Long story short, Target has confirmed a massive data breach of their credit card data. It doesn’t look like any statistics have been released yet, but usually in cases like this it affects all customers that have paid with a credit card.
My organization is doing what many organizations that use Microsoft products are doing right now, and that is evaluating Office 365. I think it’s safe to say that the response from the Security team has been overwhelmingly that it is a bad idea from the get-go, especially with the amount of confidential data that we have. On top of this, it is a lot more expensive compared to the internal, secure hosting that we are using now. Suffice it to say, I was incredibly joyful when I stumbled across an article last night showcasing a severe vulnerability for Office 365. Check it out at: Office 365 Vulnerability
Now, this is being released because Microsoft is about to patch it, but it has been around since at least April, and most likely longer, and there are probably many other security issues as well. It’s always nice to see articles such as this when Microsoft sales reps are constantly telling you just how secure everything is, how there are no problems, and how it is just as secure as the internal hosting we’re using now. We all know it’s a line of bullshit, but it is nice to have the proper validation.
I decided to start sharing some of the tools that I use on a daily basis to perform my job, and one of my favorites is SQLMAP. SQLMAP is a command-line tool that is used for automatic SQL injection and database takeover. It is built in Python, so it is available for any operating system that can run Python.
The tool itself supports MySQL, Oracle, Microsoft SQL Server, MS Access, SQLite, and a few other database systems. Basically, if an application is important enough to have a database, SQLMAP can attack it. The tool can take a URL, a direct connection to the database, proxy log files (such as Burp’s), config files, and more as its input. There are options to support proxies, cookies, specifying injection points, etc. For a full list of options and switches, consult the user manual.
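Since the post describes SQLMAP from the attacker's side, here is the defender's half: a small log analyzer that flags the requests an automated SQL injection tool leaves behind. This is an added example, not code from the post or from the sqlmap project. The log lines are constructed, and the User-Agent check relies on sqlmap's default UA string beginning with "sqlmap/", which an operator can change, so the query-string heuristics do the real work.

```python
"""Flag web-server log lines that look like automated SQL injection probing.

Added example, not code from the original post or from the sqlmap project.
The log lines are constructed for illustration. The User-Agent check relies
on sqlmap's default UA, which starts with "sqlmap/"; that string is easily
changed, so the query-string heuristics below do the real work and the UA
match is only a cheap first signal.
"""
import re
from urllib.parse import unquote_plus

# Constructed Apache/nginx "combined" format lines: one clean request, two
# injection probes (one with the default sqlmap UA, one with a browser UA),
# and a benign query that happens to contain the word "union".
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2013:10:01:02 -0500] "GET /item.php?id=5 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2013:10:01:03 -0500] "GET /item.php?id=5%27%20AND%201%3D1--%20 HTTP/1.1" 200 1432 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [12/Dec/2013:10:01:04 -0500] "GET /item.php?id=5%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Dec/2013:10:02:00 -0500] "GET /search?q=union+station HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristics applied to the URL-decoded request path, as (name, regex) pairs.
PAYLOAD_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("quoted-boolean", re.compile(r"['\"]\s*(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("comment-terminator", re.compile(r"--(\s|$)")),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)),
]
UA_RE = re.compile(r"^sqlmap/", re.I)


def analyze_line(line):
    """Parse one combined-format line.

    Returns (ip, decoded_path, reasons), where reasons lists the matched
    heuristic names (empty for a clean request), or None if the line does
    not parse.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if UA_RE.match(m.group("ua")):
        reasons.append("sqlmap-user-agent")
    decoded = unquote_plus(m.group("path"))  # probes arrive URL-encoded
    for name, pat in PAYLOAD_PATTERNS:
        if pat.search(decoded):
            reasons.append(name)
    return m.group("ip"), decoded, reasons


def find_suspicious(log_text):
    """Return [(ip, decoded_path, reasons)] for every line that trips a heuristic."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = analyze_line(line)
        if parsed and parsed[2]:
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for ip, path, reasons in find_suspicious(SAMPLE_LOG):
        print("%-15s %-50s %s" % (ip, path, ", ".join(reasons)))
```

Run against a real access log the patterns will produce some noise (anything with a literal "--" followed by a space, for instance), so treat a hit as a reason to look at the source IP's full session, not as proof on its own; a burst of such requests against one parameter from one address is the signature an automated scanner leaves.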
It is also a great tool to use for demos. Quite often, I am invited to management level meetings to talk about application security and why it is so important. Like many things in information security, nothing is quite as convincing as giving a live demo.
Please note that using this tool against any database that you do not own would generally be considered illegal. Please use at your own risk. There are several platforms that you can download to test a tool like SQLMAP in your own environment, such as SQLOL or DVWA, but we will leave that discussion for a later time.
Here is a great video from a presentation I attended at DerbyCon 2013 this year. It is a video demonstrating how to use SQLMAP to attack the SQLOL database and has a lot of good information. Later on, I will post some videos and demos of how to install this, make it work, attack the database, etc. Credit goes to Conrad Reynolds for putting together this presentation.
This is another good video from the HP Protect 2013 conference. It’s another video of Dr. Gary McGraw, this time talking more about his views on software security and the BSIMM. Definitely worth a watch; there is a lot that you can learn from this guy.
Bug Parades, Zombies, and the BSIMM: A decade of software security!
I had the privilege of attending the HP Protect conference in Washington D.C. this year. I found it to be a great experience and I’ll see if I can’t get a write-up of it going sometime in the near future. One thing that I did want to share was an excellent video from the software security keynote by Dr. Gary McGraw of Cigital. Very informative and entertaining.
Another type of attack that we haven’t talked about yet is cross-frame scripting. In a cross-frame scripting attack, an attacker takes a page of your site and embeds it in an iframe on a page they control. Some simple CSS can then be put in place to make the page look like it is actually yours rather than an iframe. This might seem pretty harmless, but the attacker could include malicious scripts to do things like capture keypresses and send them to a web service on their own site. Some really good information can be found at OWASP.
These days, this attack is a bit trickier to pull off, as cross-domain communication is generally blocked and it takes quite a bit of work to get around this. That being said, it can be done, so you should treat this as a real threat. It also becomes a bigger insider threat: I could write an app that includes another dev’s site and steal user credentials that way without having to worry about cross-domain issues at all.
So, how about the defense. Ready for this?
<META http-equiv="X-Frame-Options" content="Deny" />
That’s it! Just put that HTML in the head of your pages and it will prevent your site from being rendered in an iframe!
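One caveat a practitioner will want before shipping that tag: browsers honour X-Frame-Options only when it arrives as an HTTP response header, and they ignore the meta http-equiv form, so the protection has to be set by the server (or by a filter in front of it). The code below is an added example, not code from the post: a small WSGI middleware that sets the header (plus the equivalent CSP frame-ancestors directive for newer browsers), and an audit function that tells a header-protected page apart from one that only carries the meta tag. The demo app, the sample HTML and the middleware are constructed for illustration.

```python
"""Cross-frame (clickjacking) defence as HTTP response headers, with a check
that tells a header-protected page from one that only carries the meta tag.

Added example, not code from the original post. Browsers honour
X-Frame-Options only as an HTTP response header and ignore the
<meta http-equiv="X-Frame-Options"> form, so the audit below reports such a
page as "meta-only". The WSGI middleware, the demo app and the sample HTML
are constructed for illustration.
"""
import re


def frame_headers(policy="deny"):
    """Headers that stop other origins from framing the page.

    "deny": never allow framing; "sameorigin": only pages from our own origin
    may frame us. Both the legacy X-Frame-Options header and the equivalent
    CSP frame-ancestors directive are sent, so old and new browsers are covered.
    """
    policy = policy.lower()
    if policy == "deny":
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if policy == "sameorigin":
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    raise ValueError("unknown framing policy: %r" % policy)


def add_frame_protection(app, policy="deny"):
    """WSGI middleware that adds the framing headers to every response unless
    the wrapped app already set them itself."""
    extra = list(frame_headers(policy).items())

    def wrapped(environ, start_response):
        def protected_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            headers = list(headers) + [h for h in extra if h[0].lower() not in present]
            return start_response(status, headers, exc_info)
        return app(environ, protected_start)

    return wrapped


# Matches the meta-tag form of the directive in a response body.
META_XFO = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?x-frame-options', re.I)


def audit_framing(headers, body=""):
    """Classify a fetched page as "header" (protected), "meta-only" (the tag is
    there but browsers ignore it, so not protected) or "none"."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    if "x-frame-options" in lowered or "frame-ancestors" in csp:
        return "header"
    if META_XFO.search(body):
        return "meta-only"
    return "none"


def demo_app(environ, start_response):
    """Constructed page that relies on the meta tag alone."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b'<html><head><META http-equiv="X-Frame-Options" content="Deny" /></head>'
            b'<body>account settings</body></html>']


def call_app(app, path="/"):
    """Invoke a WSGI app once with a minimal environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body.decode()


if __name__ == "__main__":
    print("meta tag only:", audit_framing(*call_app(demo_app)[1:]))
    print("with middleware:", audit_framing(*call_app(add_frame_protection(demo_app))[1:]))
```

The same two headers can be set by IIS, Apache or nginx configuration instead of application code; what matters is that they appear on every HTML response, including error pages, and that a crawl of the site checks the response headers rather than the markup.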