<BODY><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/platform.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d18755935\x26blogName\x3dVINOD+MEDIA%E2%84%A2\x26publishMode\x3dPUBLISH_MODE_BLOGSPOT\x26navbarType\x3dBLUE\x26layoutType\x3dCLASSIC\x26searchRoot\x3dhttps://dmnvinod.blogspot.com/search\x26blogLocale\x3den_US\x26v\x3d2\x26homepageUrl\x3dhttp://dmnvinod.blogspot.com/\x26vt\x3d-1483311251890623224', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe" }); } }); </script>

SQL Injection

Thursday, September 28, 2006


Hackers have a wide arsenal of attack mechanisms, from which they choose the one most suited to a particular vulnerability. SQL Injection is perhaps one of the most common application layer attack techniques used by hackers.

SQL injection is the hacking technique which attempts to pass SQL commands through a web application for execution by a backend database.

The technologies vulnerable to this attack are dynamic script languages including ASP, ASP.NET, PHP, JSP, and CGI. All an attacker needs to perform an SQL Injection hacking attack is a web browser and creative guess work to important table and field names. The sheer simplicity of SQL Injection has fuelled its popularity.

SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.

Detailed description

Databases are fundamental components of Web applications. Databases enable Web applications to store data, preferences and content elements. Using SQL, Web applications interact with databases to dynamically build customized data views for each user. A common example is a Web application that manages products. In one of the Web application's dynamic pages (such as ASP), users are able to enter a product identifier and view the product name and description. The request sent to the database to retrieve the product's name and description is implemented by the following SQL statement.

SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = ProductNumber

Typically, Web applications use string queries, where the string contains both the query itself and its parameters. The string is built using server-side script languages such as ASP, JSP and CGI, and is then sent to the database server as a single SQL statement. The following example demonstrates an ASP code that generates a SQL query.

sql_query= "SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = " & Request.QueryString("ProductID")

The call Request.QueryString("ProductID") extracts the value of the Web form variable ProductID so that it can be appended as the SELECT condition.

When a user enters the following URL:

http://www.mydomain.com/products/products.asp?productid=123

The corresponding SQL query is executed:

SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = 123

An attacker may abuse the fact that the ProductID parameter is passed to the database without sufficient validation. The attacker can manipulate the parameter's value to build malicious SQL statements. For example, setting the value "123 OR 1=1" to the ProductID variable results in the following URL:

http://www.mydomain.com/products/products.asp?productid=123 or 1=1

The corresponding SQL Statement is:

SELECT ProductName, Product Description From Products WHERE ProductNumber = 123 OR 1=1

This condition would always be true and all ProductName and ProductDescription pairs are returned. The attacker can manipulate the application even further by inserting malicious commands. For example, an attacker can request the following URL:

http://www.mydomain.com/products/products.asp?productid=123;DROP TABLE Products

In this example the semicolon is used to pass the database server multiple statements in a single execution. The second statement is "DROP TABLE Products" which causes SQL Server to delete the entire Products table.

An attacker may use SQL injection to retrieve data from other tables as well. This can be done using the SQL UNION SELECT statement. The UNION SELECT statement allows the chaining of two separate SQL SELECT queries that have nothing in common. For example, consider the following SQL query:

SELECT ProductName, ProductDescription FROM Products WHERE ProductID = '123' UNION SELECT Username, Password FROM Users;

The result of this query is a table with two columns, containing the results of the first and second queries, respectively. An attacker may use this type of SQL injection by requesting the following URL:

http://www.mydomain.com/products/products.asp?productid=123 UNION SELECT user-name, password FROM USERS

The security model used by many Web applications assumes that an SQL query is a trusted command. This enables attackers to exploit SQL queries to circumvent access controls, authentication and authorization checks. In some instances, SQL queries may allow access to host operating system level commands. This can be done using stored procedures. Stored procedures are SQL procedures usually bundled with the database server. For example, the extended stored procedure xp_cmdshell executes operating system commands in the context of a Microsoft SQL Server. Using the same example, the attacker can set the value of ProductID to be "123;EXEC master..xp_cmdshell dir--", which returns the list of files in the current directory of the SQL Server process.


Example of a SQL Injection attack

Here is a sample basic HTML form with two inputs, login and password.






