Introduction to Ethical Hacking

Temple University

Week 12 Review.

Web Services are defined in the reading as “component services that others might use to build bigger service.” An example of this is a service that automatically updates the stock price while you’re reading a Wall Street Journal article about a company. This led me to the question “what is the difference between a web application and a web service?” So I did a little poking around, and it looks like one of the big differences is that an application is full-service, with a user interface, and much more robust. A web service is part of a larger presentation on the webpage; the stock price updater is just a component of the presentation of the story. If you went to the Wall Street Journal stock tracker, that would be an application because it has a full interface where you can select stocks, see prices, select different periods of time for the chart and completely customize the experience.

Web services can be attractive for launching attacks because they run through ports that are often kept open so advanced queries can get through a firewall. Web services are also good for reconnaissance and present a number of opportunities for denial-of-service attacks.

My question for the class would simply be if my above explanation of the difference between an application and service is correct.

News article: Comcast resetting passwords of users whose account credentials were posted online http://www.zdnet.com/article/comcast-resets-passwords-after-login-details-posted-on-dark-web/

590,000 Comcast account credential combinations were released on a dark market website selling access to the accounts in exchange for bitcoin. Comcast says about 1/3 of these are still active accounts. I thought this was of interest because even though Comcast is, and will continue to be, the one who suffers the PR blowback for this, it appears it was a 3rd party vendor who had the security breach. It reminds us how important it is to have proper controls in place with 3rd party vendors to ensure security of data, because the 3rd party vendor won’t face nearly the backlash that the other company receives.

Week 11 Summary

SQL injection is a SQL vulnerability in the database that allows certain queries to be typed in or exploited to reveal the contents of the database. One way of doing this is going into a user input page and typing "any' 1=1#;", which would tell the database, if 1=1, then reveal the database contents. One can tamper with the URL if the URL reveals the user input, and put SQL queries in the URL, such as "order by 1", to test how many rows or entries are in the database.

Some SQL injection tools are Tamper Data and cookie functions. One can find the cookie session for the logins, and as long as the user is logged in, you can paste the cookie session into the URL to catch the login session. Tamper Data is for when the code will not allow you to tamper with the input. Tamper Data, on Mozilla Firefox or Iceweasel, will allow you to modify the input type to test for SQL vulnerabilities or gain database contents.

SQL Map will automate most SQL attacks for you, test if the website is vulnerable, and run the SQL injection attack, returning the results.

News article:

Canada wants to hack its own trucks to find vulnerabilities.
http://www.popularmechanics.com/military/research/a18071/the-canadian-military-wants-to-hack-their-own-trucksbefore-someone-else-does/
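The URL probing described in the post above (quotes, "order by 1", "1=1" tautologies placed in query-string parameters) leaves a recognisable trace in web server logs. The following is an added example, not code from the post or the course, that shows a defender's view of it: it parses a few constructed Apache-style access-log lines, URL-decodes each query parameter, and flags values that contain SQL syntax. The log lines, IPs and patterns are all constructed for illustration; a real deployment would tune the patterns to its own application.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2015:10:01:12 -0500] "GET /article.php?id=17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Nov/2015:10:01:40 -0500] "GET /article.php?id=17%27%20order%20by%201-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Nov/2015:10:02:03 -0500] "GET /login.php?user=admin%27%20OR%201%3D1%23&pass=x HTTP/1.1" 200 890 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Nov/2015:10:03:15 -0500] "GET /search.php?q=order+history HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative signatures of SQL syntax inside a decoded parameter value.
# Each one requires a quote or comment marker, so ordinary words such as
# "order history" in a search box do not trigger an alert.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),  # tautology after a closing quote
    re.compile(r"'\s*order\s+by\s+\d+", re.I),          # column-count probe after a quote
    re.compile(r"'\s*union\s+(all\s+)?select\b", re.I), # union-based data extraction
    re.compile(r"(--|#|/\*)\s*$"),                      # trailing SQL comment marker
]


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(url):
    """Return (name, decoded_value) pairs whose value matches an SQL-syntax pattern."""
    query = urlsplit(url).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decodes once; decode again to catch double-encoded values.
        decoded = unquote_plus(value)
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Scan log text and return one alert per request carrying suspicious parameters."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["url"])
        if hits:
            alerts.append({"ip": rec["ip"], "status": rec["status"], "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Two of the four constructed lines are flagged (the `order by` probe and the `OR 1=1` login attempt, both from the same client), while the benign search for "order history" is not, because the patterns require the quote or comment character that a probe needs and a normal search term lacks. Correlating the flagged requests with their HTTP status (the 500 on the second line) is a useful second signal, since a probe that breaks the query often produces a server error.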

Week 11: SQL Injection Analysis and Related Article

Web application vulnerabilities are rampant, and the most popular form of this style of attack is SQL injection. The attacker in this attack format will attempt to place data that is interpreted as instructions in common inputs. There are many goals associated with such an attack; an attacker may use SQL injection to perform a number of database exploits, all the way through circumventing authentication and finally gaining complete administrative control of the sought-after databases from a remote server.

The reason why this style of attack is so effective is because SQL is the standard language for accessing databases. Moreover, the majority of web applications today use some sort of SQL database to store data for the application.

Problems come up time and time again because strings are not properly escaped. Secondly, data types are appropriately restricted and constrained. There are ways to prevent SQL injection but not eliminate it. First, we will need to constrain data types (e.g. an integer data field should only accept integer values, etc…). Another way is to ensure that user input is escaped if possible, meaning escaping the apostrophes and backslashes (e.g. ‘, \’, \, \\). Finally, I have also read that the best way is using prepared statements; although they were originally designed to optimize database connectors, prepared statements separate user data from SQL instructions. In view of that, when one uses prepared statements, the user input will not be interpreted as SQL instructions.

News Article:
Attackers used SQL injection flaw to attack Joomla. Within hours of discovery, release and patching of a critical vulnerability, malicious attackers began exploiting Joomla, a popular open-source content management system. This SQL injection flaw found in versions 3.2 and 3.4.4 of Joomla could potentially grant attackers full administrative access to any vulnerable site. This vulnerability was discovered by Trustwave researchers. For more information on this article, please click on the link below.

Week 11 Summary

Reading: Full SQL Injection Tutorial

SQL injection is a technique that uses code injection via malicious statements and commands to attack applications with the goal of dumping the database contents to the attacker. The tutorial goes to lengths explaining each line of code, with expected results and variations. While it involves a fair amount of guessing, the article also provided the most common names of tables and columns.

A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete) and issue commands to the operating system.

Mitigation options include parameterized statements, escaping, pattern checks, hexadecimal conversion and limiting permissions on the database. Parameterized statements treat the injection as a strange parameter value and do nothing to it.

In The News:

$1 million bounty for hacking iPhone has been claimed

Apple devices are widely considered extremely secure and hard to hack. But as the internet adage says, everything can be hacked—even the new iPhone. The challenge consisted of finding a way to remotely jailbreak a new iPhone or iPad, allowing the attacker to install any app he or she wants with full privileges. The initial exploit, according to the terms of the challenge, had to come through Safari, Chrome, or a text or multimedia message.
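The two posts above both name the same mitigations: constrain data types, escape, and above all use prepared (parameterized) statements so that user input is never interpreted as SQL. The following added example, which is not code from the tutorial or from either post, makes the difference concrete using Python's standard sqlite3 module and a constructed in-memory table. `login_vulnerable` builds the query by string concatenation, so a tautology in the username satisfies the WHERE clause; `login_parameterized` sends the same input as a bound parameter, so it is compared literally and fails; `get_user_by_id` shows the data-type constraint, rejecting anything that is not an integer before it reaches the database. The table, rows and sample input are all constructed.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "pw-alice"), ("bob", "pw-bob")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is concatenated into the SQL text itself."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened: the SQL text is fixed; the driver binds the values separately."""
    cur = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    )
    return cur.fetchone() is not None


def get_user_by_id(conn, raw_id):
    """Type constraint: an integer field accepts only an integer, nothing else."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    row = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the same tautology input through both login paths and report the outcome."""
    conn = make_db()
    # Constructed tautology: closes the string literal, adds OR 1=1, comments out the rest.
    tamper = "' OR 1=1 --"
    return {
        "vulnerable_bypass": login_vulnerable(conn, tamper, "wrong"),
        "parameterized_bypass": login_parameterized(conn, tamper, "wrong"),
        "parameterized_real_login": login_parameterized(conn, "alice", "pw-alice"),
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the submitted text becomes `WHERE username = '' OR 1=1 --' AND password = 'wrong'`, which matches every row, so the function reports a successful login without a valid password. In the parameterized path the database engine receives the query shape and the values through separate channels, so `' OR 1=1 --` is just an unusual username that matches nothing. The integer check is the cheapest of the three controls and belongs in front of the query regardless of which of the other two is used.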

Week 11 – Summary

SQL Injection reading

SQL injection techniques are one of the most popular code injection methods used by hackers to attack websites. An attacker finds vulnerabilities in the target website or SQL-based application software. Then, an attacker exploits those vulnerabilities by issuing malicious SQL statements or by exploiting incorrect input. It is done by probing techniques: using various variables in the web address allows one to test whether the target website is vulnerable. Once exploited, an attacker attempts to gain admin/root access rights to the server or SQL DB. When successful, the attacker is able to gather useful and valuable information such as user names, passwords, credentials, etc. that are used to access the databases, systems and other network resources.

Question to the Class: Is there any useful tool that allows one to use predefined-variable SQL injection commands based on an entered website address?

In the News

A security researcher in Germany has managed to hack an ATM and a self-service terminal from Sparkasse Bank, which allowed him to reveal sensitive details from the payment card inserted into the machine.

Read more at: http://thehackernews.com/2015/11/german-atm-hack.html

Week 11: Reading Summary, InTheNews, Question for class…

Reading: Marezzi@gmail.com (2008), “Full SQL Injection Tutorial”. The tutorial describes SQL injection as a code insertion technique for attacking poorly implemented data-driven client-server and n-tier applications based on databases that support SQL. Poverty of implementation comes into play when user input is not strongly typed and unexpected code is executed, or user input is incorrectly filtered and literal escape characters embedded in SQL expressions are permitted to execute and run nefarious commands. Successful SQL injection attacks can be used to probe and exploit any unprotected SQL database or website supported by a SQL database. The result of SQL injection can violate the database’s confidentiality, integrity or availability.

InTheNews: Kovacs, E. 2015-09-17, “Russian Hackers Target Industrial Control Systems: US Intel Chief.” Security Week. Russian actors have compromised at least three industrial control systems (ICS) vendors’ product supply chains with malware, and the production lines of many are at risk. “Supply chains are difficult to secure, they create risk that is hard to identify, complicated to quantify and costly to address. A compromise anywhere in the supply chain can have just as much impact on your organization, and its reputation, as one from within the organization. … There’s a great necessity to track everything that is happening in the supply chain as even the smallest supplier or the slightest hiccup can have dangerous impact on your business.” http://www.securityweek.com/russian-hackers-target-industrial-control-systems-us-intel-chief

Question for Class: What would be a practical/feasible approach to managing the cost implications of the need for ‘cradle to grave’ supply chain security for small high-tech firms integrating industrial controls for clients?

Week 11

SQL injection is a technique where someone uses the URL of a website to inject SQL queries and establish information about the SQL database that the application runs off of. Once the information is gathered it is possible to launch more attacks. Using this technique, you can get usernames and passwords and then go further from that point. Someone could get any information from the table if they’re able to properly guess what the column or row heading might be.

Question for the class. How would you prevent against this type of attack?

Article: http://www.zdnet.com/article/dark-mail-debut-to-open-door-for-lavabit-return-ladar-levison/

The same guy behind Snowden’s encrypted email service is working on a new set of protocols and software from the ground up to create a new surveillance-proof service for security-minded individuals. This is an interesting project and will further the conversation about what information companies are responsible for providing to authorities, how we go about obtaining data from emails, etc.

Week 11 Reading Summary, Question, and recent Cyber Security News…

1. Summarize one key point from each assigned reading…

Regarding SQL code injection attacks, hackers would input unexpected characters/text-strings/commands into an online system (front-end)… in order to exploit possible SQL db system (back-end) vulnerabilities (map db system, bypass authentication, write new info [create user accounts], copy/extract db data, etc.). In order to find SQL injection vulnerabilities, one can just input unexpected characters (' ; " -- AND OR), and then check the online system output results (system errors, output changes, etc.). Additionally, one can perform automated exploitations using the software tool “SQLmap”; however, manual methods make for a more knowledgeable SQL injection hacker.

2. Question to classmates (facilitates discussion) from assigned reading…

Which SQL-based db technology (Microsoft SQL, open-source MySQL, Oracle SQL, etc.) has more SQL injection vulnerabilities?

*Answer: All outdated SQL-based db technologies have vulnerabilities, and it is always best for DBAs to configure/maintain SQL dbs with the most updated SQL db technology. Also, DBAs should always perform SQL db data input validation checking/testing prior to enabling production online systems.

3. Identify, read, and post to our blog a current event article regarding ethical hacking & penetration testing (follow theme topic of the week, or other interesting related article)…

In the Cyber Security News lately

Attackers used SQL injection flaw to attack Joomla (reported on eHackingNews.com 11/2/2015)…

www.ehackingnews.com/2015/11/attackers-used-sql-injection-flaw-to.html

… SQL injection flaws found in v3.2 – 3.44 of Joomla (popular open-source content management system) where remote user hackers could gain full admin access… to then execute additional attacks. Only four (4) hours after the Joomla critical patch release, hackers had already begun Joomla system exploits. Web admins from more popular online sites must quickly (within a few hours after vulnerability info is released online) upgrade their Joomla systems in order to help thwart these types of SQL injection attacks!