31 posts categorized "Amichai Shulman"
October 29, 2012
 South Carolina Meets SQL Injection

South Carolina was in the news quite a bit last week.

What caused the breach? Nobody has said explicitly, but as some may suspect, it was probably a SQL injection attack. What are the indications?

First, according to official statements the attacker took off with identity-related information and not, for example, the details of tax reports (which may be far more interesting) or bank account numbers (same here).

Second, look at the following statement:

On Oct. 16, Mandiant confirmed that in early September, unknown hackers "probed" agency systems, and sometime in the middle of the month, they were able to access the data that was stolen. On Oct. 16, the vulnerability that permitted the intrusion was closed.

Assuming that the timeline described in the SC Magazine article is correct, it took Mandiant less than a day to work out the attack and its dates, which suggests that they went straight to the web server's native access logs and searched them for SQL injection patterns. That is the natural place to look: an injection carried in the query string is recorded verbatim in the request line of every standard access log, whereas an injection carried in a POST body usually is not unless the application logs it separately.
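The kind of log review described above, as an added example that is not part of the original post and not Mandiant's or anyone else's actual tooling: a scanner that URL-decodes the request line of each access-log entry, matches a handful of injection patterns, and reconstructs the first-to-last window per source address. The log lines, IP addresses and paths are constructed for the example; the pattern list is deliberately short and would need tuning for real traffic.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample in Apache combined log format (not real Department of
# Revenue logs). One source probes with a quote, then a tautology, then a UNION.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2012:02:14:07 -0400] "GET /taxpayer/lookup.aspx?id=1017 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2012:02:14:09 -0400] "GET /taxpayer/lookup.aspx?id=1017' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2012:02:14:31 -0400] "GET /taxpayer/lookup.aspx?id=1017%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98304 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2012:02:15:02 -0400] "GET /taxpayer/lookup.aspx?id=1017%20UNION%20SELECT%20ssn,dob%20FROM%20taxpayers-- HTTP/1.1" 200 1331200 "-" "sqlmap/1.0"
198.51.100.4 - - [12/Sep/2012:02:16:00 -0400] "GET /taxpayer/lookup.aspx?id=2231 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Patterns are matched against the URL-decoded request path and query string.
SQLI_PATTERNS = [
    (r"'\s*(or|and)\s*'?\d*'?\s*=", "tautology (OR '1'='1)"),
    (r"\bunion\b[\s/*]+(all\s+)?\bselect\b", "UNION SELECT"),
    (r"(--|#|/\*)\s*$", "comment terminator"),
    (r"\b(information_schema|sysobjects|all_tables)\b", "schema enumeration"),
    (r"\b(sleep|waitfor\s+delay|benchmark|pg_sleep)\b", "time-based probe"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in SQLI_PATTERNS]


def decode_query(url: str) -> str:
    """URL-decode twice: attackers often double-encode to slip past naive filters."""
    return unquote_plus(unquote_plus(url))


def parse_ts(ts: str) -> datetime:
    """Apache timestamp, e.g. 12/Sep/2012:02:14:07 -0400."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def scan_log(text: str) -> list:
    """Return (ip, timestamp, status, labels) for each line that looks like SQL injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_query(m.group("url"))
        labels = [label for rx, label in COMPILED if rx.search(decoded)]
        # A lone quote that produced a 5xx is the classic first probe and is
        # worth flagging even though it matches no payload pattern.
        if not labels and "'" in decoded and m.group("status").startswith("5"):
            labels = ["quote probe causing server error"]
        if labels:
            hits.append((m.group("ip"), parse_ts(m.group("ts")), int(m.group("status")), labels))
    return hits


def attack_window(hits: list) -> dict:
    """Earliest and latest suspicious request per source IP, to rebuild the timeline."""
    window = {}
    for ip, ts, _status, _labels in hits:
        first, last = window.get(ip, (ts, ts))
        window[ip] = (min(first, ts), max(last, ts))
    return window


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    for ip, (first, last) in attack_window(found).items():
        print(ip, "active from", first, "to", last)
```

The response size column is the other clue a reviewer looks at: the UNION request in the sample returns far more bytes than a normal lookup, which is exactly the signature of a bulk extraction rather than a probe.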

Third, we can rule out "insecure direct object reference" as the culprit, since the credit card information was stolen partly in encrypted form and partly unencrypted. That mix indicates the data was not scraped from HTML pages (where the application would have presented it uniformly) but pulled straight from the database.

Sadly, there is some misinformation going around. Notice this statement by one reporter: “In August 2011, a group of hackers used Google to steal 43,000 Social Security numbers from faculty, staff and students of Yale University, due to an unprotected FTP server.” The attackers didn't use Google to steal the information. Rather, the attackers used Google to find out that the server was holding sensitive information.


October 26, 2012
 Banks told to step up security over DDoS attacks

Banks have been asked to step up their DDoS protection.

The request, however, is mostly CYA. Take, for example, the call to check for vulnerabilities, which has nothing to do with DDoS attacks. I think that generally this misses the point. In particular, the latest DDoS attacks were so massive that they are hard to sustain over time by anyone who is not government sponsored.

In this case I would expect national authorities to be the ones taking steps against it, rather than individual corporations. In general, I think that attacks of such magnitude should be handled by authorities rather than by individuals. It makes sense to set up regulations for building a house that won't fall down in a rainstorm. It does not make sense to expect individuals to build dams in case of a tsunami.




July 19, 2012
 When Insider Threats Start From The Outside

A recent article describes an apparently serious FBI investigation. The article teaches an important lesson: in this case, the FBI spent resources on a matter of relatively little importance because it could get results fast, while a huge number of more serious data and intellectual property theft crimes go unnoticed.

When you look at the quotes from the affidavit, provided by a Symplicity EX-EMPLOYEE (!), he describes what looks like a perfectly legitimate exploration of public resources. He describes how he was INSTRUCTED to look for PUBLICLY available resources by typing legitimate resource names into the address bar. Next, the FBI claims that someone from within Symplicity's network (or an employee of Symplicity) accessed the login form of Maxient clients. Really? They don't even claim that someone tried to brute-force the form, just that it was accessed! There is only a brief mention of a claim that Symplicity attempted a SQL injection attack against Maxient's application (which is indeed an illegal activity). Again, the claim is very general, to the effect that an IP address belonging to Symplicity was behind this activity.

Now my question is this: we see on a daily basis web attacks that are on a far larger scale, for each of which there is a far larger collection of hard evidence in terms of intent and potential risk. Why is the FBI investing so many resources in this particular one? I think that the key to understanding this is the following FBI statement:

On Nov. 4, 2011, a cooperating witness who formerly had been employed by Symplicity for approximately five years provided information to the FBI concerning the conduct of Ariel Friedler, the Chief Executive Officer of Symplicity.

Someone, it seems, approached the FBI, pointed the finger at an alleged culprit and detailed the method of operation. Not surprisingly, that someone (by their own testimony) was actually part of the operation. At that point, the FBI together with the alleged victim of this criminal activity, who had been completely unaware of this EXTREMELY unsophisticated attack, made the effort to produce audit trail evidence (which I do believe to be genuine) going back TWO YEARS showing traces of this crime. Notice that they were not able to produce ANY data indicating actual penetration of the application or organization, or any actual illegal access to accounts.

From this point of view, it looks like a case of a disgruntled employee colluding with a competitor of Symplicity to inflict short-term or even long-term damage on Symplicity's business. How is this for a new twist on the “insider threat” attack vector?

As stated by another quote from the article: “While the FBI's search warrant doesn't put any of Simplicity's current contracts at risk, the vendor could face suspension or be banned from future federal contracts based on the issuance of the search warrant.”

Do I believe that Symplicity people were scanning a competitor's site for competitive intelligence? Yes I do. Do I believe that someone from inside Symplicity attempted SQL injection against a competitor's site? Yes I do. Could that someone be the same employee who reported the entire story to the FBI? Yes, he could have been that someone. Do I understand why the FBI is going after this case with so much rigor? No I don't. I'd be surprised if the investigation eventually ends up with shocking discoveries about a wide network of sophisticated industrial espionage, or even a successful breach of competitor servers. Until that happens, I think there are more pressing cyber-crime issues to go after.




July 17, 2012
 Oracle's Latest Patch Update

Oracle’s latest critical patch update (CPU) went live today.

Overall, this is a fairly consistent release: 80 patches overall, with 4 in the database server. Likewise, the volume of MySQL vulnerabilities is consistent with previous releases. Some observations:

  • The database vulnerabilities are about denial of service, probably around the Oracle Listener component, which lets clients connect to the database remotely.  Interestingly, for three of these database vulnerabilities all an attacker needs is network access, nothing more.  This component has been around for 25 years, yet very serious issues persist.  It emphasizes the complexity of software and the need for security outside of the code base as it is written, which is why enterprises need a security layer on top of what comes with the database itself.  The practical mitigation for network-only bugs in the Listener is the same as always: do not expose the Listener port (1521 by default) beyond the application hosts that need it.
  • Fourteen of the patches are for products acquired from a company called Stellent.  This highlights the security issues that come with mergers and acquisitions, which were echoed in the Yahoo! Voices and Instagram-Facebook security issues.
  • The biggest vulnerability?  A JRockit issue that was already fixed recently along with other Java vulnerabilities.

This patch continues to show how big companies with a wide product line struggle to find the resources to keep all their products up to speed with security fixes and how complex software created by a series of mergers and acquisitions drives the need for external security that does not rely on the code itself.


June 13, 2012
 Back Doors in US Infrastructure

According to this report, Chinese equipment makers have built backdoors into their hardware (which may be the root of Mr. Panetta's remarks).

First, a little perspective: most intelligent networking equipment, manufactured by almost any vendor anywhere in the past 20 years, has been shown to contain some kind of backdoor.  Master passwords for routers and secret technician codes for mobile phones or set-top boxes have been published over the years (not to mention those secret key combinations in Microsoft products that invoke flight simulator games).  This development raises two questions:

What percentage of infrastructure, civilian as well as military, is vulnerable to APT (enemy) shutdown?
The answer really depends on which country, what infrastructure and who the enemy is. In general, large modern economies with decentralized infrastructure are less vulnerable. If you have twenty telcos, for example, each using equipment from two or three different vendors, then the chances of a single blow by an adversary that controls a backdoor in the equipment of a single vendor are low.

What can companies do about it?
The “textbook” mitigation strategy is indeed the use of redundant equipment from multiple vendors. This recommendation conflicts with the attempt to lower the cost of deployed systems (operating two different types of equipment with the same team is of course more costly).


April 18, 2012
 Oracle’s Q2 CPU Release

Oracle released its latest vulnerability list.  What this release highlights is that Oracle should provide work-around instructions rather than dogmatically stick to immediate patching as the only option.

This one has 88 patches.  Only four issues are in the Oracle database server, whereas six are in the MySQL database server.   Of the four database vulnerabilities, two are interesting:

  • One vulnerability is severe, ranking 9 on a 10 scale.  What is significant about this issue?  It is the most severe of the set even though exploiting it requires authentication.  The vulnerability is in a component that is installed by default and known to have been vulnerable in the past on more than a few occasions.  What does this component do?  It allows users to do geometric searches, which are not widely used.  Since most installations never use geometric search, Oracle should recommend, for example, removing the package altogether so that only those who need it are exposed to it.
  • The second vulnerability is rated 7.1 on a 10 scale because the exploit is complex, but this seems low.  Why?  Exploiting it requires two privileges: CREATE LIBRARY and CREATE PROCEDURE.  What is of most interest here is the CREATE LIBRARY capability, which maps an OS module into the database: an inherently dangerous operation, because any native OS code can be exposed as stored procedures callable from a SQL session.  We suspect that the vulnerability allows server takeover through uncontrolled mapping, and that the patch restricts the ability to map arbitrary modules.  Regardless, a better approach would be to simply not grant anyone but an administrator the CREATE LIBRARY privilege, and to audit who currently holds it (DBA_SYS_PRIVS lists the grantees).




April 01, 2012
 Clues from the Global Payments Breach

Another mega breach made headlines last week.  Though no one can say yet what happened, as usual the press statements offer some clues.

What is the most important clue?  Visa and Mastercard claim (in their warning to banks) that the full Track data from the card was obtained. This is an interesting piece of information, as Track data is not available for web-based transactions.  In fact, Track data (the contents of the magnetic stripe) is only available when the card is swiped. It means that the source of the data is point-of-sale devices rather than Internet transactions.

What about PCI compliance?  Storing Track data after authorization is forbidden by PCI DSS, although the data is necessarily present in memory and on the wire while a transaction is being processed. So either Global Payments was not in compliance with PCI DSS, or the attackers were able to sniff transactions off a network or out of process memory.
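The check an assessor (or a worried operator) runs for exactly this, as an added example that is not part of the original post and has nothing to do with Global Payments' actual systems: scan stored files or logs for magnetic-stripe Track 1 and Track 2 fragments, confirm each candidate PAN with a Luhn check to cut false positives, and report masked results so the scanner itself does not become another place full card data is written. The sample dump below is constructed and uses standard test card numbers, not real cards.

```python
import re

# Constructed sample of what a badly configured POS or switch log might contain.
# PANs are the well-known test numbers (4111..., 5555...), not real cards.
SAMPLE_DUMP = """\
2012-03-20 14:02:11 auth ok  txn=88121 amount=42.10
%B4111111111111111^DOE/JOHN^1512101000000000000000000?
;5555555555554444=15121010000012345678?
2012-03-20 14:02:12 auth ok  txn=88122 amount=9.99
;4111111111111234=1512101?
order-id 1234567890123456 shipped
"""

# Track 1 (ISO 7813 format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit; rejects most random digit runs that happen to look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return (line_no, track, masked_pan, expiry_yymm) for every stored track fragment."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in TRACK1_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((n, 1, mask(m.group(1)), m.group(3)))
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((n, 2, mask(m.group(1)), m.group(2)))
    return findings


if __name__ == "__main__":
    for line_no, track, pan, exp in find_track_data(SAMPLE_DUMP):
        print(f"line {line_no}: track {track} data for {pan}, expiry {exp}")
```

Note what the scanner does not flag: the bare 16-digit order id on the last line is not card data, and the Track 2 fragment whose PAN fails Luhn is dropped. In practice the Track regexes catch stored stripe data; a separate, noisier PAN-only scan is needed for systems that strip the delimiters before writing.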



March 12, 2012
 Reviewing HOIC: A New Anonymous DDoS Tool

According to a recent article, there's a new DDoS tool from Anonymous called High Orbit Ion Cannon, or HOIC:


The claim is this:  LOIC did TCP, UDP and HTTP flooding, whereas HOIC focuses on HTTP only.  HOIC adds a feature called 'boosters': files you download or add to the attack machine that let the attacker vary headers such as Accept-Language, Referer, Host and so on.  This is meant to bypass signature-based defenses by spreading requests across many different header combinations.  Additionally, HOIC is supposedly faster.

But is it really an improvement?  Overall, not really, for several reasons:

  • Problem 1:  HOIC seems like a step backwards in terms of usability, as it requires client-side installation and complex configuration files. LOIC gave people with limited technical skills the ability to take part in a DDoS; that is definitely not the case with HOIC.
  • Problem 2:  HOIC is indeed HTTP focused. However, an HTTP flood is inherently slower than a UDP flood or a simple TCP flood, because every request needs a completed TCP handshake before it can be sent.
  • Problem 3:  Just writing "HOIC is faster" in the tool's description does not make it faster, and certainly does not explain why.  As they say in the automobile industry:  you can't judge until the rubber hits the road.
  • Problem 4:  The "boosters" are nothing but configuration files that allow broader targeting and header variation.  HOIC could let you diversify a DDoS attack, but mostly in the hands of pretty sophisticated users.  And as bullet #2 points out, are you really gaining any firepower?  Varying headers only helps against defenses that key on a fixed header signature; a defense that counts requests per source does not care what the headers say.
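To make the point about boosters concrete, here is an added example (mine, not code from the original post and not from HOIC) of a detection that never looks at headers: a sliding-window request count per source address, run over a constructed access-log sample in which one host rotates its User-Agent and Referer on every request the way a booster file would, while a second host browses normally. The IP addresses, paths and threshold are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format; only the client address, timestamp and User-Agent are used.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def make_sample() -> str:
    """Constructed log: one flooding host with rotating headers, one normal visitor."""
    uas = ["Mozilla/5.0 (Windows NT 6.1)", "Opera/9.80", "Mozilla/5.0 (X11; Linux)", "Googlebot/2.1"]
    refs = ["http://www.google.com/", "http://www.bing.com/", "-", "http://example.org/"]
    base = datetime(2012, 3, 10, 12, 0, 0)
    lines = []
    for i in range(40):  # 40 requests in 8 seconds, headers changing every request
        ts = (base + timedelta(milliseconds=200 * i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(
            f'203.0.113.9 - - [{ts} +0000] "GET /index.php?{i} HTTP/1.1" 200 1024 '
            f'"{refs[i % 4]}" "{uas[i % 4]}"'
        )
    for i in range(5):  # an ordinary session: one page every two seconds
        ts = (base + timedelta(seconds=2 * i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(
            f'198.51.100.20 - - [{ts} +0000] "GET /page{i} HTTP/1.1" 200 2048 '
            f'"-" "Mozilla/5.0 (Macintosh)"'
        )
    return "\n".join(lines)


def flag_floods(log: str, window_s: int = 10, threshold: int = 30) -> dict:
    """Return {ip: (peak requests within window_s seconds, distinct User-Agents)}
    for every source whose peak reaches the threshold."""
    recent = defaultdict(deque)   # per-IP timestamps inside the current window
    peak = defaultdict(int)
    agents = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        agents[ip].add(m.group("ua"))
    return {ip: (peak[ip], len(agents[ip])) for ip in peak if peak[ip] >= threshold}


if __name__ == "__main__":
    for ip, (hits, ua_count) in flag_floods(make_sample()).items():
        print(f"{ip}: {hits} requests in window, {ua_count} distinct User-Agents")
```

The flooding host is caught on volume alone; the four different User-Agents it cycled through show up only as a side statistic. Against a distributed flood the per-IP count has to be complemented by an aggregate rate on the target URL, but the booster trick buys the attacker nothing in either case.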



January 17, 2012
 Oracle’s Q1 CPU Release

Imperva CTO Amichai Shulman on Oracle's latest critical patch update (CPU).

This is a standard patch.  However, quite a large share of the patches are dedicated to the MySQL database, which is a new addition to Oracle's CPU process.  Overall, there are 78 vulnerabilities, which is consistent with previous releases.  However, considering that Oracle added MySQL to the patching process, this number seems low.

Key observations:

  • There is a bottleneck in the Oracle patching process.  If you introduce a new product, there should be more vulnerabilities overall in the CPU, but this didn't happen.  Could there be obstacles in the security and testing process?  While introducing MySQL into the patch process is a good thing, it again emphasizes scalability problems: with a new product contributing 27 fixes in this CPU, you'd expect the overall number of patches to increase, yet it has not.  For example, the Oracle DB server product shows only two fixes.
  • There are only two vulnerabilities in the database product.  Why?  Either the database server has reached an amazing maturity in terms of security, or Oracle did not have enough resources to include more fixes in the process.  This may be a consequence of adding the new MySQL product to the patching process.  However, another factor may be that these fixes are much more critical and complex than their CVSS scores suggest.
  • Oracle continues to undervalue the severity of its reported vulnerabilities.  For example, the vulnerability described in InfoWorld, CVE-2012-0082, gets only a 5.5 on the severity scale.  As another proof point, one Solaris vulnerability (CVE-2012-0094) scores a 7.8 but is very similar to issues in the Oracle database server and MySQL products that scored just 5.5.
  • Other stuff:  beyond that, there are many fixes in HTTP-based components of the Oracle product line.

What does this release tell us to expect from Oracle security in 2012?

  • Severity scores will continue to be misleading.  Oracle should rethink its "Partial+" ranking, which artificially plays down severity.
  • Vulnerability bottleneck.  They should fix this bottleneck, especially as they introduce new products and acquisitions continue.  We assume the bottleneck exists because the number of vulnerabilities stays relatively low while the CPU grows in terms of products covered.  As in many organizations, it's safe to assume that Oracle has a security team, separate from engineering, that deals with the vulnerabilities, so the bottleneck most likely resides there and should be removed.


January 05, 2012
 Symantec Code Leak

Rumor has it that hackers have obtained the source code for Symantec's Norton AV. A posting on Pastebin presented the file list, and the hackers claim that they also have the code itself. While the code is not yet out, they say it is just a matter of time as they consider how best to publish it.

For a major DLP vendor, this is quite embarrassing. It is reasonable to assume that the retrieval of such a list could be the result of the files residing on a test server that was mistakenly exposed, or of a posting to an FTP server that unintentionally became public.  It also seems, if you trust the hackers' boasting, that the code was obtained from the Indian military.  Many governments do require source code from vendors to prove the software isn't spyware.

If the rumors turn out to be true, the implications of the anti-virus code leak will not keep the Symantec folks awake too late at night, and certainly not their customers. After all, there isn't much hackers can learn from the code that they didn't know before. Why? Most of the anti-virus product is based on attack signatures. Because defenses are based on signatures, malware authors continuously write malware to evade signature detection (in 2007, anti-virus could only detect 20-30% of malware). We noted in our blog post on the Black Hole exploit kit that only 30% of AV products would have been effective. Further, malware versions evolve at such a rate that signatures cannot keep up with them in the first place. The workings of most anti-virus algorithms have also already been studied by hackers in order to write the malware that defeats them. The main beneficiaries of having the source code would be competitors.

If the source code is recent and hackers find serious vulnerabilities in it, it could be possible to exploit the anti-virus program itself.  But that is a big if, and no one but Symantec knows what kinds of weaknesses hackers could find.