The easiest way for the login.php to work is by building a database query that looks like this:

"SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'";

If the variables $username and $password are requested directly from the user's input, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x

"SELECT id
FROM logins
WHERE username = 'Vinod'
AND password = 'anything' OR 'x'='x'";

Because the application is not really thinking about the query, but just constructing a string, the use of the single quotes has turned the WHERE into a two-component clause. The 'x'='x' part guarantees to be true regardless of what the first part contains.

This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!

Labels:

IDS vs IPS



It seems that there are always new battles being fought, as fanatics unfurl their banners to declare that Linux will overtake Windows, that asynchronous transfer mode is dead or that the world is moving to Internet Protocol telephony. These debates stir passion and serve as fodder for lively conversations at trade shows.

But besides their entertainment value, religious wars are invariably unproductive and only confound users.

Along those lines, consider the classic religious war now dividing the field of information security, where proponents are squaring off over the merits of intrusion detection systems (IDSes) versus intrusion prevention systems (IPSes).

The struggle has been especially fierce since mid-2003, when a group of industry experts declared that IDSes would be killed off by the evolving superiority of IPS systems. Rather than clearing the air, this proclamation only added to general confusion. That led users to delay purchases, leave networks inadequately protected and suffer through abundant attacks.

Let's set the record straight.

IPS devices act as security checkpoints. Packets receive some basic screening at the gateway but are interrogated far more aggressively by the addition of an IPS. The device isn't looking for every potential security threat. Rather, it's looking for known problems and blatantly suspicious behavior.

Packets that violate protocols or contain malicious payloads get terminated--no questions asked. To perform this task, IPS devices take an active role in the security infrastructure. They sit in line on corporate networks, making decisions about packets like routers and switches do.

People who take a dogmatic position on technology issues probably aren't helping their employer.
IDS devices live a more passive existence, something along the lines of a security camera. A security camera may pinpoint illegal activity, but it depends on human beings to foil the intruders. IDS devices provide a similar function by sitting offline and monitoring packets as they go by. When an IDS sees anything that looks at all suspicious, it sounds the alarm. Then, it is up to a security administrator to review the alert and take appropriate action.

Now, here comes the religious-war part. IPS bigots say today's threats need immediate attention and that IDSes are simply too passive to prevent attacks. They go on to say that IDS devices are also too paranoid. IDSes spit out thousands of false-positive alerts, they say, leaving the responsibility of finding the threat-related needles among the security alert haystacks to overburdened security personnel.

Hello? These devices are called intrusion detection systems because they were designed to detect, not prevent, malicious activity. Security cameras don't magically change into pitbulls when a thief appears. As for false-positive alerts, IDSes were engineered to be obsessive. Too many false positives, you say? Fine, tune the system. Every environment is different, so you can't rely on default settings. This takes some work, but last time I checked, system tuning always does.

IDS zealots have their own brand of passionate rhetoric. They say IPS devices can slow the network, act as a single point of failure or block legitimate traffic. These objections have roots of legitimacy but are no longer true. Today's IPS systems are built on top of lightning-fast components to keep up with almost any network. To maintain availability, IPS devices can be clustered for high-availability protection, and once again, system tuning is the key to blocking malicious code while waving legitimate traffic through.

IDS and IPS devices actually work best in tandem. The IPS device blocks known hostile code, while the IDS provides another set of eyes into real-time and historical security events. In other words, this isn't an "either...or" decision; implementing both IDS and IPS devices offers the highest level of security protection.

Companies make decisions based on business needs, and people who take a dogmatic position on technology issues probably aren't helping their employer. All they're doing is recruiting foot soldiers for a self-serving technology jihad.

Labels:

War Driving



Wardriving is searching for Wi-Fi wireless networks by moving vehicle. It involves using a car or truck and a Wi-Fi-equipped computer, such as a laptop or a PDA, to detect the networks. It was also known (as of 2002) as "WiLDing" (Wireless Lan Driving, although this term never gained any popularity and is no longer used), originating in the San Francisco Bay Area with the Bay Area Wireless Users Group (BAWUG). It is similar to using a scanner for radio.

Many wardrivers use GPS devices to measure the location of the network find and log it on a website (the most popular is WiGLE). For better range, antennas are built or bought, and vary from omnidirectional to highly directional. Software for wardriving is freely available on the Internet, notably, NetStumbler for Windows, Kismet for Linux, and KisMac for Macintosh.

