<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Checkmate</title>
	<atom:link href="http://niiconsulting.com/checkmate/feed/" rel="self" type="application/rss+xml" />
	<link>http://niiconsulting.com/checkmate</link>
	<description>An Information Security Blog by NII Consulting</description>
	<lastBuildDate>Tue, 23 Feb 2010 05:46:58 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Format Preserving Encryption &#8211; In the guise yet retrievable as it is</title>
		<link>http://niiconsulting.com/checkmate/2010/02/09/format-preserving-encryption-in-the-guise-yet-retreivsble-as-it-is/</link>
		<comments>http://niiconsulting.com/checkmate/2010/02/09/format-preserving-encryption-in-the-guise-yet-retreivsble-as-it-is/#comments</comments>
		<pubDate>Tue, 09 Feb 2010 11:11:02 +0000</pubDate>
		<dc:creator>Khushbu Jithra</dc:creator>
				<category><![CDATA[Research]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Encrypt with format intact]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Format Preserving Encryption]]></category>
		<category><![CDATA[German Data Privacy Law]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[UK Data Privacy Act]]></category>

		<guid isPermaLink="false">http://niiconsulting.com/checkmate/?p=239</guid>
		<description><![CDATA[A recent dive into challenges faced from privacy compliance requirements unearthed an interesting patent. The unearthing of this new patent on the block came from the need of anonymizing data for several reasons including compliance (PCI DSS, German Data Privacy Law [BDSG], UK Data Privacy Act).]]></description>
			<content:encoded><![CDATA[<p>A recent dive into the challenges posed by privacy compliance requirements unearthed an interesting patent. It surfaced while looking for ways to anonymize data for several reasons, including compliance (PCI DSS, German Data Privacy Law [BDSG], UK Data Privacy Act).<span id="more-239"></span></p>
<p>With inputs from experts in the domain here is an overview of this unique encryption technology.</p>
<p><strong>The challenge:</strong><br />
Simply randomizing the data won't help if the data drives a process such as indexing in a database: introducing indexing problems, or destroying the integrity of the data during de-identification, may render it useless for a business application or statistical analysis, even when that process never needs to access the identifiable fields themselves. So, if you need to de-identify or depersonalize data yet still use it, more thought has to go into ensuring both that the process cannot be reversed and that the de-identified data remains usable.</p>
<p>For example, suppose we have two databases, both indexed on a national ID number and containing, say, health records. We need to de-identify the personal data yet retain referential integrity across internal tables, preserve record relationships across the two independent databases, and replace the personal data with values that are still meaningful for analysis but truly de-identified. In that case the de-identification must preserve referential integrity across all the de-identified databases.</p>
<p>What if we need this process to be selectively reversible, for example for an e-discovery request or a specific analysis where real data is needed? Traditionally, data owners would have to keep some kind of mapping table, an ugly solution, as it simply moves the de-identification problem somewhere else.</p>
<p><strong>The solution:</strong><br />
There are some new techniques that permit de-identification of data &#8211; in a secure fashion. Specifically Format Preserving Encryption (FFX/FFSEM mode AES) which can:</p>
<p>* Encrypt/De-identify data without changing length, structure, type, format, referential integrity of data (again optional if this is essential or if de-association of record relationships is actually required) on the fly</p>
<p>* Provide the dual purpose &#8211; de-identification or data protection in place (no database schema changes) or protection of data in live systems with a single technique</p>
<p>* reversible or non reversible by policy</p>
<p>* Supports native mainframe, open systems and legacy out of production systems.</p>
<p>In <a href="http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffsem/ffsem-spec.pdf">this</a> paper on Feistel Finite Set Encryption (FFSEM), the author elaborates on the pseudo-random permutation used in this mode and the security of the construction. The author is quoted, &#8220;In many applications, such as encryption of credit card numbers, it is desirable to encrypt items from an arbitrarily sized set onto that same set. Unfortunately, conventional cipher modes such as ECB, CBC, or CTR are unsuitable for this purpose. Feistel Finite Set Encryption Mode (FFSEM) allows encryption of a value ranging from 0..n with resultant ciphertext in that same range. This mode can be used to encrypt fields where the expansion associated with a block cipher is undesirable or the format of the data must be preserved.&#8221;</p>
<p>An <a href="http://eprint.iacr.org/2009/251">academic paper</a> on the subject summarizes &#8211; &#8220;Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format—for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the “rank-then-encipher” approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.&#8221;</p>
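<p>As an added worked example (not code from the post, the patent, or any vendor), here is the rank-then-encipher idea with cycle walking in Python: a tweakable alternating Feistel network over decimal digit strings, with HMAC-SHA256 standing in for AES as the round function (an assumption made to keep the example dependency-free), and cycle walking to keep a 16-digit card number inside the set of Luhn-valid numbers. The key, tweak and round count are made-up demo values; the tweak binds the permutation to one column, so equal plaintexts in different tables still map to equal ciphertexts and joins keep working.</p>

```python
import hashlib
import hmac

RADIX = 10   # decimal digit strings
ROUNDS = 10  # assumed round count for the alternating Feistel network


def luhn_valid(digits: str) -> bool:
    """Luhn check: the membership test for the 'valid card number' subset."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _round_function(key: bytes, tweak: bytes, rnd: int, half: int, out_len: int) -> int:
    """PRF for one Feistel round. HMAC-SHA256 stands in for AES (assumption);
    the output is reduced mod RADIX**out_len so it fits the half it is added to."""
    msg = tweak + bytes([rnd]) + half.to_bytes(16, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (RADIX ** out_len)


def feistel_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Alternating Feistel permutation on all RADIX**len(digits) digit strings."""
    n = len(digits)
    u, v = n // 2, n - n // 2  # left half has u digits, right half has v
    a, b = int(digits[:u]), int(digits[u:])
    for rnd in range(ROUNDS):
        if rnd % 2 == 0:
            a = (a + _round_function(key, tweak, rnd, b, u)) % RADIX ** u
        else:
            b = (b + _round_function(key, tweak, rnd, a, v)) % RADIX ** v
    return f"{a:0{u}d}{b:0{v}d}"


def feistel_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Undo feistel_encrypt: same rounds in reverse order, subtracting instead."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = int(digits[:u]), int(digits[u:])
    for rnd in reversed(range(ROUNDS)):
        if rnd % 2 == 0:
            a = (a - _round_function(key, tweak, rnd, b, u)) % RADIX ** u
        else:
            b = (b - _round_function(key, tweak, rnd, a, v)) % RADIX ** v
    return f"{a:0{u}d}{b:0{v}d}"


def fpe_encrypt(key: bytes, tweak: bytes, digits: str, in_domain=luhn_valid, max_walk=10000) -> str:
    """Cycle walking: re-apply the full-domain permutation until the result is back
    in the target subset (about 1 in 10 digit strings passes Luhn, so ~10 steps).
    Because each step is a permutation, the walk is itself a permutation of the
    subset, and decryption walks the inverse permutation the same way."""
    if not in_domain(digits):
        raise ValueError("plaintext is not in the target domain")
    out = feistel_encrypt(key, tweak, digits)
    for _ in range(max_walk):
        if in_domain(out):
            return out
        out = feistel_encrypt(key, tweak, out)
    raise RuntimeError("cycle walk did not terminate")


def fpe_decrypt(key: bytes, tweak: bytes, digits: str, in_domain=luhn_valid, max_walk=10000) -> str:
    if not in_domain(digits):
        raise ValueError("ciphertext is not in the target domain")
    out = feistel_decrypt(key, tweak, digits)
    for _ in range(max_walk):
        if in_domain(out):
            return out
        out = feistel_decrypt(key, tweak, out)
    raise RuntimeError("cycle walk did not terminate")


def deidentify_table(key: bytes, tweak: bytes, rows: list, column: str) -> list:
    """Same key and tweak for the same column in every table: equal plaintexts give
    equal ciphertexts, so referential integrity across de-identified tables holds."""
    return [{**row, column: fpe_encrypt(key, tweak, row[column])} for row in rows]


if __name__ == "__main__":
    key = b"constructed demo key - not for production"  # assumed value
    tweak = b"card_number"                               # assumed column tweak
    pan = "4111111111111111"                             # well-known Luhn-valid test number
    ct = fpe_encrypt(key, tweak, pan)
    print(pan, "->", ct, "| Luhn valid:", luhn_valid(ct))
    print("round trip ok:", fpe_decrypt(key, tweak, ct) == pan)
```

The Feistel here only illustrates the structure the papers describe; a deployment should use a vetted FFX/FFSEM implementation with AES as the round function.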
<p>Now the interesting bit&#8230;.is it implemented and is it commercial?<br />
Yes. <a href="http://www.voltage.com/technology/format-preserving-encryption.htm">http://www.voltage.com/technology/format-preserving-encryption.htm</a></p>
<p>Full patent description is available here<br />
<a href="http://www.freshpatents.com/Format-preserving-cryptographic-systems-dt20080717ptan20080170693.php?type=description">http://www.freshpatents.com/Format-preserving-cryptographic-systems-dt20080717ptan20080170693.php?type=description</a></p>
<p>And of course, at first look, Wikipedia also did not help much in understanding it until I had read the background and the two papers</p>
<p><a href="http://en.wikipedia.org/wiki/Format-Preserving_Encryption">http://en.wikipedia.org/wiki/Format-Preserving_Encryption</a></p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2010/02/09/format-preserving-encryption-in-the-guise-yet-retreivsble-as-it-is/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>GeoEdge &#8211; IP Address Locator</title>
		<link>http://niiconsulting.com/checkmate/2010/01/06/geoedge-ip-address-locator/</link>
		<comments>http://niiconsulting.com/checkmate/2010/01/06/geoedge-ip-address-locator/#comments</comments>
		<pubDate>Wed, 06 Jan 2010 12:02:28 +0000</pubDate>
		<dc:creator>Nikhil Wagholikar</dc:creator>
				<category><![CDATA[Fundamentals]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[geoedge]]></category>
		<category><![CDATA[geotools]]></category>
		<category><![CDATA[ip locator]]></category>
		<category><![CDATA[MAP-Quest]]></category>
		<category><![CDATA[maxmind]]></category>
		<category><![CDATA[wikimapia]]></category>

		<guid isPermaLink="false">http://niiconsulting.com/checkmate/?p=192</guid>
		<description><![CDATA[From a forensics point of view, investigating “which user did what on the application/server that led to its compromise” is of the utmost importance. A similar scenario applies to email investigation. It is quite simple these days to find out the IP address of the person who is sending fishy or threatening emails to the victim(s).]]></description>
			<content:encoded><![CDATA[<p><strong>Introduction</strong></p>
<p>Log analysis is one of the most basic yet crucial exercises of any forensics analyst. It involves many aspects of analysis, some of the important ones being:</p>
<ul>
<li>Determining the actions/requests performed by a user/host/IP address</li>
<li>The application's or server's reactions to the user's requests</li>
<li>Finding more information about a particular user/host/IP address that may be performing some extraordinary transactions with the application/server</li>
<li>Application/server performance</li>
<li>Application/server traffic monitoring, e.g. to calculate business growth</li>
</ul>
<p>However, from a forensics point of view, investigating “which user did what on the application/server that led to its compromise” is of the utmost importance. A similar scenario applies to email investigation. It is quite simple these days to find out the IP address of the person who is sending fishy or threatening emails to the victim(s).</p>
<p>Here we discuss the post-investigation aspect of the above and similar scenarios, i.e. what happens once the source IP address (of the attacker) is identified. In this article we discuss a simple tool/script that helps a forensic analyst get the exact location of the source IP address on this very beautiful earth.<br />
<span id="more-192"></span><br />
<strong>Geo-Edge</strong></p>
<p>“geoedge.py” is a small Python utility/script developed by Laramies from “<a href="http://www.edge-security.com/soft/geoedge.py">edge-security.com</a>” to get the exact location of the target host/IP address on earth. This directly helps in finding the physical location from which the attacker carried out the attack.</p>
<p>However, those who do not have a Python interpreter need not worry, since NII Consulting has put in some more effort and made this Python script available in EXE format.</p>
<p>This tool can be downloaded as:</p>
<p>Original Python Version: Download <a href="http://www.edge-security.com/soft/geoedge.py">here</a></p>
<p>EXE Version: Download <a title="GeoEdge EXE version" href="http://www.niiconsulting.com/tools/geoedge.exe" target="_self">here</a></p>
<p>The beauty of this tool is that it queries two sources, <a href="http://www.maxmind.com/">Maxmind</a> and <a href="http://www.geoiptool.com/">geoiptool</a>, to extract information about the given target host or IP address. Hence the likelihood that information about the host or IP address is available and correct is high.</p>
<p><strong>Example</strong></p>
<p>Let’s first have a look at how to use this tool:<br />
<a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/02/Pic1-Usage.jpg" target="_blank"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/02/Pic1-Usage.jpg" alt="" width="593" height="206" /></a></p>
<p>Now we’ll try to locate the physical location of the IP address 64.246.16.151.</p>
<p>So for this, we’ll issue:</p>
<p><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/02/Pic2-Sample.jpg" target="_blank"><br />
<img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/02/Pic2-Sample.jpg" alt="" width="593" height="371" /></a></p>
<p>As we can see, both the sources provided us with correct information about Latitude and Longitude of the target IP Address.</p>
<p>Now what? We have Latitude and Longitude information with us, but which country, which lane, which area this belongs to on earth?</p>
<p>So for this, we’ll refer to online world map available on <a href="http://www.mapquest.com/maps/latlong.adp">MAP-Quest</a> website.</p>
<p>We provide this obtained/derived information about Latitude and Longitude to this website, and find the exact location of this IP Address on earth.</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic3.jpg" alt="" width="586" height="612" /></p>
<p>The physical location of the target host/IP Address is shown using a red star marked on the map. Two kinds of views are available for getting the Latitude and Longitude information.</p>
<p>The first view is the “Street View”, in which we get the nearby street information about the target.</p>
<p><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic4.jpg" target="_blank"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic4.jpg" alt="" width="461" height="277" /></a></p>
<p>Zooming in a little further gives us more information about the target host/IP address.</p>
<p><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic5.jpg" target="_blank"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic5.jpg" alt="" width="461" height="277" /></a></p>
<p>The second view is the “Aerial view”, in which we get to see the exact satellite view of the target host/IP address.</p>
<p><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic6.jpg" target="_blank"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic6.jpg" alt="" width="461" height="277" /></a></p>
<p>Further zoom is available subject to the database availability of MapQuest website.</p>
<p><strong>Conclusion</strong></p>
<p>So from this, we learn that it’s not at all difficult for any forensics analyst to find out the exact physical location of the attacker.</p>
<p>Besides this technique, “GeoTools” available at <a href="http://wikimapia.org/">WikiMapia</a> is also very handy and useful.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2010/01/06/geoedge-ip-address-locator/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacking Microsoft Windows 2003 Server with Microsoft SQL Server 2005</title>
		<link>http://niiconsulting.com/checkmate/2009/12/08/hacking-microsoft-windows-2003-server-with-microsoft-sql-server-2005/</link>
		<comments>http://niiconsulting.com/checkmate/2009/12/08/hacking-microsoft-windows-2003-server-with-microsoft-sql-server-2005/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 05:30:53 +0000</pubDate>
		<dc:creator>Taufiq Ali</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Hacks]]></category>

		<guid isPermaLink="false">http://niiconsulting.com/checkmate/?p=119</guid>
		<description><![CDATA[This post is a complete switch from my previous post on phishing modus operandi. A little background on the hack. I was doing an assessment of a financial application; the objective was to evaluate the security of the complete infrastructure on which the application would be hosted once it went live. As opposed to [...]]]></description>
			<content:encoded><![CDATA[<p>This post is a complete switch from my previous post on phishing modus operandi. A little background on the hack: I was doing an assessment of a financial application; the objective was to evaluate the security of the complete infrastructure on which the application would be hosted once it went live. As opposed to the routine list of findings, this particular hack took the limelight. It was a system compromise with Administrator access to the system. Yeah! </p>
<p><span id="more-119"></span></p>
<p>It was the last day of our assessment; I had a little time on hand before I could wind up for the day. So I thought, why not bash the ‘sa’ account? I opened Microsoft SQL Server 2005 Management Studio and tried some brute forcing of the ‘sa’ account with common passwords, and got errors and disappointments. But this was short lived; it didn't take me more than 7 tries to get the combination right. And that opened my way into the system. </p>
<p>Once I was inside, the next step was to use the stored procedure xp_cmdshell. The &#8220;xp_cmdshell&#8221; extended stored procedure runs operating system commands from within the database engine. You can use the query analyzer or T-SQL code to run the command. Back to the hack: I then open the query analyzer and type the following command</p>
<blockquote><p>
<em>exec xp_cmdshell &#8216;dir C:\&#8217;</em></p></blockquote>
<p>Though I was logged in with the &#8216;sa&#8217; account (the highest privilege account in SQL Server), as expected I get this long error message.</p>
<blockquote><p><em>Msg 15281, Level 16, State 1, Procedure xp_cmdshell, Line 1<br />
SQL Server blocked access to procedure &#8216;sys.xp_cmdshell&#8217; of component &#8216;xp_cmdshell&#8217; because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of &#8216;xp_cmdshell&#8217; by using sp_configure. For more information about enabling &#8216;xp_cmdshell&#8217;, see &#8220;Surface Area Configuration&#8221; in SQL Server Books Online</em></p></blockquote>
<p>In short, the error means I cannot use the xp_cmdshell stored procedure for my hack. Microsoft (MS) has turned this stored procedure OFF in versions above SQL Server 2000 as part of the security configuration. Versions prior to SQL Server 2005 had full access to xp_cmdshell turned ON in the default setup, and hence it was easy to compromise the system. One obvious advantage of disabling xp_cmdshell is that, once a hacker gets access to the SQL server, the system compromise would not become a cakewalk. But let’s check out how you can still do a cakewalk on versions above Microsoft SQL Server 2000. Just a little tricky but easy <img src='http://niiconsulting.com/checkmate/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
<p>If you read the error carefully, it gives out a lot more than it should. Check the last line of the error message: it says xp_cmdshell can be enabled using the &#8220;Surface Area Configuration&#8221;. I Google further and get plenty of articles that tell me how to use the Surface Area Configuration wizard to enable the stored procedure. They would ideally work, but it didn't work for me for whatever reason. If you want to enable xp_cmdshell with the Surface Area Configuration method on your own system, try the following</p>
<blockquote><p>
<em>Goto Microsoft SQL Server 2005<br />
Configuration Tools &gt; SQL Server Surface Area Configuration &gt; Surface Area Configuration for Feature &gt; Expand the SQL server Instance name &gt; Under Database engine goto xp_cmdshell &gt; Check &#8220;Enable xp_cmdshell&#8221; and Apply</em></p></blockquote>
<p>That&#8217;s it, you have now enabled xp_cmdshell on your own box. You can again run the command mentioned above; you should not get any error now. The image below summarizes this</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/12/Enable_xp-cmdshell_local_sys" alt="Enabling xp_cmdshell with 'Surface Area Configuration Wizard' on your own box" /><br />
Fig: Enabling xp_cmdshell using the Surface Area Configuration Wizard</p>
<p>I had to enable xp_cmdshell on the remote system. I open my SQL Server Surface Area Configuration wizard, click on &#8220;Change computer&#8221; and specify the remote system's SQL Server instance name (or IP). It popped up some error. I tried a few times but, phew, it did not work for me. It was time to try something else. I go back and start looking for a command-line way to do the same thing. Again a few searches and I get my results. You can enable xp_cmdshell in 4 simple steps.</p>
<blockquote><p><em>1) EXEC master.dbo.sp_configure &#8216;show advanced options&#8217;, 1 (ONE means ON, ZERO means OFF)<br />
2) RECONFIGURE<br />
3) EXEC master.dbo.sp_configure &#8216;xp_cmdshell&#8217;, 1<br />
4) RECONFIGURE</em></p></blockquote>
<p>sp_configure displays or changes global configuration settings for the current server, and the ‘sa’ account has privileges on this stored procedure. Eh! sp_configure is my key inside the system. So I first enable all the advanced options, then enable xp_cmdshell. The image below shows my ‘xp_cmdshell’ in action on the remote system.</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/12/enable_xp_cmdshell.png" alt="xp_cmdshell in action on victim system" /><br />
Fig: xp_cmdshell in action on victim system</p>
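<p>The defender's counterpart to the steps above, as an added example (not code from the post): a small Python detector that reads SQL Server ERRORLOG-style lines and flags a burst of failed ‘sa’ logins from one client followed by the sp_configure change that turns ‘xp_cmdshell’ on. The sample lines are constructed; their layout and message texts are modeled on SQL Server's ERRORLOG (an assumption, not taken from the post), and the timestamps, spid, client address and thresholds are made up.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in ERRORLOG style (assumed format): seven failed 'sa' logins
# from one client inside a minute, then the two sp_configure changes from the post.
SAMPLE_ERRORLOG = """\
2009-12-08 10:14:02.12 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2009-12-08 10:14:05.30 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2009-12-08 10:14:08.91 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2009-12-08 10:14:12.07 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2009-12-08 10:14:15.44 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2009-12-08 10:14:18.80 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2009-12-08 10:14:22.19 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.10]
2009-12-08 10:14:25.00 Logon       Login succeeded for user 'sa'. Connection: non-trusted. [CLIENT: 192.0.2.10]
2009-12-08 10:15:40.01 spid53      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2009-12-08 10:15:41.17 spid53      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2009-12-08 11:02:13.55 Logon       Login failed for user 'reports'. [CLIENT: 192.0.2.77]
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+(\S+)\s+(.*)$")
FAILED_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")


def parse_errorlog(text: str) -> list:
    """Turn ERRORLOG lines into login-failure and configuration-change events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        source, msg = m.group(2), m.group(3)
        f = FAILED_RE.search(msg)
        if f:
            events.append({"ts": ts, "kind": "login_failed", "user": f.group(1), "client": f.group(2)})
            continue
        c = CONFIG_RE.search(msg)
        if c:
            events.append({"ts": ts, "kind": "config_change", "source": source,
                           "option": c.group(1), "old": int(c.group(2)), "new": int(c.group(3))})
    return events


def detect_login_bursts(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Flag (user, client) pairs with at least `threshold` failures inside any `window`
    (sliding window over the sorted timestamps; threshold and window are assumed)."""
    times = defaultdict(list)
    for ev in events:
        if ev["kind"] == "login_failed":
            times[(ev["user"], ev["client"])].append(ev["ts"])
    alerts = []
    for (user, client), ts_list in times.items():
        ts_list.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"rule": "login_burst", "user": user, "client": client, "count": peak})
    return alerts


def detect_xp_cmdshell_enable(events: list) -> list:
    """Flag sp_configure switching xp_cmdshell from 0 to 1; the preceding
    'show advanced options' change is recorded too, as the weaker precursor."""
    alerts = []
    for ev in events:
        if ev["kind"] == "config_change" and ev["old"] == 0 and ev["new"] == 1:
            if ev["option"] == "xp_cmdshell":
                alerts.append({"rule": "xp_cmdshell_enabled", "source": ev["source"], "ts": ev["ts"]})
            elif ev["option"] == "show advanced options":
                alerts.append({"rule": "advanced_options_enabled", "source": ev["source"], "ts": ev["ts"]})
    return alerts


def run_detections(text: str) -> list:
    events = parse_errorlog(text)
    return detect_login_bursts(events) + detect_xp_cmdshell_enable(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_ERRORLOG):
        print(alert)
```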
<p>Once I had enabled xp_cmdshell, it was time for me to add a user. So I typed the following commands at the query analyzer console,</p>
<blockquote><p><em>1) EXEC xp_cmdshell &#8216;net user pwnsauc3 h3ll0w0rld$ /ADD&#8217;<br />
2) EXEC xp_cmdshell &#8216;net group Administrators pwnsauc3 /ADD&#8217;</em></p></blockquote>
<p>In case the remote Terminal Service is not ON, go to Start &gt; Run and type services.msc. Right-click on the parent node, connect to the remote system's services using the above username and password, and start the Terminal Services. You can now sit and relax; you are a step away from administrator access to the system. Fire up your remote terminal client, type in the IP and log in with the username and password we created. The images below conclude my hack. </p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/12/connecting_to_remote_system.png" alt="Verify the user addition from command line" /><br />
Fig: Verify the user addition from command line</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/12/verifying_user_addition_to_sys.png" alt="Remote terminal to the victim system" /><br />
Fig: Remote terminal to the victim system</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/12/user_added_to_administrators group.png" alt="verifying the user added to Administrators group" /><br />
Fig: Verifying the user added to Administrators group</p>
<p>Adios!<br />
Taufiq Ali</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2009/12/08/hacking-microsoft-windows-2003-server-with-microsoft-sql-server-2005/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Phishy Story</title>
		<link>http://niiconsulting.com/checkmate/2009/11/05/a-phishy-story/</link>
		<comments>http://niiconsulting.com/checkmate/2009/11/05/a-phishy-story/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 12:17:40 +0000</pubDate>
		<dc:creator>Taufiq Ali</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://niiconsulting.com/checkmate/?p=80</guid>
		<description><![CDATA[Phishing sounds similar to fishing, and the analogy holds: internet users are to phishers what fish are to fishermen. Zillions of fish falling prey to the nets is nothing compared to internet users being phished through their own inboxes and messengers. Phishers tend to have some personal favorites &#8211; personal information, credit [...]]]></description>
			<content:encoded><![CDATA[<p>Phishing sounds similar to fishing, and the analogy holds: internet users are to phishers what fish are to fishermen. Zillions of fish falling prey to the nets is nothing compared to internet users being phished through their own inboxes and messengers. Phishers tend to have some personal favorites &#8211; personal information, credit card numbers, debit card numbers with ATM PINs, etc. Though phishing has been around for a long time, it became more prominent back in 2003. You can read more on the big scams <a href="http://www.washingtonpost.com/wp-dyn/articles/A59350-2004Nov18.html">here</a>.</p>
<p>How does it all work?</p>
<p><span id="more-80"></span></p>
<p>
A typical modus operandi:</p>
<p>1)	The phisher would either go out and buy a phishing kit from underground channels or create a look-alike page himself.</p>
<p>2)	He would then need hacked websites or a server where the pages can be hosted. This too can easily be arranged: he would pay or trade for a list of hacked websites on IRC channels, underground forums, etc., which are very common sources for such deals. He could also target systems that are exposed to a particular vulnerability or weakness in the website: a vulnerability in the hosting provider's control panel software, an exploit for a popular CMS like Joomla, a 0-day vulnerability in the web server, etc. A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others, undisclosed to the software vendor, or for which no security fix is available. (ref: <a href="http://en.wikipedia.org/wiki/Zero_day_vulnerability">http://en.wikipedia.org/wiki/Zero_day_vulnerability</a>)</p>
<p>3)	Once the hacked infrastructure is ready, it’s time to spam. They would typically send out emails in large volumes. These emails are crafted to perfection: they carry the company logo, an appealing message, and the same CSS as the company being phished. All this together makes it look perfect. It’s like decorating the devil’s face with cosmetics to make it look innocent, but the devil is still there under that thin layer of cosmetics. The email carries a crafted link whose hyperlink actually points to the website where the pages are hosted.</p>
<p>However, the entire process is a gamble. Some may fall prey to their phish nets while others may not. Over the years, phishing scams have grown from simply stealing accounts into much more dangerous criminal intention. Assuming the user is a prey of the phish net, let us understand the ways in which a phisher can harvest the data of the victim. There are various ways in which this can be done.</p>
<p>1)	The attacker here uses the services of websites that let you send HTML forms embedded in your email. On submitting this HTML form, the phished page redirects you to the legitimate website. This often tricks the user, who doesn’t realize what just happened. The details entered on the form are then emailed to the phisher’s inbox, which is set up to collect them. The most common examples of such forms are seen in internet advertising.</p>
<p>2)	Second, the email is scripted in a way that the user is tempted or forced to visit the copied website. The attacker can also use the tactic mentioned above with services like www.emailmeform.com: the attacker creates an account there and links the entire phished page to that service, which captures the details and emails them to him. This is the most common method used by phishers. The pages are also scripted in server-side languages like PHP, .NET, JSP, etc., so that nothing exposes the modus operandi, the attacker’s identity, or any other details.</p>
<p>3)	The third type is where the phisher uses none of the above and instead writes all the output to a predefined file. This way he needs no email address or anything mentioned above to capture the user details. This is exactly what I am going to write about.</p>
<p>Since I had some time off before I could start with the next takedown, I decided to dig further. Before we begin, let me give you a brief about our service and the client. We offer takedown services to a large public sector bank, with a strict timeline of 24 hours for every takedown. Every time a customer or their monitoring reports a phished page, we have to take down the site to prevent the loss of financial and other details. While doing takedowns I also get a chance to research the modus operandi behind the operation. It is very interesting.</p>
<p>I had just started my day, checking my email over a cup of coffee, when I received a new email on Tue 11/3/2009 10:22 AM about a phished link being up, with the URL, and we needed to immediately start the takedown. The sender also sent me a sample email. We did the usual process and the link was down by noon. Have a look at the sample phishing email. </p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/fraudlent-email-sample1.jpg" alt="" /></p>
<p>The email looks so real. It has the customer’s logo and the perfect login URL. On hovering, I found it was actually pointing to some server in Russia. The page &#8216;retails.html&#8217; simply redirects to the next URL, where the phished page is hosted. Have a look at the closing lines of the email below. The phisher uses a pressure tactic to force the user to browse to the URL.</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/2009-11-04_151209.jpg" alt="" /></p>
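<p>The hover check described above, written out as an added example in Python (not code from the post): it parses an HTML email body, pairs each link’s visible text with its real href, and flags links whose displayed URL names a different host than the href, or whose href points at a bare IP address, as this email did. The email body below is constructed with reserved example domains; the bank in the post is not named and nothing is fetched from the network.</p>

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (reserved example domains): the visible text shows the
# bank's real login URL while the href points at a bare IP, plus a look-alike domain.
SAMPLE_EMAIL_HTML = """
<p>Dear valued customer,</p>
<p>Your internet banking access will be suspended within 24 hours unless you
verify your details at
<a href="http://203.0.113.45/retail/login.php">https://www.examplebank.example/retail/login</a></p>
<p>Need help? Visit <a href="https://www.examplebank.example/help">our help centre</a>.</p>
<p><a href="http://www.examplebank.example.account-verify.invalid/login">www.examplebank.example</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect each <a> tag's href together with its visible text."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"href": dict(attrs).get("href") or "", "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.anchors.append(self._current)
            self._current = None


# Visible text that a reader would take for a URL: a scheme or a leading "www."
URL_TEXT_RE = re.compile(r"^(?:https?://|www\.)\S+$", re.IGNORECASE)


def host_of(url_like: str) -> str:
    """Hostname of a URL; bare 'www.example' text is treated as a URL as well."""
    value = url_like.strip()
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_deceptive_links(html: str) -> list:
    """Return the anchors whose displayed URL and real href disagree on host,
    or whose href goes to a bare IP address, with the reasons for each."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for anchor in parser.anchors:
        reasons = []
        href_host = host_of(anchor["href"])
        # The "hover" check: link text that looks like a URL must agree with the href's host.
        if URL_TEXT_RE.match(anchor["text"]) and host_of(anchor["text"]) != href_host:
            reasons.append("display_host_mismatch")
        # A bank does not serve its login page from a bare IP address.
        if is_ip_literal(href_host):
            reasons.append("ip_literal_host")
        if reasons:
            findings.append({"href": anchor["href"], "text": anchor["text"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(finding)
```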
<p>Ok I now click and I am now redirected to the URL http://200.119.X.X/retail/login.php. The page looks like this</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/login-page.jpg" alt="" /></p>
<p>I then enter some fake details on this page and press the Enter key. I am now redirected to another page called &#8216;accounts.php&#8217; on the same domain. I quickly check the HTML source code (view source) of the page for the &lt;form&gt; tag. This is where I would see where the page goes on hitting &#8216;submit&#8217;. I am now redirected to another page hosted on a hacked domain, hxxp://stirileprotv.fnhost.org/bi/ib.php</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/2009-11-04_151925.jpg" alt="" /></p>
<p>I go a level up from the URL hxxp://200.119.X.X/retail/login.php and now I see a directory listing. I see 2 files under the retail folder, namely &#8216;login.php&#8217; and &#8216;accounts.php&#8217;. Directory listing has been common in all my takedowns; they don’t really care about it. What I also observed at the bottom of the &#8216;accounts.php&#8217; page is more interesting: the page has an IFRAME with src pointing to <a href="http://statanalyze.cn/lib/index.php">http://statanalyze.cn/lib/index.php</a>. This is some malware getting downloaded onto the victim’s system. </p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/2009-11-04_124018_malware.jpg" alt="" /></p>
<p>My antivirus immediately pops up an alert that malware is being downloaded, and blocks it. Coming back to &#8216;accounts.php&#8217;, it asks for my name, email address, credit card number, ATM PIN and expiration date. On entering some fake details I am redirected to a third domain, hxxp://stirileprotv.fnhost.org/bi/ib.php, and from &#8216;ib.php&#8217; it redirects me to the legitimate page of my client’s website. I have changed that to hxxp://www.google.com in the code snippet. Aren’t these guys sick of so many redirections? Not really; they have a smart modus operandi. They don’t use one domain to complete their operation.</p>
<p>I again go a level up on <a href="http://stirileprotv.fnhost.org/bi/ib.php">http://stirileprotv.fnhost.org/bi/ib.php</a>. What I happen to find is even more interesting. It had a page &#8216;ib.php&#8217; under the ib folder and a .txt file. When I tried accessing the file, what I found was the actual account details of the people who had fallen prey to the trick: their usernames, credit card numbers, internet banking IDs and passwords. Check the file snippet below</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/2009-11-05_113230.jpg" alt="" /> </p>
<p>I then contact the client to freeze the accounts and get in touch with the hosting providers. I make sure I ask the hosting providers to provide me with the pages, as they aid my research in understanding the various modus operandi out on the pr0wl. Most of the time they don&#8217;t give the pages, but this time I was lucky: the tech support guys actually emailed me the contents of the ib folder. Have a look at the PHP code.</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/the-actual-code.jpg" alt="" /></p>
<p>Let me explain the code in brief. It opens a stream to a file called x-account-all.txt and then captures the POST variables sent from the page http://200.119.X.X/retail/accounts.php. The following table explains what each variable means.</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/table.jpg" alt="" /></p>
<p>I thought that was it. I was done with my research. I relaxed a bit and stretched my arms. But hold on, readers: I recollect that the website was also vulnerable to IFRAME injection. No more research on this malware for me; I have a colleague who enjoys this, so I will send it to him. Till he comes up with his analysis, there are some who have already done it. Check the links below.</p>
<p><a href="http://wepawet.iseclab.org/view.php?hash=363c95666cf1e80072656c7b562c4dbb&amp;type=js">http://wepawet.iseclab.org/view.php?hash=363c95666cf1e80072656c7b562c4dbb&amp;type=js</a> </p>
<p><a href="http://anubis.iseclab.org/?action=result&amp;task_id=1c109b3e2cc07d1f49168943cc884e1d2">http://anubis.iseclab.org/?action=result&amp;task_id=1c109b3e2cc07d1f49168943cc884e1d2</a></p>
<p><a href="http://www.virustotal.com/analisis/837508d65acc78ec684c0d7a907bea7f49ce223052a18a076240018fc61a0d7f-1257141946">http://www.virustotal.com/analisis/837508d65acc78ec684c0d7a907bea7f49ce223052a18a076240018fc61a0d7f-1257141946</a></p>
<p>I was still way too itchy to pull down a full stop. I picked some arbitrary entries from the file and picked the &#8216;ea&#8217; and &#8216;bb&#8217; fields. Why only them? (I got this particular combination after trying out a few.) I was able to log in to the Yahoo accounts of the victim since the password used was the same for both accounts. I then checked the spam box and found the email that the victim had received. There were similar emails and, to my surprise, I found another URL hosting the phished page. OK guys, that&#8217;s it, I need to get back to my next takedown immediately. Oh! By the way, this time it is some Windows 2003 server behind some ADSL router running the phished page on a XAMPP server. I did RDP to the box; 3389 was found open. I will come back if I find something more interesting.</p>
<p>All the details in this post have been changed or renamed to protect the real identity of our client.</p>
<p>Adios!<br />
Taufiq Ali</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2009/11/05/a-phishy-story/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Deobfuscating Javascript Malware</title>
		<link>http://niiconsulting.com/checkmate/2009/10/01/deobfuscating-javascript-malware/</link>
		<comments>http://niiconsulting.com/checkmate/2009/10/01/deobfuscating-javascript-malware/#comments</comments>
		<pubDate>Thu, 01 Oct 2009 11:20:32 +0000</pubDate>
		<dc:creator>Wasim Halani</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Malware Analysis]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[javascript deobfuscation]]></category>
		<category><![CDATA[javascript malware]]></category>

		<guid isPermaLink="false">http://niiconsulting.com/checkmate/?p=62</guid>
		<description><![CDATA[Some days back I was greeted by a Google Safe Browsing warning when I tried visiting a &#8216;known&#8217; site. As I was sure it was supposed to be a clean and harmless site, I thought it would be good to dig further into this problem. The trail led to interesting amounts of code, concepts and techniques.
Malware [...]]]></description>
			<content:encoded><![CDATA[<p>Some days back I was greeted by a Google Safe Browsing warning when I tried visiting a &#8216;known&#8217; site. As I was sure it was supposed to be a clean and harmless site, I thought it would be good to dig further into this problem. The trail led to interesting amounts of code, concepts and techniques.</p>
<p>Malware writers are very smart nowadays (haven&#8217;t they always been?). They know that once their code is understood it is most likely to be detected by anti-malware applications. To delay detection by such applications, they resort to a wide range of techniques. In this blog post I&#8217;ll be discussing the most potent and easily created malware.</p>
<p>JavaScript has become the boon and bane of the Internet. It provides greater interactivity with the user but can also be used by malware writers to infect innocent users. JavaScript is a client-side scripting technology, which means the processing of the script is handled by the user&#8217;s browser.</p>
<blockquote><p><strong><em>Obfuscation is the concealment of intended meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret.</em></strong></p></blockquote>
<p><span id="more-62"></span></p>
<p>JavaScript is sometimes obfuscated to prevent users from easily understanding its functionality (a legitimate use is to deter theft of code).</p>
<p>There may be many ways to obfuscate code and similarly there may be multiple ways to de-obfuscate it. What I&#8217;ve presented below is very raw and cannot be used to analyze many malicious JS samples. But since this is the beginning for me, I thought it may help others too.</p>
<p><strong>Disclaimer: Links presented below are live at the time of writing this blog post. Please do not visit them if you do not know what you are getting into.<br />
</strong></p>
<p>First things first, we need to get the HTML source of the malicious page. We can either use wget/curl or <a href="http://malzilla.sourceforge.net/">Malzilla</a>, which is what I used. It was observed that this page is dependent on the HTTP referrer: if the domain receives a request for the page without a &#8216;valid&#8217; HTTP referrer, the page is not returned.<br />
We get the &#8216;bad&#8217; HTML at http://mybetorwager.cn:8080/index.php with a valid HTTP referrer.</p>
<p>The complete HTML source can be viewed <a href="http://docs.google.com/View?id=dctvmpj6_28f9pwcrhd"><strong>here</strong></a> </p>
<p>The code starts off with the following in the SCRIPT tag.</p>
<blockquote><p><strong>Vhotzdq(function(p,a,c,k,e,d)</strong></p></blockquote>
<p>This section of the code shows that the JavaScript has been packed by the popular <a href="http://dean.edwards.name/packer/">Dean Edwards JS Packer</a>. This packer is available online as well as in <a href="http://dean.edwards.name/download/#packer">downloadable formats</a>. We use a GreaseMonkey script &#8220;<a href="http://userscripts.org/scripts/show/25935">Decode It!</a>&#8221; to enable the online &#8216;<em>Decoder</em>&#8217; on the webpage.<br />
We paste the code from Vhotzdq(function(p,a,c,k,e,d) onwards till the end and <strong>rename the function name Vhotzdq to eval</strong>. This will help us decode and evaluate the result. The output can be found <a href="http://docs.google.com/View?id=dctvmpj6_29hgzk3tdr"><strong>here</strong></a></p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<p><strong>Update</strong><em><br />
It seems Dean Edwards has coded an UNPACKER as well. It can be accessed at <a href="http://dean.edwards.name/unpacker/">http://dean.edwards.name/unpacker/</a>. If using this tool, simply <strong>replace Vhotzdq with eval</strong> and run the script. No additional GreaseMonkey scripts are necessary :-)<br />
</em></p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<div id="attachment_82" class="wp-caption alignnone" style="width: 610px"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/10/js_unpack_1.jpg" alt="Fig: Unpacked Javascript using Dean Edwards Packer" title="Unpacked Javascript using Dean Edwards Packer" width="600" height="178" class="size-full wp-image-82" /><p class="wp-caption-text">Fig: Unpacked Javascript using Dean Edwards Packer</p></div>
<p>As can be seen above, we need to unescape the code to get the decoded output. This can be done in multiple ways:</p>
<ul>
<li>Replace <em>Vhotzdq </em>as <em>eval</em>, and execute the script</li>
<li>Use the Malzilla decoder feature &#8220;Decode UCS2 (%u)&#8221;</li>
<li>Use an online encoder/decoder like <a href="http://www.yehg.net/encoding/">PHP Charset Encoder/PHP String Encrypter</a></li>
</ul>
<div id="attachment_83" class="wp-caption aligncenter" style="width: 610px"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/10/js_decoded-php-charset-1.jpg?w=600" alt="Fig: Using the &#39;unescape&#39; feature provided by PHP Charset Encoder" title="Using the &#39;unescape&#39; feature provided by PHP Charset Encoder" width="600" height="315" class="size-full wp-image-83" /><p class="wp-caption-text">Fig: Using the 'unescape' feature provided by PHP Charset Encoder</p></div>
<p>The decoded output of the above step can be found <a href="http://docs.google.com/View?id=dctvmpj6_30dd9nvgdk"><strong>here</strong></a></p>
<p>Now the code is in a more human-readable format. To further complicate analysis, the malware authors have applied small amounts of string manipulation to the code. Also, the variable names have been obfuscated or mangled. This will not pose a problem to us, as the variables can be renamed freely.</p>
<blockquote><p><em>Note that there exists a certain amount of code-block which is still encoded. Another <a href="http://wepawet.iseclab.org/view.php?hash=835f950f74bbdaebab4e91a28c73d1d8&amp;t=1250389682&amp;type=js">malware analysis</a> shows this section as the Shellcode. I will update this as I get more information on how to decode it.</em></p></blockquote>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<p><strong>Update</strong><em><br />
OK, it turns out that the segment was indeed the shellcode. Using the Malzilla tool we concatenate the variable &#8220;<strong>var unf57UBnT</strong>&#8221;.<br />
This presents us with an encoding which seems to be UCS2. Next, we can either use Malzilla to convert UCS2 to Hex (which does not provide reliable results) or use a shellcode to EXE converter available at <a href="http://sandsprite.com/shellcode_2_exe.php">http://sandsprite.com/shellcode_2_exe.php</a>.</em></p>
<div id="attachment_96" class="wp-caption aligncenter" style="width: 463px"><a href="http://sandsprite.com/shellcode_2_exe.php"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/10/shellcode-2-exe_2.jpg" alt="Fig: ShellCode 2 EXE" title="ShellCode 2 EXE" width="453" height="518" class="size-full wp-image-96" /></a><p class="wp-caption-text">Fig: ShellCode 2 EXE</p></div>
<p><em>Once we obtain the EXE from the shellcode, we can analyze this executable in a tool called <a href="http://www.webwasher.de/download/fileinsight/"><strong>FileInsight</strong>, developed by McAfee Labs</a>. Below is a snapshot of the FileInsight analysis output which shows the malicious URL.</em></p>
<div id="attachment_97" class="wp-caption aligncenter" style="width: 610px"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/10/fileinsight-2.jpg" alt="Fig: FileInsight - Shellcode.exe analysis" title="FileInsight - Shellcode.exe analysis" width="600" height="420" class="size-full wp-image-97" /><p class="wp-caption-text">Fig: FileInsight - Shellcode.exe analysis</p></div>
<p><em>URLMON.DLL is a system DLL commonly used by malware to download files from online locations.</em></p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
The next step is to execute the &#8216;replace&#8217; functions, which use Regular Expressions, to clean out the manipulated code.<br />
As an example, below is the line of code that we currently have in our decoded output.</p>
<blockquote><p>rqeqG6Spq.setAttribute('i#)@d!'.replace(/\(|\!|&amp;|\$|@|\^|\)|#/ig, ''),rqeqG6Spq);</p></blockquote>
<p>Let&#8217;s take this code in detail:</p>
<table>
<tr>
<td><strong>rqeqG6Spq</strong></td>
<td>&#8211;&gt;</td>
<td>declared variable</td>
</tr>
<tr>
<td><strong>setAttribute</strong></td>
<td>&#8211;&gt;</td>
<td>a method of the object rqeqG6Spq</td>
</tr>
<tr>
<td><strong>/\(|\!|&amp;|\$|@|\^|\)|#/ig</strong></td>
<td>&#8211;&gt;</td>
<td>Regular Expression</td>
</tr>
<tr>
<td colspan="3">
(In JavaScript, a regex pattern is defined between <strong>/.../</strong>.<br />
&#8216;<strong>g</strong>&#8217; indicates <em>Global Match</em> and &#8216;<strong>i</strong>&#8217; is for <em>Case-Insensitive</em> search)
</td>
</tr>
<tr>
<td><strong>.replace()</strong></td>
<td>&#8211;&gt;</td>
<td>a JavaScript string manipulation function, which runs the regex on the string <strong>'i#)@d!'</strong> and substitutes each match with the empty string</td>
</tr>
</table>
<p>After executing the replace() function, the output would look like this:</p>
<blockquote><p><em>rqeqG6Spq.setAttribute('id',rqeqG6Spq);</em></p></blockquote>
<p>Similar replace operations are performed at all other places, till we get the final output as shown <a href="http://docs.google.com/View?id=dctvmpj6_32fhwmwdfz">here</a></p>
<p><strong>NOTE: Your Anti-Malware may issue an alert when you try to visit the above link. I have modified the malicious URL a bit so the script won&#8217;t move ahead.</strong></p>
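<p>The unescape step and the replace() folding described above, done statically in Node.js. This is an added example, not code from the original post: the input line is constructed from the line discussed above, and the functions <code>decodeEscapes</code>, <code>foldReplaceCalls</code> and <code>foldAll</code> are this example's own names. It generalises the single replace() shown above to any <code>'literal'.replace(/regex/flags, 'literal')</code> call in the decoded text, including chained ones, without ever evaluating the script.</p>

```javascript
// Added example (not from the original post): static clean-up passes that redo
// the manual unescape and replace() steps as plain string rewriting, so the
// sample is never executed.
'use strict';

// Pass 1: decode "%uXXXX" (UTF-16 code unit) and "%XX" (single byte) escapes,
// the same thing Malzilla's "Decode UCS2 (%u)" or an online unescape does.
function decodeEscapes(text) {
  return text
    .replace(/%u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Pass 2: fold 'literal'.replace(/regex/flags, 'literal') into the string it
// produces. Both the receiver and the replacement must be plain single-quoted
// literals, so nothing dynamic is evaluated; anything else is left alone for
// manual review.
const FOLD_RE =
  /'((?:[^'\\]|\\.)*)'\.replace\(\/((?:[^\/\\]|\\.)+)\/([gimsuy]*),\s*'((?:[^'\\]|\\.)*)'\)/g;

function unquote(body) { return body.replace(/\\(.)/g, '$1'); }              // literal body -> value
function quote(value) { return "'" + value.replace(/[\\']/g, '\\$&') + "'"; } // value -> literal

function foldReplaceCalls(code) {
  return code.replace(FOLD_RE, (whole, body, pattern, flags, repl) => {
    let re;
    try { re = new RegExp(pattern, flags); } catch (err) { return whole; } // unparsable: keep as-is
    return quote(unquote(body).replace(re, unquote(repl)));
  });
}

// Folding one call can expose the next in a chain ('x'.replace(...).replace(...)),
// so iterate until the text stops changing.
function foldAll(code) {
  let prev;
  do { prev = code; code = foldReplaceCalls(code); } while (code !== prev);
  return code;
}

// Constructed input: the line discussed above, as it appears in the decoded output.
const LINE = "rqeqG6Spq.setAttribute('i#)@d!'.replace(/\\(|\\!|&|\\$|@|\\^|\\)|#/ig, ''),rqeqG6Spq);";
console.log(foldAll(LINE));                    // rqeqG6Spq.setAttribute('id',rqeqG6Spq);
console.log(decodeEscapes('%u0061%u006C%65rt')); // alert
```

<p>Keeping the fold to string literals is deliberate: a receiver that is an expression (a variable, a function call) would need evaluation, and leaving it untouched is what flags it for a closer look.</p>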
<p>We are now at a stage where we can make a few observations on what the JavaScript does and how it works.<br />
The original malicious domain is found to be <strong>http://3c8.ru:8080/welcome.php</strong>. This domain serves the malware payload.<br />
The script tries to exploit a vulnerability in ActiveX which allows it to download and execute a malicious binary.<br />
I haven&#8217;t had the chance to go deeper into the execution of the malware, but once I get the time, I&#8217;ll look into analyzing the binary as well.</p>
<p>Before I end this long post, just a quick note that to automate this entire process, we can use an online tool called <strong><em><a href="http://wepawet.iseclab.org/index.php">wepawet</a></em></strong>, which is a service for detecting and analyzing web-based malware. It currently handles Flash and JavaScript files.<br />
You can find the result of the analysis of our malicious page at <a href="http://wepawet.iseclab.org/view.php?hash=07fc283602731721a97f196c3ab19092&amp;type=js">http://wepawet.iseclab.org/view.php?hash=07fc283602731721a97f196c3ab19092&amp;type=js</a><br />
It provides for a comprehensive analysis. </p>
<p>Also, do check out the VirusTotal scan results for the obfuscated and deobfuscated Javascript<br />
<a href="http://www.virustotal.com/analisis/2cd3069c412cac7b1159d20070503ee91238f1e4682a5b90b003b29a569c9291-1251527312">Obfuscated Detection rate is 2/41</a><br />
<a href="http://www.virustotal.com/analisis/218209456d7c0dc654596eab91b8cf0127dbbe1642eef9f56a3366021835d504-1251527404">De-obfuscated Detection rate is 14/41</a></p>
<p>I guess that&#8217;s it. Hope you liked this basic tutorial. Do leave your feedback in the comments section below.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2009/10/01/deobfuscating-javascript-malware/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>SQL Injection in Stored Procedure &amp; Preventing from the same</title>
		<link>http://niiconsulting.com/checkmate/2009/09/30/sql-injection-stored-procedure-prevention/</link>
		<comments>http://niiconsulting.com/checkmate/2009/09/30/sql-injection-stored-procedure-prevention/#comments</comments>
		<pubDate>Wed, 30 Sep 2009 10:03:51 +0000</pubDate>
		<dc:creator>Dhiraj Ranka</dc:creator>
				<category><![CDATA[Secure Coding]]></category>
		<category><![CDATA[Sql Injection]]></category>
		<category><![CDATA[stored procedures]]></category>

		<guid isPermaLink="false">http://niiconsulting.com/checkmate/?p=58</guid>
		<description><![CDATA[Following is a small example of creating a stored procedure.
====================================================================
CREATE PROC sp_login (@loginid nvarchar(25), @password nvarchar(25))
AS
DECLARE @SQLString NVARCHAR(500)
/* Build the SQL string once. */
SET @SQLString = 'SELECT * FROM cust_users WHERE login_id = ' + '''' + @loginid + '''' + ' AND password = ' + '''' + @password + ''''
EXECUTE sp_executesql @SQLString

====================================================================
Your ASP.NET code would look like this:
oCmd.CommandText = "sp_login";
oCmd.CommandType = CommandType.StoredProcedure;
oCmd.Parameters.Add( [...]]]></description>
			<content:encoded><![CDATA[<p>Following is a small example of creating a stored procedure.</p>
<p>====================================================================</p>
<p>CREATE PROC sp_login (@loginid nvarchar(25), @password nvarchar(25))<br />
AS<br />
/* sp_executesql requires an NVARCHAR statement; the procedure parameters are used directly (a parameter cannot be re-declared). */<br />
DECLARE @SQLString NVARCHAR(500)</p>
<p>/* Build the SQL string once. */</p>
<p>SET @SQLString = 'SELECT * FROM cust_users WHERE login_id = ' + '''' + @loginid + '''' + ' AND password = ' + '''' + @password + ''''</p>
<p>EXECUTE sp_executesql @SQLString<br />
<span id="more-58"></span><br />
====================================================================</p>
<p>Your ASP.NET code would look like this:</p>
<p>oCmd.CommandText = "sp_login";<br />
oCmd.CommandType = CommandType.StoredProcedure;<br />
oCmd.Parameters.Add("@loginid", strUserName);<br />
oCmd.Parameters.Add("@password", strPassword);<br />
oCon.Open();<br />
string result = (string)oCmd.ExecuteScalar();<br />
oCon.Close();</p>
<p>====================================================================</p>
<p>If the user input is as follows:<br />
loginId = ' OR 1=1 --<br />
password = junk</p>
<p>SQL injection will not work and ASP.NET will throw an exception:</p>
<p>"Unclosed quotation mark after the character string ' OR 1=1 -- and password=junk'.<br />
Incorrect syntax near ' OR 1=1 -- and password=junk'."</p>
<p>In this case you can use</p>
<p><strong>loginID = '' OR 1=1--</strong></p>
<p>password = junk</p>
<p>Two single quotes are used to complete the WHERE clause with a null condition, and OR is used to make the condition always true.</p>
<p>If you use <strong><em>sp_executesql</em></strong> this way, it will definitely lead to SQL injection.</p>
<p>See more on this <a href="http://msdn.microsoft.com/en-us/library/ms188001.aspx">http://msdn.microsoft.com/en-us/library/ms188001.aspx</a></p>
<p><strong>Solution :</strong></p>
<p>Instead, one should pass the parameters directly to the stored procedure one has created:</p>
<p><strong>exec sp_login 'param1', 'param2'</strong></p>
<p>param1 &#8211; the loginID</p>
<p>param2 &#8211; the password</p>
<p>And your stored procedure would look like this, i.e. without <strong><em>sp_executesql</em></strong>:</p>
<p>====================================================================</p>
<p>CREATE PROC sp_login</p>
<p>@loginid VARCHAR(64),<br />
@password VARCHAR(64)</p>
<p>AS</p>
<p>BEGIN<br />
SELECT * FROM cust_users WHERE login_id=@loginid AND password=@password<br />
END</p>
<p>====================================================================</p>
<p><strong>This will avoid the possible SQL Injection</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2009/09/30/sql-injection-stored-procedure-prevention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Concurrent RDP connections hack &#8211; XP</title>
		<link>http://niiconsulting.com/checkmate/2009/03/26/concurrent-rdp-connections-hack-xp/</link>
		<comments>http://niiconsulting.com/checkmate/2009/03/26/concurrent-rdp-connections-hack-xp/#comments</comments>
		<pubDate>Thu, 26 Mar 2009 16:56:57 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Fundamentals]]></category>
		<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Network Forensics]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2009/03/concurrent-rdp-connections-hack-xp/</guid>
		<description><![CDATA[by Toufiq Ali, NII Consulting
Before you read further make sure you back up all the original settings of the registry or create a restore point of your system. I assume the reader knows what Windows Terminal Services is. If not, please refer to http://en.wikipedia.org/wiki/Terminal_Services
In Windows XP when a remote user tries to connect [...]]]></description>
			<content:encoded><![CDATA[<p><strong>by Toufiq Ali, <a href="http://www.niiconsulting.com//">NII Consulting</a></strong><br />
Before you read further make sure you back up all the original settings of the registry or create a restore point of your system. I assume the reader knows what Windows Terminal Services is. If not, please refer to http://en.wikipedia.org/wiki/Terminal_Services</p>
<p>In Windows XP, when a remote user connects using the Remote Desktop Connection (RDC) client, the local user is forcefully disconnected from his current session. RDC, unlike Terminal Services in Windows 2000, Server 2003 and Server 2008, is designed for only one session at a time. This post aims to bring the multiple-user login functionality of Terminal Services on Windows Server 2000, Windows Server 2003 etc. to Windows XP. This would be very useful in environments where the network admin often troubleshoots problems on the network using RDC.</p>
<p>Keep reading as the hack unfolds to enable concurrent remote desktop connection sessions support in Windows XP using the following patched files.<span id="more-52"></span></p>
<ol>
<li>Download files.zip from the link given below on the system where you want to enable concurrent RDC connections.</li>
</ol>
<p><a target="_blank" title="Clikc here to download" href="http://www.niiconsulting.com/checkmate/wp-content/uploads/2009/03/files.zip">Download files.zip</a><br />
Windows XP SP1 and SP2: Windows XP RTM, SP1 and SP2.zip</p>
<p>Windows XP SP2: Windows XP SP2.zip</p>
<p>Windows XP SP3: Windows XP SP3.zip</p>
<p>Before you go ahead further, you should be in safe mode (press F8 during boot up). If you don&#8217;t want to prolong your wait to see this work:</p>
<p>1. Go to &#8216;Start&#8217; > &#8216;Run&#8217; and type services.msc.<br />
2. Right click on Terminal Services &#038; go to Properties.<br />
3. From the startup type drop down choose Disabled, or simply stop the service.<br />
4. Click on Apply or OK &#038; exit services.msc.</p>
<p>2. Go to %windir%\System32 &#038; rename termsrv.dll to anything that you can remember.<br />
3. Go to %windir%\System32\dllcache &#038; rename termsrv.dll.</p>
<p>4. Copy the downloaded termsrv.dll in the following two locations<br />
1. to %windir%\System32<br />
2. %windir%\System32\dllcache.</p>
<p>Note: when you copy the files Windows will pop up the Windows File Protection dialog box. Click the cancel button &#038; then Yes to keep this copy of the patched file.</p>
<p>5. Now, download and run the concurrent_sessions.bat file. Click yes to add these values to the registry or you can run Registry Editor to manually add the following registry value:</p>
<p>[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core]<br />
"EnableConcurrentSessions"=dword:00000001</p>
<p>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]<br />
"EnableConcurrentSessions"=dword:00000001</p>
<p>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]<br />
"AllowMultipleTSSessions"=dword:00000001</p>
<p>6. Click on Start Menu -> Run command and type gpedit.msc,</p>
<p>7. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services.</p>
<p>8. Enable Limit Number of Connections and set the number of connections to the number of concurrent sessions you want to allow.</p>
<p>9. Restart the terminal services on that system again. Also enable Remote Desktop from the System Properties’ Remote tab &#038; check for Allow users to connect remotely to this computer.</p>
<p>10. Turn on Fast User Switching in Control Panel -> User Accounts -> Change the way users log on or off.</p>
<p>11. Restart the computer normally.</p>
<p>If the Windows XP computer is connected to a domain, every time you restart the computer Windows will set the value of the registry key "AllowMultipleTSSessions" to "0". To ensure that multiple or unlimited Remote Desktop connection sessions are allowed in an AD domain environment, the value data for "AllowMultipleTSSessions" has to be set to "1" on system startup. To change the value, run concurrent_sessions.bat every time the computer is started, or put concurrent_sessions.bat in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder.</p>
<p>Service Pack 2 (SP2) for Microsoft Windows XP introduced a feature that limits concurrent TCP connection attempts to 10 per second. In Service Pack 1 or without a service pack, there is no limit on concurrent TCP connection attempts. So if you have set the value of "Limit Number of Connections" in step 8 greater than 10 and you happen to run SP2, you need to apply the patch to override the maximum limit. You can download the file from the following link.</p>
<p>Just for your information, on disassembling the original &#038; patched file the following hex bytes were found to have been changed:</p>
<p>00022A17: 74 75<br />
00022A69: 7F 90<br />
00022A6A: 16 90</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2009/03/26/concurrent-rdp-connections-hack-xp/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Infosec Scenario in 2009</title>
		<link>http://niiconsulting.com/checkmate/2009/01/01/infosec-scenario-in-2009/</link>
		<comments>http://niiconsulting.com/checkmate/2009/01/01/infosec-scenario-in-2009/#comments</comments>
		<pubDate>Thu, 01 Jan 2009 09:58:06 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Forensics]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2009/01/infosec-scenario-in-2009/</guid>
		<description><![CDATA[1. Business continuity to get focus over disaster recovery
BCM is a process issue related to building the framework to increase business resiliency and restoration capability, while DR is about building redundancy through infrastructure investments. It is quite likely that new DR site investments might happen fewer than they did in 2008. But I would not [...]]]></description>
			<content:encoded><![CDATA[<p><strong>1. Business continuity to get focus over disaster recovery</strong><br />
BCM is a process issue related to building the framework to increase business resiliency and restoration capability, while DR is about building redundancy through infrastructure investments. It is quite likely that new DR site investments will be fewer than they were in 2008. But I would not advise cutting down on building your BCM capability &#8211; even if you are an SME. Each one of your people does need to know what needs to be done when things begin to fail. This does not require huge amounts of investment, but does require common sense, risk assessment, and regular training and awareness.<br />
<u>Counter:</u> Focus on an effective Business Continuity Plan that takes into account at least the following &#8211; fire, ISP failure, transportation link failure, and yes a terrorist attack as well.<br />
<strong>2. Capital expenditure on security technologies likely to be hit</strong><br />
This is one area that has seen the biggest hit and is likely to continue feeling the impact with new investments simply not happening. So fewer firewall upgrades, fewer adoptions of recently introduced solutions such as Data Leakage Prevention (DLP), Network Access Control (NAC), and others.<br />
<u>Counter:</u> Really look for ROI on your capital expenditure on security technologies.<span id="more-51"></span><br />
<strong>3. Focus on regulatory compliance to increase</strong><br />
Make sure you know very clearly what your responsibilities are towards data protection &#8211; not only for the specific industry you are in &#8211; but also for the countries that you do business in. I&#8217;ll soon be releasing a write-up on the Indian IT Act, and the new amendments recently pushed through in the Parliament, and what these mean for every individual and every business. Essentially, even if you are not ISO 27001 compliant or PCI DSS regulated, you are still very much legally liable to ensure due diligence to protect your customer&#8217;s data.<br />
<u>Counter:</u> While cutting budgets on infosec is fine, don&#8217;t end up putting the existence of your business at risk due to negligence towards data protection.<br />
<strong>4. Scareware, Social Networking Attacks, Phishing, and others</strong><br />
While Phishing attacks rose quite a bit in 2008, it is quite likely they will become more prevalent, more insidious and a huge pain in the wrong places in 2009. Combined with Scareware tactics (<a href="http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/">http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/</a>), exploitation of social networking sites (<a href="http://www.internetnews.com/security/article.php/3789496">http://www.internetnews.com/security/article.php/3789496</a> and <a href="http://news.cnet.com/8301-1009_3-10078353-83.html">http://news.cnet.com/8301-1009_3-10078353-83.html</a>), and even Google (<a href="http://go.theregister.com/feed/www.theregister.co.uk/2008/12/30/google_calendar_phish/">http://go.theregister.com/feed/www.theregister.co.uk/2008/12/30/google_calendar_phish/</a> and <a href="http://blogs.zdnet.com/Google/?p=1053">http://blogs.zdnet.com/Google/?p=1053</a>) is going to ensure attacks are highly smart, effective, and definitely lucrative for the attackers.<br />
<u>Counter:</u> Focus on awareness, not just within your organizations but also within your families and communities.<br />
<strong>5. Computer fraud may rise &#8211; a lot</strong><br />
Today attackers are not concerned with releasing the latest virus onto unsuspecting Internet users. Do we even remember how long ago it was when CodeRed or Slammer hit us bad? Attackers today &#8211; both external and internal &#8211; have one simple agenda &#8211; making as much money as they can within as short a time as possible. We&#8217;re already seeing SAP, Oracle Apps, and business applications becoming the most lucrative target of fraudsters. All they need is the knowledge (if you&#8217;re working with 2-3 years on the same system you know its flaws well enough), motive (layoffs, salary cuts, no bonuses), and opportunity.<br />
<u>Counter:</u> Invest in forensic accounting, and keep a panel of experts on standby to be called in when fraud happens. Get advice on a list of red flags to watch out for.<br />
<strong>6. Cyberwarfare could become a reality</strong><br />
At least as far as the South East Asian region is concerned, we&#8217;ve already seen an increase in the number of cyber attacks on Indian banks and government websites. This trend will get more serious and more malicious with some really sensitive data being targeted in the months to come. The next frontier for terrorism will be digital, and we&#8217;re all going to be facing the brunt of professional hacking, espionage, and digital sabotage. We&#8217;re already seeing this with the current Israeli war on Gaza (<a href="http://blog.wired.com/defense/2008/12/israels-info-wa.html">http://blog.wired.com/defense/2008/12/israels-info-wa.html</a>), the recent attacks by Pakistani hackers on the Eastern Railways site (<a href="http://in.news.yahoo.com/241/20081225/1262/twl-pak-hacker-attacks-e-rlys-site-threa.html">http://in.news.yahoo.com/241/20081225/1262/twl-pak-hacker-attacks-e-rlys-site-threa.html</a>), and a couple of PSU banks. See this link for in-depth Indo-Pak cyberwar coverage: <a href="http://intelfusion.net/wordpress/?p=468">http://intelfusion.net/wordpress/?p=468</a><br />
<u>Counter:</u> If your organization is governmental, semi-governmental, public sector, or provides a service or utility of national importance, you are pretty much going to be targeted. Focus on securing your external perimeter and get it tested.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2009/01/01/infosec-scenario-in-2009/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Reasons for Failure of Business Continuity Plans</title>
		<link>http://niiconsulting.com/checkmate/2008/12/31/reasons-for-failure-of-business-continuity-plans/</link>
		<comments>http://niiconsulting.com/checkmate/2008/12/31/reasons-for-failure-of-business-continuity-plans/#comments</comments>
		<pubDate>Wed, 31 Dec 2008 11:41:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Network Forensics]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2008/12/reasons-for-failure-of-business-continuity-plans/</guid>
		<description><![CDATA[I was recently attending a conference on Business Continuity Management, and happened to attend an enlightening talk given by Mr. Vijay Sethi, CIO of Hero Honda &#8211; the world&#8217;s single-largest two wheeler company. The focus of the talk was on &#8220;Reasons for BCP Failure&#8221;, and I believe the points given below are highly applicable to [...]]]></description>
			<content:encoded><![CDATA[<p>I was recently attending a conference on Business Continuity Management, and happened to attend an enlightening talk given by <strong>Mr. Vijay Sethi, CIO of Hero Honda</strong> &#8211; the world&#8217;s single-largest two wheeler company. The focus of the talk was on <strong>&#8220;Reasons for BCP Failure&#8221;</strong>, and I believe the points given below are highly applicable to a lot of organizations. With his permission, I am presenting the key ideas presented:</p>
<p><strong>1. Faulty drivers for implementing BCP</strong><br />
A lot of organizations implement BCP because customers demand it, or they need it for ISO 27001 certification, or because their auditors have repeatedly stated so.</p>
<p><strong>2. Not business-centric</strong><br />
A lot of BCPs end up becoming focused purely on IT infrastructure, and are more like Disaster Recovery Plans, rather than comprehensive Business Continuity Plans.</p>
<p><strong>3. No clear owner of the BCM process</strong><br />
The success or failure of the BCM depends on who is the internal driver or champion of the process. Thus the owner of the BCM should be clearly defined. While the CIO or CTO could be the owner, he must ensure he has a larger business perspective, and more importantly the rest of the organization should not see it as a technology-focused initiative, but rather as something that affects all of them.<span id="more-50"></span></p>
<p><strong>4. No regular BCP tests</strong><br />
The efficacy and strength of the BCP depends on the frequency and quality of tests carried out. More often than not, testing is done just before an audit. The lessons from a BCP test are also not incorporated into improving the BCP. The practical reason for this is that testing is not an easy process &#8211; it requires a lot of thought, effort, and resources to execute properly and efficiently.</p>
<p><strong>5. No regular updating of the BCP documents</strong><br />
Often the numbers given in a call-tree turn out to be not reachable, or worse still, the person no longer works for the organization. In today&#8217;s business environment, organizations are changing rapidly in terms of processes, new technology, new lines of business, as well as people turnover. The BCP document can very quickly become obsolete and useless if it is not updated regularly.</p>
<p><strong>6. No regular training</strong><br />
The truth is that no one will have the time or occasion to read the BCP document when an emergency strikes. Therefore, the successful execution of the steps in the BCP is dependent on the level of training and awareness regarding the BCP. Again, people turnover results in training not being given to the people who have replaced earlier BCP team members.</p>
<p><strong>7. BCP is too rigid or too complex</strong><br />
No crisis will turn out exactly as envisioned in the BCP. Therefore, the BCP must allow for enough flexibility, fallback options, and enough authorization to the crisis management team to take decisions that they feel to be in the best interests of the organization. Teams should be trained to think outside-the-box. Primary focus should be on enabling and empowering the team, rather than the BCP document.</p>
<p><strong>8. No clear management involvement</strong><br />
I would put this as the #1 reason. Management is often not truly interested in the development and maintenance of the BCM, and usually plays a peripheral role in developing and driving it within the organization.</p>
<p><strong>9. Cost cutting</strong><br />
In the current economic scenario, it is likely the first budget cuts might be to resources allocated to the BCM. Check whether within your organization, during budgetary discussions, it is the BCM that is losing out on getting priority.</p>
<p>To round out the number to 10, and to also add some post-script after the 26/11 attacks, I&#8217;d also like to add my 2-cents to the list above:<br />
<strong>10. Post 26/11 knee-jerk reactions</strong><br />
From what we are observing around the country, organizations are rushing in to implement security measures, which are not really based on a risk assessment or business impact analysis. Especially in hotels, malls, corporates and governmental organizations the measures are being implemented without taking into account realistic threat probabilities and actual business dependencies.</p>
<p>The talk was filled with very interesting quotes, and I&#8217;ll end this article by reproducing a very appropriate one here:</p>
<p><em>&#8220;The time to repair the roof is when the sun is shining&#8221;, John F. Kennedy.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2008/12/31/reasons-for-failure-of-business-continuity-plans/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>First conviction under IT Act</title>
		<link>http://niiconsulting.com/checkmate/2008/02/07/first-conviction-under-it-act/</link>
		<comments>http://niiconsulting.com/checkmate/2008/02/07/first-conviction-under-it-act/#comments</comments>
		<pubDate>Thu, 07 Feb 2008 17:52:31 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Case Studies]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2008/02/first-conviction-under-it-act/</guid>
		<description><![CDATA[Finally, we have our first conviction under the IT Act 2000 in India. After more than a 100 cases being lodged, and about half of them actually reaching the courts, we have our first conviction of an orthopaedic surgeon in Chennai being convicted of recording and uploading pornographic images. He and his brother in the [...]]]></description>
<content:encoded><![CDATA[<p>Finally, we have our first conviction under the IT Act 2000 in India. After more than 100 cases being lodged, and about half of them actually reaching the courts, we have our first <a target="_blank" href="http://www.ibnlive.com/news/sex-doctor-gets-life-in-cyberporn-case/58375-3.html?xml">conviction of an orthopaedic surgeon</a> in Chennai, convicted of recording and uploading pornographic images. He and his brother in the US were found running a profitable pornographic website selling the videos and images.<br />
Other notable cases nowhere near conviction include the hacking of the Mumbai cybercrime cell, the financial defrauding of Citibank customers by its BPO Mphasis, the creation of an Orkut group criticising Shivaji which got an IT engineer in Bangalore wrongly incarcerated due to a serious goof-up by Bharti (the ISP), and others.<br />
Coming back to the original case, though, I wonder why the actions of the doc warranted a life sentence. What is intriguing is the presence of machine gun bullets at his farmhouse &#8211; wonder where the machine gun correlating to the bullets might be? Maybe the doc was also a gun-runner in addition to being a pervert.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2008/02/07/first-conviction-under-it-act/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
