Home Tags SQL Injection

Tag: SQL Injection

Million-Plus WordPress Sites Exposed by Vulnerable Plugin

The popular NextGEN Gallery WordPress plugin was recently patched to address a “severe” SQL injection vulnerability that put website databases at risk.

Researchers find “severe” flaw in WordPress plugin with 1 million installs

If you use NextGEN Gallery, now would be a good time to update.

Russian-Speaking Rasputin Breaches Dozens Of Organizations

Attacker behind Election Assistance Commission hack now using SQL injection as his weapon of choice against universities and government agencies.

Rasputin whips out large intimidating tool, penetrates uni, city, govt databases...

Ra, Ra Rasputin.
SQL injection is his thing A Russian-speaking miscreant dubbed "Rasputin," who potentially hacked into the US Election Assistance Commission and sold access to its systems, has struck again, it is claimed.…

How to predict the next major hack

I think we can all agree that Yahoo has really had an off decade (or so). Most recently, reports revealed that, basically, Yahoo's security mechanism was at best an honor system and at worst a giant fraud.

This is only the latest major uh-oh in a string of them.The crazy thing is that most cracking instances are either the result of not keeping up with patches or boneheaded programming errors that allow code injection, SQL injection, and cross-site scripting.

This happens over and over and over again.

Avoiding these problems is easy: All you need are good coding and QA practices.[ Expand your security career horizons with these essential certifications for smart security pros. | Discover how to secure your systems with InfoWorld's Security Report newsletter. ]But many organizations don’t do that.
Instead they move development to “low-cost countries” and treat attacks as a sort of rare, 100-year weather event they can’t avoid or afford to mitigate.

Thus, it happens over and over again.To read this article in full or to leave a comment, please click here

WordPress patches dangerous XSS, SQL injection bugs

The security release fixes three flaws in the content management system.

WordPress slips out three quick patches

Cross-site scripting, cross-site request forgery shuttered WordPress has fixed three flaws in its content management system, shuttering cross-site scripting and SQL injection bugs three weeks after its last update.…

WordPress 4.7.2 Update Fixes XSS, SQL Injection Bugs

WordPress fixed three security issues, including a XSS and SQL injection, with WordPress 4.7.2 this week.

GitHub Bug Bounty Program Continues to Pay Rewards

GitHub celebrates the third anniversary of its Bug Bounty program, with bonus rewards for security disclosures, as the program continues to help the popular code development platform stay secure. In January 2014, the GitHub distributed version control code repository first launched a bug bounty program, rewarding security researchers for responsibly disclosing software vulnerabilities. Now three years later in January 2017, GitHub is celebrating the third anniversary of its bug bounty program, with bonus rewards for the top submissions made in January and February.The current GitHub bug bounty platform runs on the HackerOne platform. Greg Ose, GitHub’s Application Security Engineering Manager explained that GitHub moved to HackerOne in April 2016."We have developed API integrations with HackerOne to kick off our internal triage with developers and to maintain our bounty website at bounty.github.com," Ose told eWEEK. "Bounty.github.com still includes our program's leaderboard and detailed write-ups for submissions."Over its three year existence, the bug bounty program has worked out well for both GitHub and participating security researchers. In the first two years of the program, GitHub paid out a total of $95,300 in bug bounties across 102 submissions. Ose noted that in the third year of the program, GitHub paid out a total of $81,700 for 73 submissions. Looking at all the different issues that have come into the bug bounty program, there have been several that have really stood out. Ose said that one issue that helped define a major focus area for application security at GitHub was a report that was received in February 2014. The report detailed a dangerous Cross-Site-Scripting (XSS) vulnerability on the main GitHub.com website. "We had worked to harden GitHub.com against various cross-site scripting (XSS) attacks using a, then recent, browser feature called Content Security Policy (CSP)," Ose explained. "The submitter was able to not only demonstrate a content injection vulnerability within GitHub.com, but also detailed a bypass to our existing CSP to allow JavaScript execution."After fixing the issue, GitHub used the vulnerability as an example to lock down the restrictions enforced by CSP and to implement new browser security features. Ose said that the new features aim to help prevent content injection vulnerabilities from escalating to JavaScript execution or to the exfiltration of sensitive information from GitHub's web pages. He added that GitHub's engineering team has been documenting some its CSP efforts online and the plan is to publish additional details of protections GitHub has continued to implement.While GitHub is an online repository for projects, at its core, the site makes use of the open-source Git version control system, originally developed by Linux creator Linus Torvalds."While less common than submissions in our web applications, we have received, paid out, and fixed vulnerabilities in Git," Ose said. "Luckily, a number of core Git developers are also employees at GitHub so we've been able to quickly contribute fixes for these issues upstream." Anniversary Contest For the third anniversary of the GitHub bug bounty program, there is a contest that will award additional prize money for the best security reports. Ose said that the contest will end on February 28th, 2017, with the most severe vulnerabilities reported winning the top prizes. The top prize in the contest is a $12,000 award, second place is $8,000 and third prize is $5,000."Typically, vulnerabilities such as SQL injection, gaps in authorization, and system level vulnerabilities, like remote code execution, net the highest severity and payouts," Ose said.Additionally Ose noted that GitHub has also set aside a $5,000 reward for the best report. He explained that sometimes GitHub receives reports that might not have the biggest technical impact, but that are unique in their nature or just really well described by the reporter.Looking forward, Ose said that GitHub is always looking to expand its bug bounty program, both in application scope as well as participation by the security community. For example, in January 2017, the program now includes the GitHub Enterprise platform as a target for security researchers."We will also be launching very focused bug bounties, with increased payouts, for specific features of our applications," Ose said. "For example, as we utilize new browser security features, we would like researchers to focus on these specific protections.""Submissions in these focused areas allow us to not only improve our implementation, but also help us contribute back best practices to other development and application security teams," he said.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Deceive in order to detect