Wardriving was named after wardialing (popularized in the Matthew Broderick movie WarGames) because it also involves searching for computer systems with software that would use a phone modem to dial numbers sequentially and see which ones were connected to a fax machine or computer, or similar device. (Audio commentary on the Wargames DVD says that wardialing was named after the movie and the software did not openly exist before the movie.)


Anyone who intends to listen to radio transmissions should be aware of the following:

A licence is not required for a radio receiver as long as it is not capable of transmission as well (The Wireless Telegraphy Apparatus (Receivers) (Exemption) Regulations 1989 (SI 1989 No 123). Furthermore, Wi-fi devices are a subset (defined under IEEE 802.11 interoperability standards) of the licence exempt RLAN segment of the 2.4Ghz radio frequency band. Under the terms of the exemption, a licence is only required for the operation of commercial wi-fi services such as "hotspots".

However, although it is not illegal to sell, buy or own a scanning or other receiver in the UK, it must only be used to listen to transmissions meant for GENERAL RECEPTION. The services that you can listen to include Amateur and Citizens' Band transmissions, licensed broadcast radio and weather and navigation broadcasts.

It is an offence to listen to any other radio services unless you are authorised by a designated person to do so.

There are two offences under law:

Under Section 5(1)(b) of the WT Act 1949 it is an offence if a person "otherwise than under the authority of a designated person,

either:

(i) uses any wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of any message whether sent by means of wireless telegraphy or not, of which neither the person using the apparatus nor a person on whose behalf he is acting is an intended recipient;

This means that it is illegal to listen to anything other than general reception transmissions unless you are either a licensed user of the frequencies in question or have been specifically authorised to do so by a designated person. A designated person means:

* the Secretary of State;
* the Commissioners of Customs and Excise; or
* any other person designated for the purpose by regulations made by the Secretary of State.

or:

(ii) except in the course of legal proceedings or for the purpose of any report thereof, discloses any information as to the contents, sender or addressee of any such message, being information which would not have come to his knowledge but for the use of wireless telegraphy apparatus by him or by another person."

This means that it is also illegal to tell a third party what you have heard.

With certain exceptions, it is an offence under Section 1 of the Regulation of Investigatory Powers Act 2000 for a person - "intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of:

* a public postal service; or
* a public telecommunication system."

It is similarly an offence to intercept any communication in the course of its transmission by means of a private telecommunication system.

This means that it is illegal to listen to telephone calls, including mobile phone networks which are designated as forming part of the public telecommunications system.

Labels: , , ,

RFID in Manufacturing Can Boost Productivity




The ability of radio frequency identification (RFID) technology to make the tracking and managing of assets more efficient and make inventory more visible offers an ideal solution for companies seeking to improve their manufacturing performance, according to global growth consulting company Frost & Sullivan. At the same time, as companies strive to tighten their brand security and protect their products from counterfeiting, RFID is emerging as the optimal solution to safeguard valuable products throughout the supply chain.

Frost & Sullivan finds that the European RFID Markets for Automotive, Aerospace and Industrial Manufacturing generated revenues of $23.7 million in 2005 and estimates this will reach $109.3 million in 2012.

"The unique features of RFID technology enable the development of a constant stream of innovative applications for manufacturing sectors", says Frost & Sullivan Research Analyst Rengarajan Srinivasan. "The rising need to accurately track valuable assets and products is creating significant scope for the use of RFID across a range of industrial sectors."

The highly competitive nature of modern manufacturing is driving manufacturers to reduce costs and adapt business to increasingly demand-oriented systems. In this context, RFID can enhance product availability for customers and boost productivity across the entire production process, said Frost & Sullivan. Moreover, its ability to enable just-in-time inventory control and asset management will allow companies to reduce order turn-around time and effectively manage fluctuating demand in automotive and consumer products markets.

However, the firm added, the return on investment (ROI) from RFID deployments is difficult to quantify, as the full benefits of the technology depend on its degree of integration into wider business processes. Difficulty in identifying a clear stand-alone ROI, coupled with its high implementation cost, poses a significant challenge to prospective entrants into the RFID market. The excitement and euphoria surrounding RFID in recent years, fuelled by the early retail mandates and pilot schemes, have created unrealistic expectations of the technology among many industries.

"As the RFID market starts the transition from technology trial stage toward early adopter phase, a key challenge will be to clearly identify the range of expected benefits," cautioned Srinivasan. "The uniqueness of each new RFID implementation due to varying company environments compounds this challenge, making meaningful comparisons of new systems with existing implementations unreliable. Over-optimistic or unclear objectives for implementing RFID are likely to have a negative impact on ROI and deter wider adoption."

