12 posts from March 2012
March 29, 2012
Havij 101

Great article on Havij, a tool designed to execute SQL injections.  Ericka at Dark Reading deserves major kudos for writing about the topic and bringing attention to it.

As the piece states and, as we highlighted in our hacktivism report, Havij is a major tool in the hacker's arsenal.  We detailed how Havij was used to breach PBS last year.

Essentially, Havij is an automated SQL injection tool.  Hackers use it in conjunction with vulnerability assessment (VA) tools such as Acunetix or Nikto.  VA scanners find vulnerabilities but stop short of an actual exploitation—and that’s exactly where Havij starts.  In other words, VA gives you a list of targets, Havij takes the shots.

What does the process of using Havij look like?  It's hardly complicated:

[Screenshot: Havij1]

Note some of the key functionality:

  • Get DBs:  Hmm, wonder what that does.
  • Get Tables:  Hmm, wonder what that does.
  • Get Columns:  Hmm, wonder what that does.
  • Get Data:  No idea.

You’ll also note in the above the picture, Havij reconstructs the database’s contents.  It can perform many types of SQL injections to achieve that task.
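To make those four buttons concrete, here is an added example (not from the original post, and not Havij's own code) that models what an automated SQL injection tool does behind a single injectable parameter: it uses a UNION-based injection to read the database catalogue, then each table's columns, then the rows themselves. It runs against an in-memory SQLite database constructed for the example, so the catalogue is sqlite_master and pragma_table_info rather than MySQL's information_schema; the vulnerable query, the parameterized one beside it, and the sample data are all assumptions.

```python
import sqlite3


def build_db():
    """Constructed sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99'), (2, 'gadget', '19.99');
        INSERT INTO users VALUES (1, 'alice@example.com', '5f4dcc3b'),
                                (2, 'bob@example.com', 'e99a18c4');
    """)
    return conn


def product_vulnerable(conn, product_id):
    """Assumed vulnerable lookup: user input concatenated straight into SQL."""
    sql = "SELECT name, price FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def product_safe(conn, product_id):
    """Same lookup, parameterized: the driver binds the value, it never becomes SQL."""
    return conn.execute(
        "SELECT name, price FROM products WHERE id = ?", (product_id,)
    ).fetchall()


def union_inject(query_fn, conn, select_expr, from_clause):
    """One UNION-based injection through the vulnerable parameter.

    '0' matches no real product so only injected rows come back; the injected
    SELECT pads to the two-column width of the original query.  Results are
    sorted because UNION gives no ordering guarantee."""
    payload = f"0 UNION SELECT {select_expr}, '' FROM {from_clause}"
    try:
        rows = query_fn(conn, payload)
    except sqlite3.Error:
        return []
    return sorted(r[0] for r in rows)


def get_tables(query_fn, conn):
    # "Get DBs/Tables": SQLite's catalogue is sqlite_master;
    # on MySQL this would be information_schema.tables
    return union_inject(query_fn, conn, "name", "sqlite_master WHERE type='table'")


def get_columns(query_fn, conn, table):
    # "Get Columns": pragma_table_info() plays the role of information_schema.columns
    return union_inject(query_fn, conn, "name", f"pragma_table_info('{table}')")


def get_data(query_fn, conn, table, columns):
    # "Get Data": concatenate every column into one string so it fits the first column
    return union_inject(query_fn, conn, " || ':' || ".join(columns), table)


def dump_everything(query_fn, conn):
    """Chain the steps exactly the way the tool does: tables -> columns -> rows."""
    loot = {}
    for table in get_tables(query_fn, conn):
        cols = get_columns(query_fn, conn, table)
        loot[table] = get_data(query_fn, conn, table, cols)
    return loot


if __name__ == "__main__":
    db = build_db()
    print("vulnerable endpoint:", dump_everything(product_vulnerable, db))
    print("parameterized endpoint:", dump_everything(product_safe, db))
```

Against the concatenated query the chain walks out with every row of every table, including the users table the endpoint never meant to expose; against the parameterized query the very same payloads are compared as a literal string to the id column and return nothing. That is the whole reason the fix for Havij is in the application code, not in the network.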

How do you stop Havij?  We detailed the steps for stopping SQL injection here.  It's one of the most read blogs we've ever written and is always worth reviewing.  It's also worth noting that traditional network firewalls as well as next-generation firewalls can't block Havij.

Here’s what our WAF looks like when hit by Havij (see the green box):

[Screenshot: Havij2]

Here’s what Havij looks like when blocked or unable to find an exploit (see red at the bottom of the picture):

[Screenshot: Havij3]
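Since the screenshots of the WAF detection do not survive, here is an added example (not from the original post, and not our WAF's rule set) of what the detection amounts to at the request level: parse access-log lines, URL-decode the request, and tag the injection techniques an automated tool cycles through (UNION probes, catalogue reads, boolean and time-based probes). The log lines are constructed for the example. The User-Agent check assumes Havij's default User-Agent contains the tool name, which the operator can change, so the verdict never rests on it alone.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in combined log format (not from the original post):
# one benign client, one client driving an automated SQL injection tool through
# /product.php, and one benign search containing the word "union".
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2012:10:01:02 +0000] "GET /product.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/11.0"
10.0.0.9 - - [29/Mar/2012:10:01:03 +0000] "GET /product.php?id=7%20UNION%20SELECT%20schema_name,2%20FROM%20information_schema.schemata HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"
10.0.0.9 - - [29/Mar/2012:10:01:04 +0000] "GET /product.php?id=7%20AND%201=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"
10.0.0.9 - - [29/Mar/2012:10:01:05 +0000] "GET /product.php?id=7%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (custom)"
10.0.0.12 - - [29/Mar/2012:10:01:06 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Macintosh) Safari/534"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Payload signatures applied to the URL-decoded request.  Deliberately broad,
# so the false-positive case in the sample ("union station") is visible.
PAYLOAD_PATTERNS = {
    "union-select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "schema-probe": re.compile(r"information_schema|sqlite_master|sysobjects|all_tables", re.I),
    "boolean-probe": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "time-probe": re.compile(r"\b(?:sleep|benchmark)\s*\(|waitfor\s+delay", re.I),
}

# Assumption: the tool's default User-Agent carries its name.  Trivially changed
# by the operator, so it corroborates the payload tags but never replaces them.
TOOL_UA = re.compile(r"havij", re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of technique tags one request triggers."""
    tags = []
    decoded = unquote_plus(entry["path"])
    for name, pattern in PAYLOAD_PATTERNS.items():
        if pattern.search(decoded):
            tags.append(name)
    if TOOL_UA.search(entry["ua"]):
        tags.append("tool-ua")
    return tags


def scan(log_text):
    """Aggregate tags per source IP across the whole log."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        per_ip = report.setdefault(entry["ip"], {"requests": 0, "tags": set()})
        per_ip["requests"] += 1
        per_ip["tags"].update(classify(entry))
    return {ip: {"requests": v["requests"], "tags": sorted(v["tags"])}
            for ip, v in report.items()}


def verdict(report):
    """Block a source that announces a tool, or that shows two or more distinct
    injection techniques.  One broad match on its own is not enough."""
    return sorted(ip for ip, v in report.items()
                  if "tool-ua" in v["tags"] or len(v["tags"]) >= 2)


if __name__ == "__main__":
    rep = scan(SAMPLE_LOG)
    for ip, info in rep.items():
        print(ip, info)
    print("block:", verdict(rep))
```

The source that cycles through several techniques in a few seconds is what an automated tool looks like in the logs, and it is caught even on the request where it swapped its User-Agent; the lone search for "union station" trips one broad pattern and is left alone. Encoded or obfuscated payloads will slip past regexes like these, which is why the parameterized query in the previous example is the control that actually ends the exercise.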

 

 

March 28, 2012
21-Foot Ladders

Several years ago during the second Bush administration, heated debates were taking place over reforming American immigration policies.  One of the best political cartoons of the time captured the conundrum beautifully.  On the American side, builders assembled a 20-foot fence.  On the Mexican side, Raul was renting 21-foot ladders:



In many ways this is a nice analogy for what is a (hopefully) growing epiphany among cyber security professionals.  Though hacking and immigration have very different moral motivations, the rhetorical parallels are interesting.

Example #1:  Shawn Henry of the FBI said in the 28 March edition of the Wall Street Journal, “In many cases, the skills of the adversaries are so substantial that they just leap right over the fence and you don’t ever hear an alarm go off.”  Companies, he added, “need to be hunting inside the perimeter of their network.”

Example #2:  "We've got the wrong mental model here," said Dr. James Peery, director of the Information Systems Analysis Center at Sandia National Laboratories. "I don't think that we would think that we could keep spies out of our country. We've got this model for cyber that says, 'We're going to develop a system where we're not attacked.' I think we have to go to a model where we assume that the adversary is in our networks. It's on our machines, and we've got to operate anyway." [Emphasis ours.]

Example #3:  The commercial software industry has, of course, realized that the old idea of a perimeter defense is increasingly useless, and groups such as the Jericho Forum have been working for many years on systems to protect data rather than network boundaries. Such principles might be antithetical to the military mind, but Dr. Kaigham Gabriel, current head of DARPA, said that the cost of perimeter control would be huge and most likely ineffective anyway. [Emphasis ours.]

The question, however, is what to do.  For more on that, read our blog.

 

 

March 19, 2012
Evaluating Web Application Firewalls - Things to Keep in Mind

If you're thinking of a WAF, a good read.  If you're not thinking of a WAF, a good read anyway.

 

 

 

March 15, 2012
31% of Web Traffic is Automated and Malicious

Incapsula published a great report breaking down the traffic of 1000 different websites.

Automated bad guy traffic:

  • 5% is hacking tools searching for an unpatched or new vulnerability in a web site.
  • 5% is scrapers.
  • 2% is automated comment spammers.
  • 19% is from “spies” collecting competitive intelligence.

Automated not-bad guy traffic:

  • 20% is from search engines - which is non-human traffic but benign.

Non-automated traffic:

  • 49% is from people browsing the Internet.

For more details, see Incapsula's report here.

Of course, when your site is under attack, the amount of traffic will go even higher.  We detail those numbers here.

*Updated: Blog entry updated to correct stats that were incorrectly reported in the original post.

 

The Growing Fakebook Problem

In this corner:

In this article, we learn the details of how a fake Facebook page of a NATO commander was created and its impact.  Notably: 

The frequency of fake Facebook pages claiming to be connected to important officials is now so significant that NATO has had to dedicate staff to liaising with the company to have them removed.

 

And in this corner:

No more than 5% of FB accounts are fake! (Facebook's S-1 filing or check out this more detailed overview).

 

March 14, 2012
Best Summary Explaining How Sabu was Caught

Great read.  

The most interesting bits around what outed Sabu:

  • reusing "anonymous" usernames and variations on them for many years resulting in "bleeding" of his identity elements (i.e., usernames, e-mail addresses, domain registration information) between different, supposedly-unrelated social media and online accounts;
  • giving out too much personal information about his political/national affiliations/ethnicity; 
  • accidentally logging once or twice into IRC chat channels without first anonymizing through VPN or Tor proxies;
  • mentioning in a chatroom a domain name he owned, whose whois status—i.e. its domain ownership information—had not always been set to private, and which once listed his real name and address, subsequently preserved on the Internet;
  • On an Internet that forgets nothing, once a document is made publicly available, even if only briefly, it may be archived in perpetuity. One old clue to even one element of a still-in-use identity can be enough to take down even the most careful hacker. 

 

 

March 13, 2012
Rebalancing The Security Portfolio

Anyone attending this year’s RSA conference couldn’t help noticing one thing:  the security industry is awash in guilt over the failure to stop hackers.  RSA chairman Arthur Coviello said “security vendors and practitioners need to shift their strategies beyond signature and perimeter-based defenses and collaborate to develop and adopt new intelligence-based approaches to information security.”  And this mea culpa follows another one from McAfee, which wrote in an August 2011 report, “The security industry may need to reconsider some of its fundamental assumptions, including 'Are we really protecting users and companies?’”

One reason for the guilt trips?  The inadequacy of antivirus.  Today, enterprise desktop security software spend is $3.4 billion worldwide. Consumers will spend even more, nearly $5 billion, on antivirus this year.  However, detection of new malware remains quite low.  For example, one of the most prominent exploit kits, Blackhole, was missed by 30% of antivirus packages.  Apply that miss rate to roughly $8.4 billion of combined spend and around $2.5 billion of it buys no detection at all against a kit that is hardly obscure.  That’s a lot of wasted money.

As many of us in security know, evading antivirus is not complicated.  In fact, virus evasion is a growing industry unto itself.  In 2010, the Verizon Data Breach report observed, “This year nearly two-thirds of malware investigated in the Verizon caseload was customized—the highest we have ever seen.”  Translation:  malware/virus writers know that evasion is the name of the game.  (For more on this, see my colleague Noa Bar Yosef’s detailed, excellent explanation in an SC Magazine column.)  The individual behind RankMyHack.com had this interesting perspective on antivirus—from a hacker (!):

The big money comes from silent espionage, viruses that do NOTHING but silently record your keystrokes and send them to a remote location, or viruses that in one blast steal all the information stored in your browser cookies.

To be clear, antivirus is needed.  But the important thing is to stop wasting so much time and—more importantly—money on products whose rate of return is so poor.  

So what should companies and consumers do?  Rebalance their portfolios.  In finance, when stocks over- or underperform, you dump them for other investments to adjust your risk.  Today, antivirus is an underperforming asset that deserves rebalancing.   We can’t speak for everyone, but we see more customers operating on the assumption that antivirus will fail.  One of our customers relies on database security controls to monitor and block aberrant access to sensitive data (e.g., malware accesses databases at inhuman speeds, so that should be blocked).  How many more such companies exist?  Not sure.  But it’s a safe bet that their numbers increase daily.

What if companies took some of the billions spent on antivirus and put it towards employee education? Companies could also consider newer technologies.  Our report on Anonymous highlighted the successful role a web application firewall played in thwarting data theft and DDoS.  What if just a small fraction of companies with transactional websites rebalanced a portion of security spend on WAFs to minimize data breaches?  (Yes, I work for a WAF vendor but I don’t need to visit a confessional having made the previous statement).

The security industry, companies and analysts alike, prefers inertia: keep antivirus spend exactly where it is.  But their motivations aren’t sinister.  It’s much more complicated than that.

In 2010, Harvard Business School professor Richard Tedlow published a book, Denial, about companies who fail to see critical shifts in their markets. In it, he explains that “Denial is more endemic to older firms because it so often results from stubborn adherence to a once-accurate perception of reality that has gradually become obsolete. In the words of John Kenneth Galbraith, one's view of the world ‘remains with the comfortable and the familiar, while the world moves on.’”  One security analyst gives us a perfect illustration:

Yes, we need new layers of defense but we would be well served to take better advantage of the technologies already in place before running for the new security thing.

Meanwhile, the world moves on.  Our Anonymous report explained how hacktivists don’t rely on malware.  Nonetheless, I was criticized for “hyperbole” when I called antivirus “useless.”  In the case of hacktivism, however, antivirus is useless.  As we point out in the report, hacktivists merely mimic the approach deployed by for-profit hackers.  And when it comes to private hackers and malware, the 2010 Verizon report explained how customized evasion has been commoditized and become “more accessible to an ever-increasing pool of criminals by an extensive ‘malware-as-a-service’ market. We find it hard to foresee anything but trouble here for the good guys.”  [Emphasis mine.]

What we are seeing reminds me of Keith Richards during the height of his drug addiction: “I've never had a problem with drugs. I've had problems with the police.”

Tedlow’s book details denial with mostly “old school” companies, such as Sears.  Denial in the security industry, however, is exponentially more complicated.  Sears only had to deal with fickle consumers.  In security, in addition to buyers, we must throw adversaries into the mix who are—by definition—early adopters and innovators.  This dynamic makes any stock volatility look downright docile. 

If our stocks performed this badly, financial advisors would be lightning quick to suggest shifting investments.  

Time to rebalance your software security portfolio.

 

 

March 12, 2012
Reviewing HOIC: A New Anonymous DDoS Tool

According to a recent article, there's a new DDoS tool from Anonymous called High Orbit Ion Cannon, or HOIC:

[Screenshot: HOIC]

The claim is this:  LOIC did TCP, UDP and HTTP flooding, but HOIC focuses on HTTP only. HOIC includes a new feature called 'boosters', files you download or add to the attack machine that let the attacker manipulate headers such as language, referrer and host.  This feature is designed to bypass signature-based systems by varying the headers from request to request. Additionally, HOIC is supposedly faster. 

But is it really an improvement?  Overall, not really.  There are several reasons:

  • Problem 1:  HOIC seems like a step backwards in terms of usability, as it requires client-side installation and complex configuration files. LOIC offered people with limited technical skills the ability to perform DDoS; that is definitely not the case with HOIC.
  • Problem 2: HOIC is indeed HTTP focused. However, HTTP flood is inherently slower than UDP flood and simple TCP flood.
  • Problem 3:  Just writing in the tool's description "HOIC is faster" does not make it faster and certainly does not explain why.  As they say in the automobile industry:  you can't judge until the rubber hits the road.
  • Problem 4: The "boosters" are nothing but configuration files that allow broader targeting. HOIC could let you diversify a DDoS attack, but mostly for pretty sophisticated users.  And as we point out in bullet #2 above, are you really gaining firepower?

 

 

March 09, 2012
Automated Data Theft Tools Meet Insider Threats

In the past, we've discussed, at length, how automated tools are used in all kinds of hacking campaigns.  The Register just published a story on two South Korean men who stole data from the country's two major telcos.  But the really interesting aspect is this:

...the men allegedly developed software designed to harvest personal user information and location data without the knowledge of the user and then sold it on for up to 300,000 won (£168 or $265) per set of information.

Automated tools are getting into the enterprise. We've discussed automated tools in the context of the external threat, but here you have their use by malicious insiders (subcontractors). These folks purchased a commercial tool online, used it to harvest user data and then sold that data off.

Could this be a future trend?  Possibly.  Many organizations have deployed DLP, which likely would not have blocked this.  Proper mitigation against such a threat requires database controls that recognize, and block, aberrant behavior.  In this case, the aberration was massive data downloads at inhuman speeds.
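Both this post and the database control described under "Rebalancing The Security Portfolio" above come down to the same check: a database account pulling rows faster, or in greater volume, than a person at a keyboard could. Here is an added example (not from the original posts, and not any vendor's product logic) of that check as a sliding-window rate monitor replayed over database audit records constructed for the example. The thresholds, account names and record layout are assumptions; once an account trips the monitor, its later statements are denied rather than executed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample():
    """Constructed audit records (not from the original post), each one
    (timestamp, db_user, client_host, table, rows_returned)."""
    base = datetime(2012, 3, 9, 10, 0, 0)
    records = []
    # support_app: human-paced lookups, a few rows each, one every 5 seconds
    for i in range(12):
        records.append((base + timedelta(seconds=5 * i), "support_app",
                        "10.1.1.20", "subscribers", 1 + i % 3))
    # ctr_tool: a subcontractor account driving a harvesting tool,
    # 2000 rows every 2 seconds
    for i in range(6):
        records.append((base + timedelta(seconds=2 * i), "ctr_tool",
                        "10.1.9.77", "subscribers", 2000))
    return sorted(records)


class RateMonitor:
    """Flags a database user whose returned-row volume or statement rate inside
    a sliding window exceeds what a person would produce.  The thresholds are
    assumptions for the example; a deployment would derive them per application."""

    def __init__(self, window_seconds=60, max_rows=5000, max_queries=30):
        self.window = timedelta(seconds=window_seconds)
        self.max_rows = max_rows
        self.max_queries = max_queries
        self.history = defaultdict(deque)   # user -> deque of (timestamp, rows)
        self.flagged = set()

    def observe(self, ts, user, host, table, rows):
        """Record one statement; return an alert dict the first time the user
        crosses a threshold, otherwise None."""
        window = self.history[user]
        window.append((ts, rows))
        while window and ts - window[0][0] > self.window:
            window.popleft()                # drop statements older than the window
        total_rows = sum(r for _, r in window)
        if total_rows > self.max_rows or len(window) > self.max_queries:
            self.flagged.add(user)
            return {"ts": ts, "user": user, "host": host, "table": table,
                    "rows_in_window": total_rows, "queries_in_window": len(window)}
        return None


def run(records, monitor=None):
    """Replay audit records through the monitor.  Statements from a flagged
    user are denied instead of observed.  Returns (alerts, denied_records)."""
    monitor = monitor or RateMonitor()
    alerts, denied = [], []
    for rec in records:
        if rec[1] in monitor.flagged:
            denied.append(rec)
            continue
        alert = monitor.observe(*rec)
        if alert:
            alerts.append(alert)
    return alerts, denied


if __name__ == "__main__":
    found, blocked = run(build_sample())
    for a in found:
        print("ALERT", a)
    print("denied statements:", len(blocked))
```

The support application never comes near the thresholds, because a human-driven workflow returns a handful of rows at a time. The harvesting account crosses the row budget on its third statement, a few seconds into the replay, and everything it tries after that is refused. A DLP agent watching files leave the endpoint sees none of this; the signal only exists where the rows are read.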

 

March 08, 2012
Lulzsec Arrests: Essential Reading

Tons of news with the Lulzsec arrests.  Which articles should be read?  We've assembled a reader's guide of our favorites.  The criteria?  They are educational, illuminating or just plain funny.

Here are the top reads:

#1:  Alleged Stratfor hacker no stranger to law enforcement

Source:  Network World  

Why is it worth a read?  This story is about arrested Lulzsec hacker Jeremy Hammond.  

The best line?

Hammond also is a freegan, an individual who reclaims and eats food that has been discarded by others, as part of an anti-consumerist movement. "Dumpster diving is all good I'm a freegan goddess," he says in one online chat conversation with another alleged hacker. Federal agents conducting surveillance on Hammond reported seeing him going into dumpsters for food.

I had no idea freegans even existed.  Here's a great overview from Bloomberg.

 

#2:  The one tiny slip that put LulzSec chief Sabu in the FBI's pocket

Source: The Register

Why is it worth a read?  Great overview of how Sabu was found by the FBI.

The best line?

They caught him because just once, he logged onto IRC without going through Tor, revealing to the FBI his IP address," Graham claims. "This reveals a little bit about the FBI, namely that they've infiltrated enough of the popular IRC relays to be able to get people's IP addresses. We've always suspected they could, now we know.

 

#3:  Stop calling Anonymous activists!

Source: Kings of War (a blog)

Why is it worth a read?  Great perspective on what truly drives hacktivism.

The best line?

The anonymity of the groups not only hampers on their political accountability but also blurs any of their messages, as one cannot judge their motives. In other words, they lack transparency as much as their targets allegedly do.

So, in the end, one should be careful about not giving too much credit for such actions. Anonymous seeks to achieve more personal fame and maybe the media shouldn’t give in to that. Recently, Cyberwarnews.com released an interview of a hacker that allegedly defaced '80 Brazilian Government sites’. Hacktivism, again? The hacker was 13 (this should already cast a doubt about his political judgement). When asked about his motives for hacking, he answered: ‘I hack to take part in the latest operations and to get better at hacking’. How can we know that Anonymous has not got exactly the same strong sense of political action to help the larger community? (sic)


#4:  Hackers Arrested as One Turns Witness

Source: Wall Street Journal

Why is it worth a read?  Best overview of the entire Lulzsec crowd and history of the hacking spree.

The best line?

Louis Monsegur, a family member of the man accused of being Sabu, said Tuesday his relative was "into computers" from a young age, but that he was surprised by the breadth of the allegations against him. "I never knew the kid was into stuff like that," he said of Hector. "He's a smart kid."

 

#5:  Disillusioned ex-Anonymous first outed Sabu last year

Source:  CNET

Why is it worth a read? Another good read on the role of understanding IP addresses when it comes to identifying hackers.

The best line?

It was February 2011 when she and her partners at Backtrace Security compiled a list of identities they believed were tied to the hacker handles associated with the HBGary Federal hack and others. Her break with discovering Sabu's identity came to her from a friend in the group in the form of log files from an Internet Relay Chat room in which Sabu and other LulzSec members discussed the HBGary Federal compromise, she said. One of the log files contained a domain that led to a subdomain that had a mirror to a page where Monsegur posted photos and video of his beloved Toyota AE86 on a car enthusiast social-networking site. That led to a YouTube video that had information that allowed Emick to eventually find Monsegur's Facebook page using a Google search.

#6:  What Do the LulzSec Arrests Mean for Anonymous?

Source:  New York Times

Why is it worth a read? Good perspective on the impact the arrests will have on Anonymous.

The best line?

It will be difficult for Anons to work collaboratively now that their ranks are undoubtedly infiltrated by feds, security contractors and rival hackers.

 

 