Interactivity is a security system feature that implies interaction with the attacker and their tools as well as an impact on the attack scenario depending on the attacker’s actions. For example, introducing junk search results to confuse the vulnerability scanners used by cybercriminals is interactive. As well as causing problems for the cybercriminals and their tools, these methods have long been used by researchers to obtain information about the fraudsters and their goals. There is a fairly clear distinction between interactive and “offensive” protection methods. The former imply interaction with attackers in order to detect them inside the protected infrastructure, divert their attention and lead them down the wrong track. The latter may include all the above plus exploitation of vulnerabilities on the attackers’ own resources (so-called “hacking-back”). Hacking-back is not only against the law in many countries (unless the defending side is a state organization carrying out law enforcement activities) it may also endanger third parties, such as users’ computers compromised by cybercriminals. The use of interactive protection methods that don’t break the law and that can be used in an organization’s existing IT security processes make it possible not only to discover if there is an intruder inside the infrastructure but also to create a threat profile. One such approach is Threat Deception – a set of methods, specialized solutions and processes that have long been used by researchers to analyze threats. In our opinion, this approach can also be used to protect valuable data inside the corporate network from targeted attacks. Characteristics of targeted attacks Despite the abundance of technology and specialized solutions to protect corporate networks, information security incidents continue to occur even in large organizations that invest lots of money to secure their information systems. Part of the reason for these incidents is the fact that the architecture of automated security solutions, based on identifying patterns in general traffic flows or monitoring a huge number of endpoints, will sooner or later fail to recognize an unknown threat or a criminal stealing valuable data from the infrastructure. This may occur, for example, if the attacker has studied the specific features of a corporate security system in advance and identified a way of stealing valuable data that will go unnoticed by security solutions and will be lost among the legitimate operations of other users. nother reason is the fact that APT attacks differ from other types of attacks: in terms of target selection and pinpoint execution, they are similar to surgical strikes, rather than the blanket bombing of mass attacks. The organizers of targeted attacks carefully study the targeted infrastructure, identifying gaps in configuration and vulnerabilities that can be exploited during an attack. With the right budget, an attacker can even deploy the products and solutions that are installed in the targeted corporate network on a testbed. Any vulnerabilities or flaws identified in the configuration may be unique to a specific victim. This allows cybercriminals to go undetected on the network and steal valuable data for long periods of time. To protect against an APT, it is necessary not only to combat the attacker’s tools (utilities to analyze security status, malicious code, etc.) but to use specific behavioral traits on the corporate network to promptly detect their presence and prevent any negative consequences that may arise from their actions. Despite the fact that the attacker usually has enough funds to thoroughly examine the victim’s corporate network, the defending side still has the main advantage – full physical access to its network resources. And it can use this to create its own rules on its own territory for hiding valuable data and detecting an intruder. After all, “locks only keep an honest person honest,” but with a motivated cybercriminal a lock alone is not enough – a watchdog is required to notify the owner about a thief before he has time to steal something. Interactive games with an attacker In our opinion, in addition to the obligatory conventional methods and technologies to protect valuable corporate information, the defensive side needs to build interactive security systems in order to get new sources of information about the attacker who, for one reason or another, has been detected inside the protected corporate network. Interactivity in a security system implies a reaction to the attacker’s actions. That reaction, for instance, may be the inclusion of the attacker’s resources to a black list (e.g. the IP address of the workstations from which the attack is carried out) or the isolation of compromised workstations from other network resources. An attacker who is looking for valuable data within a corporate network may be deliberately misled, or the tools used by the attacker, such as vulnerability scanners, could be tricked into leading them in the wrong direction. Let’s assume that the defending side has figured out all the possible scenarios where the corporate network can be compromised and sets traps on the protected resource: a special tool capable of deceiving automated vulnerability scanners and introducing all sorts of “junk” (information about non-existent services or vulnerabilities, etc.) in reports; a web scenario containing a vulnerability that, when exploited, leads the attacker to the next trap (described below); a pre-prepared section of the web resource that imitates the administration panel and contains fake documents. How can these traps help? Below is a simple scenario showing how a resource with no special security measures can be compromised: The attacker uses a vulnerability scanner to find a vulnerability on the server side of the protected infrastructure, for example, the ability to perform an SQL injection in a web application. The attacker successfully exploits this vulnerability on the server side and gains access to the closed zone of the web resource (the administration panel). The attacker uses the gained privileges to study the inventory of available resources, finds documents intended