The maximum ROI achievable from the adoption of RFID can only be realized if the designing of business processes allows operation within real-world environments and well-integrated IT infrastructures.

"Manufacturers need to establish a strong business case for implementing RFID systems and develop flexible frameworks for evaluating ROI," advised Srinivasan. "New entrants are likely to have a better understanding of the nature of ROI that is practically achievable from the experience of early adopters and increasing numbers of credible pilot schemes."

Labels:

Intel to Introduce 4 Core Processor this year not 2007



Pat Gelsinger, Intel senior vice president and general manager of the Digital Enterprise Group, in his keynote address at the Intel Developer Forum, outlined the next stage of the company's multi-core product roadmap and new industry initiatives that offer developers a design platform for innovation and new capabilities for businesses.

Gelsinger said that Moore's Law and the accelerated pace of Intel innovation are enabling faster and more reliable and secure networking and computing technologies, including PCs that boast a future "system defense" technology.

Demonstrating how the company capitalizes on Moore's Law, Intel previewed its forthcoming Quad-Core Intel Xeon processor 5300 series, products with four processors inside, for workstations and servers, and the Intel Core 2 Extreme quad-core processor for the enthusiast market segment. Available this year, the products are based on the Intel Core microarchitecture and deliver socket compatibility with existing Intel platforms.

The chips will extend technology and performance leadership by delivering up to 50% more performance within the same power envelope than today's dual-core generation. Gelsinger also reiterated that Intel will deliver a power-thrifty 50 watt quad-core server processor next year.

"Today saw the IDF stage awash in a sea of 65 nm silicon as we demonstrated the breadth and depth of our enterprise processor portfolio," said Gelsinger. "We also confirmed our commitment to leading and working with the greater high-tech industry in a number of ways to champion true open industry standards that will bring more and more benefits to businesses of all shapes and sizes."

Intel also revealed plans for more than 50 new SSE4 instructions, extending the Intel 64 instruction set architecture to better take advantage of Intel's next-generation 45 nm silicon manufacturing process and expand the performance and capabilities of Intel Architecture. New products based on the Intel 64 instruction set architecture will first appear next year and benefit a variety of applications, including those involving graphics, video encoding and processing, 3D imaging, gaming, Web servers and application servers.

The company also highlighted several new industry standards initiatives. Intel and IBM have co-developed a specification for a new PCI Express technology, codenamed "Geneseo" that would extend the standard to include co-located hardware on the bus. The goal is to make such tasks as visualization and media processing, math intensive data crunching and content processing faster and more efficient than existing add-in cards or software approaches.

Intel and IBM plan to further collaborate with the PCI-SIG, one of the oldest and most respected open industry standards organizations and the group that maintains PCI and PCI Express specifications. Intel also announced that it will license its front-side bus technology to select vendors.

Gelsinger highlighted how the company has refreshed its entire line-up of dual-core products, including more than 30 new enterprise-class processors for both business PCs and servers, all launched in less than 100 days. Among these is a new family of dual-core Intel Itanium processors designed for the high-end, reduced instruction set computing (RISC)-dominated space. Intel's Itanium processor family continues to gain momentum; worldwide system revenue in the first half of this year grew by nearly 40% compared to the same period last year, according to analyst reports.

Intel also has extended the Intel Xeon processor line, targeting lower-end, single-processor servers typically used for home offices and small businesses with the introduction of the Dual-Core Intel Xeon processor 3000 series, dramatically improving server performance and power efficiency. Intel also launched the latest ultra-dense Dual Core Intel Xeon Processor 5148 that features a low thermal design point of only 40 watts.

For business PCs, Gelsinger disclosed details on the company's next-generation Intel vPro technology that will extend the platform's manageability and security capabilities. Available next year, the platform will include the third generation of Intel Active Management technology, adding support for the new Web Services Management (WS-MAN) standard and new "system defense" features that can slow or stop the spread of viruses and worms. Further bolstering PC security, this next-generation technology will also include for the first time Intel Trusted Execution Technology, formerly codenamed "LaGrande Technology".

Gelsinger also discussed a proposed method for measuring energy-efficient performance (energy efficiency at a given performance level) on the client and encouraged the industry to move toward standardization of methodologies that deliver meaningful results to end users.

Labels:

Outsourced Santa !