Posts Tagged ‘sql injection’

Glastopf Web application honeypot gets SQL injection simulation capability

Tuesday, September 11th, 2012

The Honeynet Project, a non-profit organization that develops open-source security research tools, has added a component for the Glastopf Web application honeypot module that can emulate applications vulnerable to SQL injection attacks in order to trick attackers into revealing their intentions.

In the context of computer security, honeypots are systems that are intentionally left vulnerable in order to collect technical information about attacks. That information can be used to strengthen the security of other systems found on the same network or to develop attack signatures for security products like firewalls.

Honeypots can be used by researchers to study previously unknown attacks and capture previously undetected malware, or can be used by businesses to learn how a system exposed to the Internet with a particular configuration would be targeted by hackers.

One of the several honeypot tools developed by people involved in the Honeynet Project is called Glastopf and consists of a Web server that actively emulates vulnerable Web applications in order to attract attackers.

Glastopf has been in development since 2009 and is now at version 3. However, until last week, it lacked the capability of emulating SQL injection vulnerabilities, an important category of Web application vulnerabilities that are commonly targeted by attackers.

That’s no longer the case, since on Saturday the Honeynet Project released an SQL injection “handler” for the Glastopf Web application honeypot.

The new component was developed as part of Cyber Fast Track, a research program funded by the Defense Advanced Research Projects Agency (DARPA), the research arm of the U.S. Department of Defense.

“The main goal of this project was the development of a SQL injection vulnerability emulator that goes beyond the collection of SQL vulnerability probings,” the Honeynet Project said in a blog post on Saturday. “It deceives the adversary with crafted responses matching his request into sending us the malicious payload that could include all kinds of malicious code.”

SQL injection vulnerabilities allow attackers to write malicious data into a website’s database or to extract sensitive information from it. Because of this, they can result in serious data breaches.
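As an added illustration of the defect just described (example code written for this page, not code from the article or from the Glastopf project), the following Python snippet contrasts a query assembled by string formatting with a parameterized one, run against a constructed in-memory SQLite table; the table contents and the probe string are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a website's user table (example
# rows, not from any real site).
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


CONN = build_db()


def lookup_vulnerable(username: str) -> list:
    # Untrusted input is spliced into the SQL text, so characters in it
    # (a quote, OR, UNION, ...) can change the query's structure. This is the
    # defect that SQL injection exploits.
    sql = "SELECT id, username, email FROM users WHERE username = '%s'" % username
    return CONN.execute(sql).fetchall()


def lookup_parameterized(username: str) -> list:
    # The SQL text is fixed; the value is bound separately by the driver, so
    # whatever the input contains it is compared as a literal string.
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return CONN.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    probe = "' OR '1'='1"  # textbook tautology probe, used only to show the contrast
    print("vulnerable   :", lookup_vulnerable(probe))     # returns every row
    print("parameterized:", lookup_parameterized(probe))  # returns no rows
```

The vulnerable lookup hands back the whole table for the probe, which is exactly the "extract sensitive information" outcome described above; the parameterized one finds no user named `' OR '1'='1`.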

According to a semi-annual report released by security firm Imperva in August, the median number of SQLi attacks experienced by a typical Web application between December 2011 and May 2012 was 17.5, and in the worst case it was 320.

Black Hat 2012: Dan Kaminsky tackles secure software development

Thursday, July 26th, 2012

Dan Kaminsky’s annual “black ops” talk Wednesday at the 2012 Black Hat Briefings conference was a departure from past years’ presentations, which were deep dives with a singular focus, exploring vulnerable core network functionality such as DNS security vulnerabilities and more.

Instead, this year he offered attendees a macro view of security and insight on the potential effects on the economy and national security if the current state of affairs in information security isn’t reversed.

“We have to fix this,” Kaminsky told a packed session hall. “And we’re not going to fix it by

Primarily, Kaminsky focused on the need for better code writing and secure software development, not only for Web applications but also OS kernel development. Kaminsky also proposed new technical means for improving the time it takes to find bugs, as well as a pitch for Net neutrality, a cause he’s championed in the past, and the censorship of information and traffic by

Kaminsky said developers are the key to righting the security ship. He said developers want their code to work, they don’t want data to escape and they want simple tools that don’t impede performance or deadlines.

“Developers are in charge, not the architects, academics or management; security is not in charge either,” Kaminsky said. “We have to give them useful stuff. [Developers] like their code to

Kaminsky held SQL injection vulnerabilities up as an example of continued coding issues that are exploited with great success — and could have been fixed with equal success.

“We have to stop making fun of these attacks,” Kaminsky said, noting that the sheer number of successful SQL injection attacks has numbed security teams to their seriousness. “The majority of these attacks are used to steal stuff, and they’re killing us. They’re not [elite], and they are

For example, attackers used a blind SQL injection attack last year to take down a website and expose data. Research from the Privacy Rights Clearinghouse released last year said that 83% of hacking-related data breaches were executed via SQL injection attacks. Additional research from Redwood Shores, Calif.-based data protection vendor Imperva Inc. put the number of Web applications vulnerable to SQL injection at 115 million.

“We can say that we’re fixing these problems, but if they were getting fixed, this would not be so pernicious,” Kaminsky said. “We have to figure out what new tools we can give to developers to enable them to write code the way they want to.”

Kaminsky’s anti-censorship efforts continue as well. Last year at Black Hat, he announced a new tool he called N00ter, which is essentially a filter that screens out routers that could change the path and delivery time of traffic packets, leaving only ISP-to-source paths.

“The Internet is less flat every day. Content is changing based on where you are, and not because of those running websites. It’s because ISPs and governments are altering content,” he said. “Sometimes this is silently done.”

Kaminsky said he’s working with privacy and civil liberties organizations such as the Electronic Frontier Foundation to counter Internet censorship by giving them the data streams generated by N00ter and other tools, only as a data source, rather than as a data manager.

“I want to give them a mechanism to see what’s available and what’s being blocked,” Kaminsky

Internet security improved but tainted exploits grow, IBM says

Saturday, March 24th, 2012

IBM said it found surprising improvements in Internet security, such as a reduction in application security vulnerabilities, exploit code and spam, but it also noted that those improvements come with a price: attackers have been forced to rethink their tactics.

IBM’s security group, X-Force, released its 2011 Trend and Risk Report, which surveys some 4,000 customers, and the report showed the following:

• Spam out: a 50% decline in spam email compared to 2010.

• Better patching: Only 36% of software vulnerabilities remained unpatched in 2011, compared to 43% in 2010. Some security vulnerabilities are never patched, but the percentage of unpatched vulnerabilities has been declining steadily over the past few years.

• Higher quality of software application code: Web-application vulnerabilities called cross-site scripting (XSS) are half as likely to exist in clients’ software as they were 4 years ago, IBM stated. However, XSS vulnerabilities still appear in about 40% of the applications IBM scans.

• Fewer exploits: When security vulnerabilities are disclosed, exploit code is sometimes released that attackers can download and use to break into computers. Approximately 30% fewer exploits were released in 2011 than were seen on average over the past 4 years.

Of course there is a dark side. These are the new security problem trends IBM reported:

• Shell command injection vulnerabilities more than doubled: For years, SQL injection attacks against Web applications have been a popular vector for attackers of all types. SQL injection vulnerabilities allow an attacker to manipulate the database behind a website. As progress has been made to close those vulnerabilities — the number of SQL injection vulnerabilities in publicly maintained Web applications dropped by 46% in 2011 — some attackers have now started to target shell command injection vulnerabilities instead. These vulnerabilities allow the attacker to execute commands directly on the Web server. Shell command injection attacks rose by two to three times over the course of 2011.
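An added example (written for this page, not taken from the IBM report) of the shell command injection defect this item describes, beside its hardened form. The `echo` command stands in for whatever network utility a Web application might hand a user-supplied hostname to, and the hostname allow-list pattern is an assumed policy.

```python
import re
import subprocess

# Assumed allow-list for a hostname parameter (example policy): letters,
# digits, dots and hyphens only, which excludes every shell metacharacter.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_accepted(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def lookup_vulnerable(host: str) -> str:
    # Untrusted input is pasted into a command line that /bin/sh parses, so a
    # ';', '|' or '$(...)' in the input ends the intended command and starts
    # another one, run with the Web server's privileges.
    result = subprocess.run("echo " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_without_shell(host: str) -> str:
    # No shell in the path: the argument list goes straight to execve, so the
    # whole input is one argv element and cannot introduce further commands.
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


def lookup_hardened(host: str) -> str:
    # Defense in depth: reject input outside the allow-list, then invoke the
    # utility without a shell even for input that passed the check.
    if not is_accepted(host):
        raise ValueError("rejected hostname: %r" % host)
    return run_without_shell(host)


def commands_run(output: str) -> int:
    # Each output line corresponds to one `echo` that actually executed.
    return len(output.splitlines())


if __name__ == "__main__":
    probe = "example.test; echo INJECTED"  # constructed injection probe
    print(lookup_vulnerable(probe), end="")   # two lines: a second command ran
    print(run_without_shell(probe), end="")   # one line: the probe, verbatim
    print(is_accepted(probe))                 # False: the allow-list rejects it
```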

• Automated password guessing: Poor passwords and password policies have played a role in a number of high-profile breaches during 2011. There is also a lot of automated attack activity on the Internet in which attackers scan the ’Net for systems with weak login passwords. IBM observed a large spike in this sort of password guessing activity directed at secure shell servers in the latter half of 2011.

• Increase in phishing attacks that impersonate social networking sites and mail parcel services: The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven’t been seen since 2008. Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to Web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites.

• Publicly released mobile exploits up 19% in 2011: This year’s IBM X-Force report focused on a number of emerging trends and best practices to manage the growing trend of “bring your own device,” or BYOD, in the enterprise. IBM X-Force reported a 19% increase over the prior year in the number of publicly released exploits that can be used to target mobile devices.

• Cloud computing presents new challenges: In 2011, there were many high-profile cloud breaches affecting well-known organizations and large populations of their customers. IT security staff should carefully consider which workloads are sent to third-party cloud providers and what should be kept in-house due to the sensitivity of the data, IBM said. The IBM X-Force report notes that the most effective means for managing security in the cloud may be through Service Level Agreements (SLAs), because of the limited control that an organization can realistically exercise over a cloud computing service. Therefore, careful consideration should be given to ownership, access management, governance and termination when crafting SLAs, IBM stated.

Follow Michael Cooney on Twitter: @nwwlayer8 and on Facebook.

Sony Europe hacked by Lebanese grey hat hacker

Saturday, June 4th, 2011

A grey hat hacker known as idahc has managed to compromise Sony Europe’s Application Store database.

The SQL injection hack has revealed 120 credentials, including the username, password, mobile, office, email, and website of the affected users — all in plain text. Last week, the same hacker had once again managed to compromise, with the hacker claiming that he had the ability to extract credit card data, but didn’t do it since he doesn’t consider himself a black hat.