for internal use only and downloads them. Let’s consider the same scenario in the context of a corporate network where the valuable data is protected using an interactive system: The attacker searches for vulnerabilities on the server side of the protected infrastructure using automated means (vulnerability scanner and directory scanner). Because the defending side has pre-deployed a special tool to deceive scanning tools, the attacker has to spend time analyzing the scan results, after which the attacker finds a vulnerability – the trap on the server side of the protected infrastructure. The attacker successfully exploits the detected vulnerability and gains access to the closed zone of the web resource (the administration panel). The attempt to exploit the vulnerability is recorded in the log file, and a notification is sent to the security service team. The attacker uses the gained privileges to study the inventory of available resources, finds the fake documents and downloads them. The downloaded documents contain scripts that call the servers controlled by the defending side. The parameters of the call (source of the request, time, etc.) are recorded in the log file. This information can then be used for attacker attribution (what type of information they are interested in, where the workstations used in the attack are located, the subnets, etc.) and to investigate the incident. Detecting an attack by deceiving the attacker Currently, in order to strengthen protection of corporate networks the so-called Threat Deception approach is used. The term ‘deception’ comes from the military sphere, where it refers to a combination of measures aimed at misleading the enemy about one’s presence, location, actions and intentions. In IT security, the objective of this interactive system of protection is to detect an intruder inside the corporate network, identifying their attributes and ultimately removing them from the protected infrastructure. The threat deception approach involves the implementation of interactive protection systems based on the deployment of traps (honeypots) in the corporate network and exploiting specific features of the attacker’s behavior. In most cases, honeypots are set to divert the attacker’s attention from the truly valuable corporate resources (servers, workstations, databases, files, etc.). The use of traps also makes it possible to get information about any interaction between the attacker and the resource (the time interactions occur; types of data attracting the attacker’s attention, toolset used by the attacker, etc.). However, it’s often the case that a poorly deployed trap inside a corporate network will not only be successfully detected and bypassed by the attackers but can serve as an entry point to genuine workstations and servers containing valuable information. Incorrect implementation of a honeypot in the corporate network can be likened to building a small house next to a larger building containing valuable data. The smaller house is unlikely to divert the attention of the attacker; they will know where the valuable information is and where to look for the “key” to access it. Simply installing and configuring honeypots is not enough to effectively combat cybercriminals; a more nuanced approach to developing scenarios to detect targeted attacks is required. At the very least, it is necessary to carry out an expert evaluation of the attacker’s potential actions, to set honeypots so that the attacker cannot determine which resources (workstations, files on workstations and servers, etc.) are traps and which are not, and to have a plan for dealing with the detected activity. Correct implementation of traps and a rapid response to any events related to them make it possible to build an infrastructure where almost any attacker will lose their way (fail to find the protected information and reveal their presence). Forewarned is forearmed Getting information about a cybercriminal in the corporate network enables the defending side to take measures to protect their valuable data and eliminate the threat: to send the attacker in the wrong direction (e.g., to a dedicated subnet), and thereby concealing valuable resources from their field of view, as well as obtaining additional information about the attacker and their tools, which can be used to investigate the incident further; to identify compromised resources and take all necessary measures to eliminate the threat (e.g., to isolate infected workstations from the rest of the resources on the corporate network); to reconstruct the chronology of actions and movements of the attacker inside the corporate network and to define the entry points so that they can be eliminated. Conclusion The attacker has an advantage over the defender, because they have the ability to thoroughly examine their victim before carrying out an attack. The victim doesn’t know where the attack will come from or what the attacker is interested in, and so has to protect against all possible attack scenarios, which requires a significant amount of time and resources. Implementation of the Threat Deception approach gives the defending side an additional source of information on threats thanks to resource traps. The approach also minimizes the advantage enjoyed by the attacker due to both the early detection of their activity and the information obtained about their profile that enables timely measures to be taken to protect valuable data. It is not necessary to use prohibited “offensive security” methods, which could make the situation worse for the defending side if law enforcement agencies get involved in investigating the incident. Interactive security measures that are based on deceiving the attacker will only gain in popularity as the number of incidents in the corporate and public sector increases. Soon, systems based on the Threat Deception approach will become not just a tool of the researchers but an integral part of a protected infrastructure and yet another source of information about incidents for security services. If you’re interested in implementing the Threat Deception concept described in the post on your corporate network, please complete the form below:

