BEGIN
PRINT 'Warning: The title_id specified is not valid'
RETURN(1)
END
ELSE
BEGIN
PRINT 'The book has been updated with the new publisher'
RETURN(0)
END
GO
Thursday, November 4, 2010
Microsoft issues advisory on Internet Explorer drive-by attack
"The exploit code was discovered on a single website that is no longer hosting the malicious code," said Jerry Bryant, group manager of response communications in the Microsoft Trustworthy Computing Group.
In a blog entry, Bryant said engineers were working on an automated "fix-it" repair until a permanent patch could be released. Currently, the issue "does not meet the criteria for an out-of-band release," Bryant said.
Drive-by attacks have become an increasingly common method of attack. Users are often lured to visit a malicious website through an email message, an instant message or poisoned search engine results. Oftentimes legitimate websites are compromised to host attack code. Blogs, social networks and Web forums can also be used to host drive-by attacks.
The Microsoft Security Advisory outlined a number of workarounds to mitigate the threat posed by the vulnerability, which include reading email messages in plain text, applying a custom cascading style sheet as an override when reading HTML data, enabling data execution prevention (DEP) in IE 7 and deploying the Enhanced Mitigation Experience Toolkit (EMET).
Microsoft said the vulnerability could be targeted by attackers using drive-by attack websites or by compromising websites that accept or host user-provided content, such as blogs and social networks. In addition, website display advertisements can be compromised to trigger an exploit that targets the flaw.
"In all cases, however, an attacker would have no way to force users to visit these websites," Microsoft said. "Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or in an instant messenger message that takes users to the attacker's website."
A successful attack could give cybercriminals complete control of a victim's machine and the ability to download additional malware or attempt to gain access to the network.
GOOGLE EXTENDS BOUNTY PROGRAM FOR WEB APPLICATION BUGS
The move is an expansion of Google's current bounty program, which was launched in February to reward security researchers who reported Chrome browser flaws. Google said it would reward as much as $3,133.70 for significant flaw finds. The number pays homage to "eleet," sometimes identified as 31337, an alternative alphabet used by coders on the Internet.
"Any Google Web properties that display or manage highly sensitive authenticated user data or accounts may be in scope," Google said in an announcement on its security blog. "For now, Google's client applications (e.g. Android, Picasa, Google Desktop, etc.) are not in scope. We may expand the program in the future."
Google said it is difficult to provide a definitive list of vulnerabilities eligible for a reward, but added a number of categories that would be rewarded, including cross-site scripting errors, cross-site request forgery flaws and authorization bypass bugs. To be eligible for a reward, researchers must privately report the bugs using Google's security contact list.
Google says:
"It's our job to fix serious bugs within a reasonable time frame, and we in turn request advance, private notice of any issues that are uncovered," Google said. "Vulnerabilities that are disclosed to any party other than Google, except for the purposes of resolving the vulnerability (for example, an issue affecting multiple vendors), will usually not qualify. This includes both full public disclosure and limited private release."
The base reward for qualifying bugs is $500. At each bug hunter's discretion, Google will publicly credit the finds if the flaws are deemed legitimate. Google said each submission will be evaluated by a security expert panel, which "may also decide a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute only a single reward." In addition, bug hunters can donate rewards to charity, through Google.
Google said it chose to extend the bounty program for Web application bugs because it received a sustained increase in the number of high-quality reports from researchers on bugs found in the Chromium browser, the open source browser on which Google Chrome is based. Those bugs can be reported using the Chromium bug tracker system and include flaws discovered using plug-ins shipped with the Chrome browser by default.
Some other software makers offer similar programs. Mozilla announced its Security Bug Bounty Program in 2004, funded by Linux distributor Linspire (now owned by Xandros Inc.) and Mark Shuttleworth, the founder of the Ubuntu Project. Under Mozilla's program, reporters of valid, critical security bugs now receive a $3,000 cash reward and a Mozilla T-shirt. The maximum cash reward was increased from $500 in July.
By contrast, Microsoft refuses to reward bug hunters with cash prizes. In an announcement in July regarding responsible disclosure, Dave Forstrom, director of Microsoft's Trustworthy Computing Program, said such programs run counter to Microsoft's vulnerability research efforts and ultimately don't help the customer.
"We don't think it's in the customer's best interest to offer a per-vulnerability bounty," Forstrom said in an earlier interview. "There are a number of ways that we work with the researcher community that we think best serves the community: everything from acknowledging our work together, to all of the sponsorships of conferences that we do further develops the community."
Can a UID number be misused?
The UID project will create a unique number for every citizen of India and build a UID database of individuals, associated with 12 parameters of identity. For the initial two to three years, UIDAI will focus only on creating the ‘unique number’ and not on the instrument that holds the ‘ID card’. A biometric record of each individual’s 10 fingerprints or iris scan will be collected and tagged to his unique 16 digit number (UID). Chandiramani believes that just having a UID is much more secure than having a physical card, which can be duplicated, stolen or misused; however, stealing someone’s biometric identity is not an easy task.
Na Vijayashankar (also known as Naavi), an independent cyberlaw consultant and founder of Ujvala Consultants who has issued a draft on ‘Reasonable Security Practices for UID Project’, explained that the UID database would be used by making a query. The query supplies the UID number along with one of the identity parameters, such as name, and the answer returned is either ‘true’ or ‘false’. The users will mostly be service providers who check the ID of a prospective client. According to Naavi, return of false information by the database, or its inability to find a match for a genuine query, would be security threats. Another important UID security concern is whether somebody’s UID number can be misused by another individual. Naavi replies, “If a person has access to someone else’s UID number, it can be misused in all cases where the biometric check is not done.” Chandiramani agrees, “To confirm if a UID number and person are the same, the biometric data should match.”
Securing the central database
UIDAI is expected to build one of the largest centralized databases, consisting of UID numbers, biometric records, and other personal details. Unauthorized access to UIDAI servers, organized attacks from cyber terrorists or cyber warriors, and theft or leakage of sensitive personal information are some of the prominent security threats to the UID centralized database. Naavi suggests strong role-based access control, firewalls, intrusion detection systems, manpower training, and background checks as critical measures to ensure the security of the UID centralized database. Chandiramani also mentions the strong encryption mechanism that UIDAI will deploy during all processes and IT operations. UIDAI is already implementing strong security policies, a monitoring mechanism and penalties for security breaches.
Naavi further notes that as UIDAI will have a repository of sensitive personal data, it will have to maintain reasonable security practices under the IT amendment act, 2008. “The global standards of data protection and privacy ought to be applied. Many of the security requirements should be at par with National Institute of Standards and Technology guidelines in USA or appropriate derivatives from such standards,” observes Naavi.
Security during transmission
The UID authentication process is expected to authorize an individual by matching a fresh biometric scan against the existing image on the centralized server. If a hacker breaches UID security by manipulating data during transmission, it may directly affect the matching process at the centralized server, and a genuine person may be denied services. Naavi informs that according to preliminary indications (subject to confirmation from UIDAI), during creation of the original database, registrars would capture UID data on portable media such as a USB drive and bring it to the UID center to upload to the central database through the Internet. “Hopefully, UIDAI will develop an application, which transmits the data in encrypted form so that transmission security can be managed. However, while the data is in the USB drive, it is exposed to the risk of being stolen or modified,” cautions Naavi. Chandiramani suggested that the transmission would happen on a private network for the moment, but will ultimately take place over a secure cloud; hence, irrespective of the network, one will be able to connect to the UIDAI server securely.
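The risk Naavi raises for the USB-drive stage is an integrity problem, and encryption on its own does not detect a record that was altered before it reached the centre. The Python below is an added example, not UIDAI's design or software: the registrar attaches an HMAC-SHA256 tag to each enrolment record before it is written to portable media, and the upload centre re-checks the tag and rejects anything that changed in between. The record layout, the field names, the key and the sample UIDs are all assumptions made up for the example.

```python
import hashlib
import hmac
import json

# Hypothetical per-registrar key (assumption for this example). In a real
# deployment it would be provisioned from a secret store or HSM, never hard-coded.
REGISTRAR_KEY = b"example-registrar-key-do-not-use"

def canonical_bytes(record: dict) -> bytes:
    """Serialise a record deterministically so registrar and centre MAC the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def seal_record(record: dict, key: bytes = REGISTRAR_KEY) -> dict:
    """Registrar side: attach an HMAC-SHA256 tag before the record goes onto portable media."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify_record(sealed: dict, key: bytes = REGISTRAR_KEY) -> bool:
    """Upload-centre side: accept the record only if the tag still matches its contents."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking tag bytes through timing differences
    return hmac.compare_digest(expected, sealed["tag"])

def filter_batch(batch: list) -> tuple:
    """Split an uploaded batch into the UIDs accepted and the UIDs rejected."""
    accepted, rejected = [], []
    for sealed in batch:
        (accepted if verify_record(sealed) else rejected).append(sealed["record"]["uid"])
    return accepted, rejected

# Constructed sample enrolment records: fictitious 16-digit UIDs and fingerprint
# template hashes, not real data.
ENROLMENTS = [
    {"uid": "1234567890123456", "name": "A. Example", "fp_hash": "ab" * 32},
    {"uid": "6543210987654321", "name": "B. Example", "fp_hash": "cd" * 32},
]

def build_tampered_batch() -> list:
    """Seal both records, then simulate someone swapping the biometric on the second."""
    batch = [seal_record(r) for r in ENROLMENTS]
    tampered = dict(batch[1]["record"])      # copy so ENROLMENTS itself is untouched
    tampered["fp_hash"] = "ef" * 32          # attacker's own fingerprint hash
    batch[1] = {"record": tampered, "tag": batch[1]["tag"]}   # old tag, new contents
    return batch

if __name__ == "__main__":
    ok, bad = filter_batch(build_tampered_batch())
    print("accepted:", ok)   # ['1234567890123456']
    print("rejected:", bad)  # ['6543210987654321']
```

The tag only proves the record was not altered after the registrar sealed it; it does not hide the contents, so it complements rather than replaces the encryption Naavi asks for. Using a separate key per registrar also means a batch carrying forged tags points back to the registrar whose key was exposed.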
Internal threats
There could be serious internal threats to UID security. Chandiramani opines, “Internally, someone could attempt to sabotage the system, crash it or steal some information. Segregation of duties, roles, limited access, audit monitoring mechanism, physical security, and background checks are some key measures to be implemented on this front.”
Naavi points out that this could involve corruption and other motivations. This is the most sensitive issue, because political considerations could dilute security to meet the various “reservations” involved in the selection of personnel.
UID data privacy
As a country, we lack specific laws on data privacy and hence, some feel that we may be ill-equipped to deal with disclosure or leakage of personal information if UID security is weak. Chandiramani mentions that currently UIDAI is capturing limited data (such as father’s name, age and DOB, and not things like height, weight or caste) and even at the time of authentication, only the UID number is verified. However, he feels that privacy will become a major issue once service providers start tracking a unique ID and tagging it to everything in order to understand a person’s purchase decisions. Chandiramani also adds that as this will happen outside the UIDAI environment, UIDAI may not be held responsible.
A UID system requires elaborate security, which takes care of technology, law and human resources.
Thursday, October 28, 2010
MALWARE SAMPLES USED IN TARGETED ATTACKS
TORONTO -- Security researchers demonstrated malware samples used in
recent targeted attacks during a session Tuesday at the SecTor 2010
conference. These malware samples, through the use of simple,
automated processes within the code, were able to evade antivirus
detection and dupe computer forensics investigations.
The researchers, members of Trustwave's Spiderlabs forensics and
pen-testing teams, investigated more than 200 security incidents
worldwide during the last year, collecting hundreds of malware
samples; on Tuesday, they demonstrated a Windows credential stealer,
a network rootkit and a client-side PDF attack.
GOOGLE ANTIMALWARE EFFORTS RELY ON MALWARE DETECTION
TORONTO -- Google Inc. this week revealed how it detects websites
infected with malicious code, part of its effort to protect users
from drive-by downloads and other malicious content.
Fabrice Jaubert of the Google antimalware team presented details
about Google's antimalware efforts at the SecTor 2010 conference. The
team uses proprietary algorithms to identify malware distribution
sites and sites that have been infected with malicious code. While
Google's technical efforts succeed in identifying and blocking
millions of websites suspected of hosting malicious code, Jaubert
described the process as a typical cat-and-mouse game, in which savvy
cybercriminals find ways to avoid detection.
Wednesday, October 27, 2010
BREDOLAB BOTNET CRIPPLED BY DUTCH CYBERSECURITY TEAMS
Dutch law enforcement and computer teams took out the Bredolab
botnet, seizing and disconnecting more than 100 command-and-control
servers used to send orders to hoards of zombie machines.
Bredolab, known for spreading spam and rogue antivirus, is thought by
some experts to have infected at least 30 million computers.
BOTNET INFECTIONS
Microsoft issued its latest Security Intelligence Report last week,
indicating that botnets pose the biggest problem for security teams
attempting to defend websites, networks and end-user devices from
malware infections.
Volume 9 of the Microsoft Security Intelligence Report lays out
evidence that while there has been some success in breaking up major
botnets, more action is needed if security teams ever expect to see a
major decline in botnet malware infections. Microsoft said it cleaned
more than 6.5 million computers of botnet infections in the first
half of 2010, double the amount for the same period a year before.
Monday, October 25, 2010
The news that Adobe Shockwave Player has a zero-day vulnerability which could potentially allow an attacker control of your computer is neither shocking nor unexpected. Adobe security flaws are like buses: if you missed the last one just wait for a while and another one is sure to turn up. However, it’s the unexpected bit of this particular zero-day that is the real news here.
After all, zero-day suggests an unknown vulnerability so how could we have expected this one this week? The answer, my friend, was blowing on the Twitter wind.
Amazingly, and very depressingly, a ’security researcher’ called Shahin Ramezany posted to Twitter that to celebrate getting 1000 Twitter followers he would “release an adobe 0day” and that’s exactly what he did.
Saturday, October 23, 2010
MICROSOFT IIS 7 SECURITY
Microsoft's Internet Information Services (IIS) Web server has
presented enterprises with more than its share of security problems
over the years, including the infamous Code Red worm nearly a decade
ago. A key security concern with IIS has always been the number of
features that are automatically installed and enabled by default,
such as scripting and virtual directories, many of which proved
vulnerable to exploit and led to major security incidents.
With the release of IIS 6 a few years ago, a "lockdown by default"
approach was introduced with several features either not being
installed or installed but disabled by default. IIS 7, the newest
iteration, goes even further.
Friday, October 8, 2010
Snort
Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. Snort has become the de facto standard for Intrusion Prevention Systems (IPS).
Martin Roesch remains the guiding force behind nearly all of the
improvements made to Snort. Despite business pressures that
could potentially sidetrack any vendor's technology improvements,
Roesch guides Snort with a steady hand. He created Snort as an open
source project in 1998 and in 2001 he founded Columbia, Md.-based
Sourcefire to sell appliances and software that uses the Snort
engine.
Where do we fall short?
Non-reporting of cyber crimes is an act that directly hampers the
growth of India as an IT superpower. Although cyber crimes are on the
rise in India, their reporting is fractional. Despite being the
biggest victim of cyber crimes, Indian organizations always undergo
the debate of whether they should report these attacks. In addition,
there are specific hindrances that prevent organizations from
reporting cyber crimes. Our expert takes a look at the specific
causes behind non-reporting of cybercrimes in India. He also
recommends measures that can be taken to ensure more reporting of
cybercrimes.
SECURITY METRICS LESSONS FROM INFOSYS
It is said that what you can't measure, you can't improve. So, if an
enterprise looks forward to improve its security posture, it needs to
gauge the effectiveness of its security controls. In this week's
edition, leading Indian IT-BPO organization Infosys reveals how it
has successfully developed an information security metrics model.
Although it's not a conventional risk measurement tool, security
metrics goes a long way in security risk assessment, identification,
mitigation and governance. We bring you an up-close look at Infosys's
journey to develop security metrics.
CROSS-SITE SCRIPTING TWITTER ATTACK CAUSES CHAOS
The popular social network, Twitter, said it has fixed a
vulnerability that enabled a cross-site scripting (XSS) attack, which
wreaked havoc for a short time Tuesday. A user exploited the error,
causing people to unwillingly spread a message and annoy victims with
pop-up windows.
Victims of the attack only had to move the mouse over the Twitter message,
which then activated the malicious code. Once activated, the message
was reposted and viewable by the victim's followers, allowing it to
quickly spread across the website, like a worm. Pop-up windows led
victims to third-party websites peddling porn.
STUXNET TROJAN
The security chief at the North American Electric Reliability Corp.
(NERC) is calling for better designed and more hardened systems in
the wake of the Stuxnet malware threat.
The Stuxnet Trojan quickly gained the attention of the security
industry because it was one of the first pieces of malware to use
multiple previously unknown vulnerabilities. Stuxnet initially relied
on four zero-day vulnerabilities to gain access to devices that could
potentially connect to critical control systems, allowing Stuxnet to
spread to other machines. It was also the first piece of malware that
could inject itself into programmable logic controllers, the systems
that control temperature, pressure and other processes vital to
keeping industrial facilities running smoothly.
Sunday, September 26, 2010
Mess in orkut
Google owned social networking site Orkut has been reportedly attacked by “Bom Sabado” worm on September 25th, 2010.
In Portuguese, “Bom Sabado” means “Good Saturday”.
The worm posts scraps containing the text “Bom Sabado” and also adds affected users to new Orkut groups.
Such XSS attacks have targeted Orkut in the past too.
Profiles infected by the Bom Sabado worm automatically post the worm’s scraps to other users’ scrapbooks.
Merely viewing a Bom Sabado scrap in your own scrapbook or in a friend’s scrapbook is enough to get your account hijacked.
Google identified the bug that allowed this and fixed it on September 26th, 2010.
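Both the Twitter incident earlier on this page and the Orkut worm are cross-site scripting bugs of the same shape: user-supplied content reached page markup without escaping, so a crafted message could carry a script or event handler that runs for whoever views it or passes the mouse over it. The Python below is an added example, not Twitter's or Orkut's code, and the payload is an assumption about how an attribute-context injection works in general, not a description of either site's actual bug. It renders a user-supplied link the vulnerable way (plain concatenation) and the fixed way (attribute escaping plus a URL scheme check), and includes a crude detector for a smuggled on* attribute.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed inputs (hypothetical, not taken from either incident). The malicious
# one closes the href attribute early and smuggles a mouseover handler after it.
SAFE_URL = "http://example.test/page"
MALICIOUS_URL = 'http://example.test/"onmouseover="alert(document.cookie)'

def render_link_vulnerable(url: str) -> str:
    """Builds the anchor by concatenation, trusting the value exactly as supplied."""
    return '<a href="' + url + '">' + url + '</a>'

def render_link_fixed(url: str) -> str:
    """Allows only absolute http(s) URLs and escapes the value for attribute and text context."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        url = "#"            # javascript: and data: URLs never become clickable links
    safe = html.escape(url, quote=True)   # quote=True also turns " and ' into entities
    return '<a href="' + safe + '">' + safe + '</a>'

# An on* attribute preceded by a closing quote or whitespace. The templates above
# never write event handlers, so any hit means the input broke out of the href value.
EVENT_HANDLER = re.compile(r'["\'\s]on[a-z]+\s*=', re.IGNORECASE)

def has_injected_handler(markup: str) -> bool:
    """Crude detector for a smuggled event handler in rendered markup."""
    return EVENT_HANDLER.search(markup) is not None

if __name__ == "__main__":
    for name, render in (("vulnerable", render_link_vulnerable),
                         ("fixed", render_link_fixed)):
        out = render(MALICIOUS_URL)
        print(f"{name}: injected handler = {has_injected_handler(out)}")
        print("   ", out)
```

Escaping fixes the attribute break-out but not a `javascript:` href, which is why the fixed renderer also checks the scheme; a real application would additionally decide how to treat relative URLs, which this example simply refuses. The regex is only a sanity check on output, not a substitute for escaping at every point where untrusted data enters markup.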