
ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

Week 11: SQL Injection

Why ‘Low Severity’ Vulnerabilities Can Still Be ‘High Risk’: The Hazards of Focusing Only on Fixing ‘High’ and ‘Critical’ Severity Vulnerabilities

November 26, 2016 by Roberto Nogueda Leave a Comment

This is a great article because it outlines most of the fears I always had when looking at scan results in my own systems that separated the types of vulnerabilities from critical down to low. Vulnerability scans provide a way for organizations to check how resistant their networks will be to an attack. The way they typically work is this: a scan shows the known vulnerabilities in the target systems and then ranks them by severity, usually on a scale of “Low,” “Medium,” “High” and “Critical.” In order to best protect the network, the Critical and High severity vulnerabilities are fixed, the Medium severity vulnerabilities are dealt with when and if there is personnel and budget capacity, and the Low severity vulnerabilities are left to persist indefinitely.

First it is necessary to understand how vulnerabilities are assigned a severity ranking. Let’s assume that the scanning tool’s severity rankings are based either directly or indirectly on a vulnerability’s Common Vulnerability Scoring System score.

The general idea is that a number of criteria are considered in order to calculate a “Base Score” for a vulnerability. The Base Score ranges from 0-10 where the threshold for Medium Severity is 4.0, High is 7.0 and Critical is 9.0, and it is this information that is often used to assign severity ratings to vulnerability scanning tool findings.

The Base Scores are calculated using a number of factors including how complex a vulnerability is to exploit, where it can be exploited from, whether an attacker needs to be authenticated, and what the potential impact would be on confidentiality, integrity and availability. While these are all valid criteria that can tell us quite a bit about a vulnerability, the base score ignores some key things that should matter to us. The full version of the CVSS can also calculate “Temporal” and “Environmental” scores.

Focusing on the Critical and High Risk vulnerabilities also ignores the possibility of vulnerabilities being chained together by an attacker. For example, one vulnerability may allow an attacker to gain a foothold on a system under an account with very low privileges while another vulnerability may allow an attacker to escalate privileges to an administrator level. Taken independently these vulnerabilities might each be Low or Medium severity but when combined together the result is an attacker who can gain remote access with administrator level privileges which many organizations would (or at least should) consider high risk. A real world example of how chaining vulnerabilities this way works can be seen in the “Hot Potato” exploit that relies on a series of Windows vulnerabilities, some of which date back over a decade.


Here is the rest of the article: http://www.securitymagazine.com/articles/87600-why-low-severity-vulnerabilities-can-still-be-high-risk

Facebook is Buying Up Stolen Passwords

November 13, 2016 by Jimmy C. Jouthe 6 Comments

Facebook is buying passwords from the online black market and comparing them to the passwords of its users. The list of passwords, captured in plaintext, goes through a hash function, and the hash results are compared to the users’ hashed passwords. Allegedly Facebook doesn’t store passwords in plaintext; when a user logs on, the password entered is compared to the hash stored in the system for that user. Facebook does the same for the passwords it mines from the online black market. If a match is found, Facebook locks the account and hides it from the public until the user changes his or her password. I’ve seen this before somewhere else; in fact, I was alerted to it through CSID, an identity protection company. CSID alerted me that the password for one of my monitored email accounts was found online on the black market. I changed that password so fast.


https://nakedsecurity.sophos.com/2016/11/11/facebook-is-buying-up-stolen-passwords-on-the-black-market/
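The mechanism the post describes (hash each leaked plaintext password and compare it with the stored hash, then lock any account that matches) is easy to show end to end. The following is an added Python example, not Facebook's code; Facebook's actual hashing scheme is not public, so salted PBKDF2-HMAC-SHA256 is assumed here, and the user records and leaked list are constructed for the demo.

```python
# Added example: screening stored password hashes against a leaked
# plaintext list and locking matching accounts. Hash scheme is an assumption.
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low for the demo; production counts are far higher


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme; the real one is not public)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(users, username, password):
    """Store only a per-user random salt and the derived hash, never the plaintext."""
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": hash_password(password, salt), "locked": False}


def verify_login(users, username, password):
    """Normal login path: re-hash the offered password with the stored salt."""
    rec = users.get(username)
    if rec is None or rec["locked"]:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def screen_against_leak(users, leaked_passwords):
    """Return the usernames whose stored hash matches any leaked plaintext.

    Each user has a unique salt, so every leaked password must be re-hashed
    once per user; that cost is inherent to salted hashing and is the reason
    this is run as an offline batch job rather than at login time."""
    hits = []
    for username, rec in users.items():
        for pw in leaked_passwords:
            if hmac.compare_digest(rec["hash"], hash_password(pw, rec["salt"])):
                hits.append(username)
                break
    return hits


def lock_compromised(users, leaked_passwords):
    """Lock every matched account until its owner sets a new password."""
    hits = screen_against_leak(users, leaked_passwords)
    for username in hits:
        users[username]["locked"] = True
    return hits


def reset_password(users, username, new_password):
    """Owner-initiated reset: fresh salt, fresh hash, account unlocked."""
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": hash_password(new_password, salt), "locked": False}


if __name__ == "__main__":
    users = {}
    register(users, "alice", "123456")            # constructed weak password
    register(users, "bob", "correct horse battery staple")
    leaked = ["123456", "password", "qwerty"]     # constructed leaked list
    print("locked:", lock_compromised(users, leaked))
    print("alice can log in:", verify_login(users, "alice", "123456"))
    reset_password(users, "alice", "a much longer unique passphrase")
    print("alice after reset:", verify_login(users, "alice", "a much longer unique passphrase"))
```

The screening job only ever sees the stored hashes and the leaked plaintexts; it never needs the users' real passwords, which is why a site that stores passwords correctly can still do this check.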


Facebook buys black market passwords to keep your account safe

November 12, 2016 by Mauchel Barthelemy Leave a Comment

Account safety is about more than just building secure software, because a data-saturated company of Facebook’s size and scope can build perfectly secure software and yet users can still get hurt. This is the philosophical approach of Facebook’s chief security officer, Alex Stamos, as an alternative way to ensure Facebook users’ safety. To achieve this, the social media giant purchases passwords on the black market from hackers to keep your account safe.

For example, Alex explains that many users are still using “123456.” As a solution, Facebook users with these types of passwords are automatically alerted to make their accounts safer, because they are more vulnerable to being compromised. This is something Facebook is keen to help its users avoid, says Alex. There are additional interesting details behind the reasoning and how Facebook is doing this. Feel free to access the full article via the link below.

https://www.cnet.com/news/facebook-chief-security-officer-alex-stamos-web-summit-lisbon-hackers/

SQLi, XSS zero-days expose Belkin IoT devices, Android smartphones

November 11, 2016 by Anthony Clayton Fecondo Leave a Comment

Researchers from Invincea Labs recently discovered two zero-day vulnerabilities in Belkin’s home automation devices. These vulnerabilities were SQL injection and cross-site scripting. The devices utilize an app to allow users to control various Internet of Things devices in their home through one interface. However, using SQL injection, hackers can change or insert new rules into the database that the application uses in order to control the devices.

Google brands malicious websites with ‘repeat offender’ warnings

November 9, 2016 by Brent Easley 1 Comment

http://www.pcworld.com/article/3139972/internet/google-brands-malicious-websites-with-repeat-offender-warnings.html


Google, in a fight to protect the users of its browser, now has a Safe Browsing arsenal to protect them from websites with malware and unwanted software. Google will flag the websites as unsafe using a big red warning sign in the browser. Sites will have to apply to Google to get the warning lifted. Site owners will not be able to apply for a repeal of the warning for 30 days. The large red warning sign will remain until after the repeal process.


“Some SuperPAC Websites Are Not Super-Secure”

November 9, 2016 by Mengqi He 1 Comment

Recent research found gaping security holes in several SuperPAC public websites that may expose personal information of donors and other sensitive data. These vulnerabilities range from weak or nonexistent encryption and open ports to old and outdated server platforms. Security firm UpGuard assessed the security posture of the top SuperPACs active in the 2016 US election, and found that most of them could reach the average level of security. SuperPACs do not store payment information, but they keep donors’ personal information. Exposing donors’ identities is a great issue because the purpose of these organizations is to hide who’s giving money. The main vulnerabilities are due to lack of encryption, no email authentication to avoid phishing scams, open SQL ports, and no DNSSEC adoption.

Link: http://www.darkreading.com/vulnerabilities—threats/some-superpac-websites-are-not-super-secure/d/d-id/1327430


DDoS Attacks on Apartments’ Heating System Left Residents Cold and Angry

November 9, 2016 by Wayne Wilson 2 Comments

https://www.hackread.com/ddos-attacks-on-apartments-heating-system/


Here is an example of how incorporating IoT into our everyday lives could have a crippling effect on us. An apartment building in the city of Lappeenranta in Finland had its heating system hit with a DDoS attack, causing residents to lose heat and hot water. Luckily, on the day of the attack, the temperature was 20℉. Lappeenranta is known to have temperatures go as low as -25℉ in the winter.

China’s new cybersecurity bill alarms human rights experts

November 8, 2016 by Ioannis S. Haviaras 6 Comments

Chinese courts have signed into law an agreement that will make it more difficult for companies to house data on servers inside the country. The data that is housed in the country must now be censored even though the company may not be in China. This changes the landscape of freedom of speech on the internet. Since China is the biggest internet market in the world, with over 700 million users (double the population of the United States), it could have serious implications for censorship throughout the world. State-run press in the country states that this censorship will help with fraud in the country. Hopefully companies doing business in China can find somewhere else to house their data to avoid censorship of the internet.

Article: https://www.cnet.com/news/chinas-new-cyberlaws-have-many-scared/

FBI: New Malware to Spur More Large-Scale Cyber Attacks

November 7, 2016 by Shain R. Amzovski Leave a Comment

This article discusses how IoT devices have been used in botnets created by malware to attack companies. The FBI warns that new attacks may occur, different from the Mirai attacks that took place last month. Since most IoT devices were not designed to withstand attacks, it is hard to prevent these attacks from occurring.

Article: FBI: New Malware to Spur More Large-Scale Cyber Attacks

SQLi, XSS zero-days expose Belkin IoT devices, Android smartphones

November 7, 2016 by Ahmed A. Alkaysi 1 Comment

Security researchers discovered a couple of flaws in Belkin home devices and discussed them during last Friday’s Black Hat Europe conference. These were SQL injection and XSS vulnerabilities, the same ones we discussed last class. The SQL injection vulnerability ultimately led to root access being compromised for these devices. The XSS vulnerability allowed personal information, such as pictures of GPS locations, to be sent to a remote server. These issues are very concerning. As people start to connect their homes with these devices, this can be a serious safety issue. Belkin has since released firmware to fix these vulnerabilities, but there needs to be more done in order to mitigate this. There is a lot more information in the article; definitely check it out.

Article: http://www.csoonline.com/article/3138935/security/sqli-xss-zero-days-expose-belkin-iot-devices-android-smartphones.html
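Both Belkin posts on this page describe an app whose device-control rules live in a database that the app updates from user-supplied text. As an added example (not Belkin's code; the table layout and inputs are constructed for the demo), here is a minimal rule store in Python with `sqlite3`, showing the injectable query next to the parameterized query that fixes it. The hostile input is the textbook always-true condition; the point is that the bound parameter keeps the same text from changing what the query does.

```python
# Added example: a tiny rule store with an injectable UPDATE beside its
# parameterized replacement. Schema and inputs are constructed for the demo.
import sqlite3


def make_store():
    """In-memory rule table with two constructed automation rules."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rules (name TEXT, action TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO rules VALUES (?, ?, 1)",
                     [("porch light", "on at dusk"), ("heater", "off at 23:00")])
    conn.commit()
    return conn


def disable_rule_vulnerable(conn, name):
    """String concatenation: the caller's text is parsed as part of the SQL."""
    conn.execute("UPDATE rules SET enabled = 0 WHERE name = '" + name + "'")
    conn.commit()


def disable_rule_safe(conn, name):
    """Bound parameter: the text is passed as data and never parsed as SQL."""
    conn.execute("UPDATE rules SET enabled = 0 WHERE name = ?", (name,))
    conn.commit()


def enabled_rules(conn):
    """Names of the rules that are still enabled, in a stable order."""
    return [row[0] for row in
            conn.execute("SELECT name FROM rules WHERE enabled = 1 ORDER BY name")]


# Constructed hostile input: closes the quoted string and appends an
# always-true condition, so the concatenated WHERE clause matches every row.
HOSTILE_NAME = "x' OR 'a'='a"


if __name__ == "__main__":
    store = make_store()
    disable_rule_vulnerable(store, HOSTILE_NAME)
    print("after vulnerable update, enabled rules:", enabled_rules(store))  # []

    store = make_store()
    disable_rule_safe(store, HOSTILE_NAME)
    print("after safe update, enabled rules:", enabled_rules(store))  # both rules untouched

    disable_rule_safe(store, "heater")
    print("after disabling 'heater' safely:", enabled_rules(store))  # ['porch light']
```

With the parameterized query the hostile string is compared literally against the `name` column, matches nothing, and no rule changes; the only code difference between the two functions is the `?` placeholder and the parameter tuple, which is the change a defender wants in every query that touches user input.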
