security


Sid is doing his popular course, The Art of Exploiting Injection Flaws, at this year’s Black Hat. You can find more details here.
Definitely highly recommended.

These are some amazing statistics

I was interviewed for a nice article about database security on Dark Reading. The interesting question, I think, is not wether to invest in DB security. To me, it’s a given that you have to do it (even though some customers still don’t agree). The question is – how will the threat landscape change if everyone went ahead and deployed DB security protection – activity monitoring, vulnerability assessment, encryption where possible, etc.

If you were a hacker, what would you do?

I have to say that I don’t believe in silver bullets and perfect tools so whatever the enterprise deploys, it will have holes. But, as a hacker, knowing that there is constant monitoring and prevention on every access to the database, I’d probably be very careful and maybe take a different route to the data (file servers, end-point machines, …).

What do you think?

Just published a blog entry on my McAfee official blog. It talks about some of the trends of database security as we see them from the global McAfee Threat Report.

Just today I reviewed Verizon’s Intellectual Property Theft and it has a large section about databases, privileged users and compromised assets.

The one figure that caught my eye is this:

Compromised assets by percent of breaches involving Intellectual Property theft

I’ve attended BlackHat Vegas last week and of course went to see David Litchfield’s presentation. It started rather slow with vulnerabilities I was already familiar with but he saved the best for last. Another Oracle 0day – and I’ve got the pictures to prove it!

Slide image

 

 

And this:

An example of Oracle 0day

 

As you can see above, creating a table with a specially crafted blob column, creating an ODCI (Oracle Data Cartridge Interface) index on it, gathering statistics and then dropping the table triggers a dynamic statement with the column name not properly escaped.

Nice one, David – although we had to scramble and quickly protect against it with our McAfee vPatch solution.

Joxean Koret, a hacker we’ve worked with in the past, has just released a 0day following Oracle’s April 2012 CPU. As far as I understand, Joxean believed that the CPU fixed the issue as his name was mentioned and this was the feedback he got from both Oracle and the company he sold the hack to.

But, to his surprise, it turns out that Oracle did not really fix the issue. Oracle’s response was that the issue will be fixed in the next version. This is really confusing because Oracle’s customers expect the CPU to mention only fixed vulnerabilities.

All in all, a very solid work by Joxean!

UPDATE: official word from Oracle

It’s always funny to hear yourself speak :-)

http://www.youtube.com/watch?v=PbmVSGTra30

Earlier today, a company I recently joined as a board member (and in the interests of full disclosure, an investor as well) announced their first product. The company is called ‘enlocked’ and they are addressing a problem that I’ve felt has been unnecessarily ignored for many years. That is:

While we almost all use email as our primary communications vehicle today, there are still some things that we must reserve for voice (by phone or in person), hardcopy, or even fax.

Being a security minded person, I cringe whenever my accountant, banker or co-worker asks for some sensitive information over email. I usually break my routine, pick up the phone, and pass the information verbally if I can. Since I’m in the security industry (and running Linux), I have had PGP keys for a long time now and Thunderbird supports PGP nicely using Enigmail. But, most people I communicate with use Windows, don’t have PGP keys and don’t know how to install and generate any of the above. Even if I find someone with a PGP key, the exchange is cumbersome and I cannot read their secure emails on my iPhone, iPad and Kindle Fire.

We all understand the security issues with email. Usually, it is sent entirely in the clear as it goes from your server to the recipients server, open for anyone to read along the way. Another issue is that when an email account is compromised or a device is lost, all emails in the account can be read and your sensitive information is exposed. Never mind that the administrators on those servers could be reading any inbound or outbound message, without you knowing it.

Now, some of you are probably thinking: hey, if I really wanted to use email to send this private information, I could just buy some encryption software, exchange keys with the recipient, and I’m all set. As I said earlier, for those of us who deal with a lot of sensitive data, the complexity (and cost) of doing this is worth it. But, for the average user out there who just wants to send someone a quick message, there is a huge adoption hurdle. These tools aren’t getting used, and people are either interrupting their normal email channel and calling with these details, or they are relying on ‘security by obscurity’ in the hope that their message doesn’t get eavesdropped.

The magic of enlocked is that they’ve figured out how to do this in a truly simple way for the sender, without needing to even contact the recipient in advance, let alone install compatible software. By building simple plug-ins and mobile apps, they can leverage your existing authentication to your email server, connect to a cloud service they’ve built, and take care of all the ugliness. You just hit a “send secured” button. The receiver gets their first enlocked message, and is directed to the enlocked.com site to get a plug in for their device / browser. They authenticate themselves to their email server, and the message is readable. Now that they’ve installed it, future messages (from you or anyone else) require no special handling, they just display automatically. And they can send their own secure email as well.

The best way to really see how well this has been done, is just to try it. The downloads and the service are completely free, so head on over to enlocked and send someone a secret message.

Well, that was fun. I had a great time at UKOUG at Birmingham. Met friends, enjoyed the parties and gave a SQL Injection security presentation. All in all, I think it went well – no demos crashing, etc.

It’s pretty much the same presentation I gave at in the hacking exposed series so you can download it here with all the scripts and the demo app.

Presentation Attendies

Presentation Attendies

Here is the presentation and demo application I’ve used for the hacking exposed webinar I did on April 14th. The download file includes an eclipse project and instructions under the “etc” folder. It also includes a few scripts I used for blind SQL injection and worm infection.

Tell me what you think…

HackingExposed

Next Page »