Threat Attribution: Misunderstood & Abused

Despite its many pitfalls, threat attribution remains an important part of any incident response plan. Here's why. Threat attribution is the process of identifying actors behind an attack, their sponsors, and their motivations.
It typically involves forensic analysis to find evidence, also known as indicators of compromise (IOCs), and derive intelligence from them. Obviously, a lack of evidence or too little of it will make attribution much more difficult, even speculative.

But the opposite is just as true, and one should not assume that an abundance of IOCs will translate into an easy path to attribution. Let’s take a simple fictional example to illustrate: François is the chief information security officer (CISO) at a large US electric company that has just suffered a breach.

François’ IT department has found a malicious rootkit on a server which, after careful examination, shows that it was compiled on a system that supported pinyin characters. In addition, the intrusion detection system (IDS) logs show that the attacker may have been using an IP address located in China to exfiltrate data.

The egress communications show connections to a server in Hong Kong that took place over a weekend with several archives containing blueprints for a new billion-dollar project getting leaked. The logical conclusion might be that François’ company was compromised by Chinese hackers stealing industrial secrets.

After all, strong evidence points in that direction and the motives make perfect sense, given many documented precedents. This is one of the issues with attribution in that evidence can be crafted in such a way that it points to a likely attacker, in order to hide the real perpetrator’s identity.

To continue with our example, the attacker was in fact another US company and direct competitor.

The rootkit was bought on an underground forum and the server used to exfiltrate data was vulnerable to a SQL injection, and had been taken over by the actual threat actor as a relay point. Another common problem leading to erroneous attribution is when the wrong IOCs have been collected or when they come with little context. How can leaders make a sound decision with flawed or limited information? Failing to properly attribute a threat to the right adversary can have moderate to more serious consequences.

Chasing down the wrong perpetrator can result in wasted resources, not to mention being blinded to the more pressing danger. But threat attribution is also a geopolitical tool where flawed IOCs can come in handy to make assumptions and have an acceptable motive to apply economic sanctions.

Alternatively, it can also be convenient to refute strong IOCs and a clear threat actor under the pretext that attribution is a useless exercise. Despite its numerous pitfalls, threat attribution remains an important part of any incident response plan.

The famous “know your enemy” quote from the ancient Chinese general Sun Tzu, is often cited when it comes to computer security to illustrate that defending against the unknown can be challenging.
IOCs can help us bridge that gap by telling us if attackers are simply opportunistic or are the ones you did not expect. More Insights

Trump’s cyber-guru Giuliani runs ancient ‘easily hackable website’

Stunned security experts tear strips off president-elect pick hours after announcementUS president-elect Donald Trump's freshly minted cyber-tsar Rudy Giuliani runs a website with a content management system years out of date and potentially utterly hackable. Former New York City mayor and Donald loyalist Giuliani was today unveiled by Trump's transition team as the future president's cybersecurity adviser – meaning Giuliani will play a crucial role in the defense of America's computer infrastructure. Giulianisecurity.com, the website for the ex-mayor's eponymous infosec consultancy firm, is powered by a roughly five-year-old build of Joomla! that is packed with vulnerabilities.
Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server. This seemingly insecure system also has a surprising number of network ports open – from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. Security gurus are right now tearing strips off Trump's cyber-wizard pick.

