Quick and Basic Security Assessment for Databases

When preparing a database solution, one must always make sure that the security of the database is up to specification. The first step in properly securing a database is a security posture assessment.

While there are a lot of tools that will do this for you, Imperva has a free tool named Scuba that performs a very basic but very fast database security posture assessment.

To use Scuba, just download and extract the zip file to a folder. Input the DBMS connection parameters, test the connection and press Go.

After Scuba finishes the assessment, it produces an XML report. To review it in human-readable form, choose the level of detail from the report templates (Summary, Assessment with details, Assessment without details) and generate the HTML.

Here is a screenshot of the generated assessment report

The report is basic, but it will point you in the right direction by checking for well-known attack methods and vulnerabilities. One must not rely solely on this tool for database security, and should employ other relevant tools as well.

User warning: since the tool comes with NO DOCUMENTATION, here are several warnings and tips that will ease your use of it:

  1. Since Scuba is a Java-based tool, it requires a JRE to work. Also, in order to connect to a MS SQL RDBMS, you must have the Microsoft SQL Server JDBC Driver installed.
  2. Error messages are logged, but there is no user-friendly message when an error occurs. In order to debug possible problems, look for the 'scuba-error.txt' file and read through the Java exceptions recorded in it.
  3. The 'scuba-error.txt' file is appended to, so the last error in the file is the one that hit you. For easier debugging, delete scuba-error.txt after each session so that the file only contains the errors from the current session.
Talkback and comments are most welcome

Creating BackTrack4 Pentest Virtual Machine

BackTrack4 is an excellent Penetration Testing Distro, but in the LiveCD version it is quite crippled:

  • There is no possibility to install additional software
  • There is no possibility to create custom scripts
  • All attacks need to start from scratch

There are several options to alleviate this issue. The most flexible solution I have found is to create a VMware virtual machine with BackTrack4 installed on disk. Since BackTrack4 includes no installer, here is a brief tutorial with the scripts included.

Create a Virtual Machine as Custom Linux, and choose Ubuntu as the guest operating system
Choose a SCSI hard disk of at least 5GB (we recommend 8GB)
Boot the virtual machine from the BackTrack DVD

Creation of Partitions
After booting, log on and partition the SCSI hard drive (/dev/sda)
Create 2 primary partitions: one for BackTrack (Linux, type 83) with at least 4 GB of space, and one Linux swap (type 82) of 512MB
fdisk /dev/sda
After creating the partition table, format the BackTrack partition

mkfs /dev/sda1
After formatting, mount the partition
mkdir /mnt/sda1
mount /dev/sda1 /mnt/sda1/

Copy the BackTrack Data
Create the copying script in the root's home directory
vi create_bt_disk
Paste the following text in the VI editor and save it
#!/bin/bash
# Copy every top-level directory of the live system onto the new disk.
list=`cd /; ls`
for i in $list
do
  # Skip /mnt (it holds the new disk itself, copying it would recurse forever)
  # and the kernel pseudo-filesystems /proc and /sys; they are recreated empty below.
  if [ "$i" = 'mnt' -o "$i" = 'proc' -o "$i" = 'sys' ]; then continue; fi
  echo $i
  cp -pR /$i /mnt/sda1
done
mkdir /mnt/sda1/sys
mkdir /mnt/sda1/proc
mkdir /mnt/sda1/mnt
echo 'Done'

Make the script executable and run it
chmod 755 create_bt_disk
./create_bt_disk

Finishing Touches

After the script finishes, change the root directory (chroot) to the new disk in order to make it bootable
mount --bind /dev/ /mnt/sda1/dev/
mount -t proc proc /mnt/sda1/proc/
chroot /mnt/sda1

Run LILO to write the boot information to the MBR of /dev/sda. NOTE: the default lilo.conf works with disk /dev/sda and partition /dev/sda1. If you have a different disk configuration, you need to change /etc/lilo.conf appropriately before running LILO
lilo -v

All done. Just reboot and remove the BackTrack DVD.

We hope that this tutorial eases your use of the BackTrack suite.

BlogTipz hack - The BlogTipz editor response

We received the reply from the editor of BlogTipz.

From the information given, it seems that BlogTipz was merely a target of opportunity.

The hack method is probably not related to a flaw in WordPress, but the editor of BlogTipz does not reveal the actual attack method.

At any rate, blog masters everywhere need to keep blog security high on their list of priorities.

Here is the reply in full

Yes, I was going to possibly write a post on the blog, because I was not aware of it (it could have been up for 12+ hours). They simply changed the login name and password and injected in a new index (main) page, so it was rather simple to recover (within an hour).

I will be securing WordPress even more from this day forward to prevent it from happening on other sites. I was using a current version of WordPress. The attacker was called "North-Africa Security Team" and appears to be one of the most popular hackers in terms of results (~14 million).

If you need any further information, please inform me. I will be informing readers about this soon.

And, thanks for informing your readers about this.

Blogtipz Hacked

Today, blogtipz.com, a good internet blogging site, got hacked. The attack is a simple defacement, and the signed culprits are Dr.0rYX|Cr3W-Dz.

Here is a screenshot of the hacked version of the blogtipz.com site

With the little information available, the most probable attack vector is a vulnerability in the installed version of WordPress. We are including two screenshots of the original site (the Google cached version, and the site after the defacement was fixed).

We have submitted the following questions to the editor of Blogtipz

1. Did you get threatened by the hacker teams that hacked the page?
2. How much time did it take for you to recover from the hack?
3. Did you discover the attack vector, and would you share it?
4. Is your Wordpress now patched against such attacks?
5. Any message on your side for the readership?

As soon as a response is back, we'll post it.

Google Voice - No Privacy Remains?

Google is announcing a new service - Google Voice. Apart from the automatic transcripts of voicemail, call filtering and other user benefits, the service will give Google access to enormous amounts of information about your life - including recordings of your voice mail.

Of course, the Google creed is - Do no evil! But let's dig deeper into what Google will get their hands on:

  • Records of voice mail calls, with automatic transcription - Google will have the voice AND a searchable text of your messages, possibly even your calls at some point
  • Voice imprints of all the people who called you - and they can match those imprints to a source phone number.
  • FULL listing of your incoming calls - since Google Voice is integrated with GrandCentral (Google Number), which gives you one single number; when a caller rings that number, you can have up to 6 phones ring simultaneously.
The reason for all this is simple - profit. The Google Voice service will be free and Google will try to insert ads - first in the transcripts and then possibly even in the audio segments of the conversation.

I have no objection to the efforts of Google to make a profit - especially since they offer a free service for this.
But the amount of information that is going to be collected in this way will soon rival a system popularly known as ECHELON - a highly secretive grid of US and UK government datacenters and communication hubs used to intercept, process and analyze electronic communications.

So instead of having to spend billions of dollars to set up and operate huge datacenters with hundreds of employees, the NSA, FBI, CIA and all the other 3-4 letter agencies will just use the USA PATRIOT Act or something similar to 'ask' Google for access to everything recorded.
And it's not only the government that will try to get their hands on such info. I suspect that Google Voice will become a target of all kinds of hacker groups, intelligence agencies and generally anyone trying to extract possibly useful info from the archived data.

So next time you are phoning someone, first thing you do is ask the person on the other side - are you on Google?

Email security - leaks in corporate e-mails

During business e-mail communication, a lot of people tend to include non-business related information. Such unrelated information is usually generic information about the sender's company, but it can expose the company to unwanted risks of social engineering attacks or loss of competitive advantage.

Here is one of the less disastrous e-mails that have dropped into my mailbox. It is anonymized, so it will be recognizable only to the author - should he choose to read this post.

Let's analyze the information and its relevance to a possible attacker:

  1. The confidential content of the message is fake - the sender dropped entirely fake information to create an appearance of great importance. While such information cannot be used in building an attack, it is a great weapon for discrediting the company. All the attacker needs to do is continue the communication and draw out more such e-mails. Then it's just a matter of 'leaking' those e-mails to the public with appropriate commentary and reference to any commercial promise of the company's product.
  2. The confidential content of the message is true (partially or fully) - the sender dropped true information, trying to increase the importance of his company or trying to gain the confidence of the recipient of the e-mail. In any case, this leaves a great foothold for a social engineering attack:
    • The attacker can continue the communication, even returning fabricated confidential information in order to gain further trust and extract more information
    • With just the information about a trip to Spain, it would be easy to craft a message from an apparently Spanish sender, referencing a meeting with the owner at such and such time. In such a message the attacker can try to obtain more confidential information or build a trust relationship with the sender or others in the company.
    • Information about the travel of a company executive can be used to research the possible partners in Spain, and launch a social engineering attack on them.
Whatever the reason for communication, always stick to the matter at hand, and under no circumstances volunteer or drop additional facts which are not relevant to the subject matter.
For companies, the above sentence should be a part of the internal security policy and e-mail usage policy.

Tutorial - Secure Web Based Job Application

In an effort to minimize costs, a lot of companies create web-based forms for job applications. But web hosting is mostly outsourced to hosting providers, which host hundreds of sites on the same server, thus potentially exposing the personal data of applicants to attack.

Here is a blueprint design for making a web based employment application with minimal risk of unnecessary exposure of the personal data of the applicants.

The process
The corporate concept of a web-based job application uses the following process:

  • The applicant fills in a web form, and the information is stored in a database.
  • The corporate HR operator accesses the database and applies appropriate filters to the applicants, generating an automatic shortlist from competency and education criteria.
  • Applicant data within the database can have automatic retention setting to delete old records.

Summary Risk Analysis
The risk analysis of the design has the following assumptions:
  1. Web hosting is outsourced
  2. There is no direct link from the hosted web site to the corporate network
  3. The site is hosted on shared hosting, with the generic security provisions the hosting provider applies to all hosted sites
  4. HTTPS is available for any web page on the outsourced hosting
With these assumptions in place, the main risk to the applicant data is from an attacker who compromises any of the hosted sites and gains access to the applicant database - should it be kept on the hosted servers.

Solution design
To mitigate the identified risk, the design separates the location of the application form from the actual database of personal information. The entire design is presented in the diagram below, with each numbered step described in detail:

  1. The applicant web form is hosted on the web hosting server. The web form is accessed via HTTPS. The applicant fills in the web form
  2. The web form packages the information into an XML file, which is sent as an attachment of a signed and encrypted e-mail message to the corporate e-mail server
  3. The signed and encrypted e-mail message is read by an automated process; the signature is verified and the message is decrypted
  4. The XML file is extracted and parsed by a process on the internal application server
  5. The parsed information about the job applicant is sent to the HR database, located within the security zones of the corporate network - no access from the outside
  6. The HR operator uses a web interface to access the stored information via the internal application server
  7. The internal application server accesses the applicant data stored in the HR database
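Steps 2 and 4 of the design, as an added example that is not part of the original post: the hosted form serialises the application into XML, and the internal application server parses it as untrusted input. The caveat a practitioner should keep in mind is that the signing key for step 2 lives on the shared hosting server, so a verified signature only proves which server sent the mail, not that the server was uncompromised; the parser therefore refuses DTD/entity declarations, unknown elements and oversized fields. The field names and size limit are assumptions, since the post does not list the actual form fields.

```python
import xml.etree.ElementTree as ET

# Fields the applicant form collects; these names are assumed, the post
# does not list the actual form fields.
FIELDS = ("name", "email", "education", "competencies")
MAX_LEN = 2000  # per-field size limit on the receiving side (assumed)


def package_application(form):
    """Step 2 (hosted web form): serialise the submitted fields into the
    XML file that is attached to the signed, encrypted e-mail.
    Only known fields are copied, so stray form parameters never travel."""
    root = ET.Element("application")
    for field in FIELDS:
        ET.SubElement(root, field).text = str(form.get(field, ""))
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_application(data):
    """Step 4 (internal application server): parse the extracted XML.
    The file was produced on shared hosting, and whoever controls that
    server also controls the signing key, so the signature proves origin,
    not that the content is safe; treat it as untrusted input."""
    head = data[:4096].lower()
    # Refuse DTD and entity declarations outright (entity-expansion and
    # external-entity tricks need them; a valid application never does).
    if b"<!doctype" in head or b"<!entity" in head:
        raise ValueError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError("malformed XML: %s" % exc)
    if root.tag != "application":
        raise ValueError("unexpected root element %r" % root.tag)
    record = {}
    for child in root:
        # Unknown or nested elements mean the file was not made by our form.
        if child.tag not in FIELDS or len(child):
            raise ValueError("unexpected element %r" % child.tag)
        text = (child.text or "").strip()
        if len(text) > MAX_LEN:
            raise ValueError("field %r exceeds %d characters" % (child.tag, MAX_LEN))
        record[child.tag] = text
    missing = [f for f in FIELDS if f not in record]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return record  # ready to be written to the HR database (step 5)
```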

The proposed design can be used as a prototype for a job application portal which minimizes the risk of data theft. There can be several modifications or variants of the design to target specific requirements and expectations.

Of course, this design will be disputed by most ISPs, since they claim that their sites are safe.

But in a corporate environment, the corporation is responsible for protecting the personal information of the registered persons. And should a security breach occur, no amount of penalties to the ISP will reduce the responsibility of the corporation.

HP partners with Sun - Anybody remember Digital?

Hewlett-Packard and Sun will announce details of “their newly expanded partnership agreement”. Might this be a step towards a merger?

The analysts list a number of mutual benefits for both companies, with two major elements:

  • Major benefit for Sun - Cashflow
  • Major benefit for HP - Enterprise level architecture and OS technology

The older readers may remember a company with great technology that got eaten by a PC vendor.
Compaq got its hands on Digital hoping to benefit from its technology and expertise. In the end, they didn't seem to know what to do with it until HP acquired Compaq.

Sun also has great technology and is also down on its financial luck.
But is HP actually prepared to reap the benefit of the great technology that Sun brings?

History teaches us that HP had several shots at large enterprise and somehow managed to miss most of them:
  • HP is supporting 3 large enterprise platforms, which obviously puts a huge strain on their interoperability and compatibility design. Also, so many platforms mean that buyers are easily confused:
    • Its own series of CPUs (PA-RISC) and operating system (HP-UX) designed for the large enterprise - the Superdome
    • The acquired Alpha CPU based servers with Tru64 UNIX or OpenVMS, which are still being supported as legacy systems
    • The Integrity series with Itanium CPUs, supporting several OS platforms
  • HP bet on Itanium 1 and missed an entire generation when Intel delivered a chip of mediocre power and there was no major enterprise software support for it
  • HP didn't manage to develop a native middleware platform for its hardware, and relies on Sun, IBM and third-party vendors to deliver such a platform.
With such a track record, one needs to be worried about the realistic benefits and outcome of this partnership.
In the long run, we just hope that Sun survives as an independent high-quality vendor of enterprise solutions.