Top hacker Dan Tentler was first to point out the severely out-of-date Joomla! install. "It speaks volumes," Tentler told The Register, referring to Giuliani's computer security credentials, or lack of, and fitness for the top post. "Seventy-year-old luddite autocrats who often brag about not using technology are somehow put in charge of technology: it's like setting our country on fire and giving every extranational hacker a roman candle – or, rather, not setting on fire, but dousing in gasoline." Content management system developer Michael Fienen also pulled no punches: It gets worse. "Giuliani is running a version of PHP that was released in 2013, and a version of Joomla that was released around 2012," said Ty Miller, a director at Sydney-based infosec biz Threat Intelligence. "Using the version information, within minutes we were able to identify a combined list of 41 publicly known vulnerabilities and 19 publicly available exploits.

Depending upon the configuration of the website, these exploits may or may not work, but is an indication that Giuliani's security needs to be taken up a level." Found on /r/sysadmin, presented without comment. pic.twitter.com/UmWe7tHURv — Ryan Castellucci (@ryancdotorg) January 12, 2017 The most surprising fact in all of this is that the Giuliani Security website hasn't ALREADY been hacked.

They might as well put out a sign. — Michael Fienen (@fienen) January 12, 2017 Another computer security expert, speaking to The Register on condition of anonymity, analyzed Giuliani's website for us. Our guru, based in Australia, said that while the pending cyber-tsar is likely to have outsourced management of his online base, the fact that the mayor-turned-cyber-expert didn't check for lax security on his own website is not going to instill any confidence. We have reproduced our contact's assessment in full on the next page. ® 'Someone should be taken to task for this' Well, talking nuts and bolts: that website is hosted with a hosting provider.
It looks like it has its own IP address based on having a single DNS PTR object (reverse address to the name giulianisecurity.com) which means its unlikely to be in use by other organisations (except maybe his own... who knows.) That IP address is allocated out of a block of addresses registered to Japanese giant NTT but these could also be provided to NTT’s customers such as web developers/hosting providers etc. Without actively poking at the site – which I’m terrified to do, frankly – it may be shared hosting, may be a VPS, or may be a physically separate dedicated hosting solution.
I’m betting it’s a cheap VPS-based ‘dedicated’ solution. My experience with this kind of hosting means that a nice attack vector is identifying the hosting provider and trying to get allocated a similar hosting solution in the adjacent IP address space, getting root on it (or having it if it’s a VPS) and then using ‘layer 2’ fun and games to redirect the victim site’s traffic to the attacker.

This still works amazingly well and is why smart people try to do things like statically publish layer-2 addresses for layer 3 IP gateways (although this is only so effective, really). For the giulianisecurity.com domain they seem to use Microsoft Office 365 for his email. Not a bad choice.

Email security sucks and, unless you know what you’re doing/are a glutton for punishment or are generally my kind of tinfoilhat wearer (hey, friends), it’s best to leave email security to someone reasonably credible. I also note they use a large trademark monitor company – MarkMonitor.com – for the DNS service provider for the domain name giulianisecurity.com. Which is hilarious.

Because, yeah, you’d want to intrude trademark-wise on this guy’s name because it’s such a valuable brand. Like Trump’s, you know? The reality is someone else makes these choices for him for his business.
It’s not like he’s there, updating his ancient and known vulnerable Joomla content management system himself (he’d get props from me if that were the case :) Anyone truly trying to protect your brand would avoid putting a giant red flag like an unpatched CMS in a commodity hosting environment out there. Whether it’s Giuliani’s company’s responsibility or an outsourced provider’s (very likely) the ‘having ancient Joomla’ in place is a pretty bad look.
Someone should be taken to task a bit for this.

And if you’re a security and safety company with an understanding of information security threats you’d have threat management programs in place to identify and improve your controls. For example, if you were undertaking actual security testing of your site I’d wager anyone in infosec – or in IT generally really – would’ve noticed the ancient CMS and its default install remnants using the crappiest, free-est tools out there.
So respectfully, Rudy, get someone to patch your shit and seek out some kind of specialist advice. Snarky comments aside – it really comes down to this greater concern: there’s literally millions of people in infosec who would be better cyber security advisors than Giuliani or whomever his technical advisors are that he’d call on for advice. So I’d ask – again respectfully – that the president elect cast a slightly wider net than he has to receive ‘cyber’ security advice.

As much as most people in infosec are a bunch of opinionated jerks (oh, and we are) we’re all here to help. Just ask a professional.

First sign in knowing one? It’s the person who doesn’t use the word ‘cyber’ to prefix everything they say.