May 9th, 2008
I was first exposed to SQL injection when David Litchfield (see his blog) came and gave a talk on the subject while I was working at the NSA in the summer of 2002. SQL injection is a type of security vulnerability that occurs when some code includes untrusted input, such as a website form field, in a SQL database query without first escaping or removing special characters that may affect SQL syntax (', ", \, etc.). This may subsequently allow an attacker to terminate the original query and inject another query to do something malicious, such as the following: "'; DROP TABLE users;". After hearing about SQL injection, my friends and I proceeded to go home and type "'; select * from users;" into form fields on numerous websites. Though we didn't see any database table dumps, a surprisingly large number of sites gave us responses with SQL syntax errors, indicating potential vulnerabilities.
Things have changed a lot since the advent of SQL injection attacks. Many security researchers have investigated the topic and written papers on how to correct the problem. As the title of this blog post suggests, however, the SQL injection problem has been solved. Sometimes it makes sense for people to continue researching a problem when existing solutions have serious usability constraints or add significant development overhead. That is not the case for SQL injection. The rest of this article briefly touches on some SQL injection research and then shows you how to avoid vulnerabilities on your website using a common PHP library as an example.
Read the rest of this entry »
Posted in Databases, Web Applications, Vulnerabilities, Articles | No Comments »
April 30th, 2008
Have you ever wanted to purchase a domain name for a website? The chances are that you had to spend hours testing out ______.com domain names before one was available that you liked. I have been in this situation many times and it is extremely frustrating. If each of the domain names were taken by other legitimate sites, it would be one thing. However, almost all domain names are registered by squatters whose sole purpose is to extort us, the rest of the people in the world who want good domains for their websites. Webmasters are not the only ones who have to bear this burden – everyone who uses the internet suffers by having to type in and remember longer and less-relevant domain names even though better ones are available.
Everybody hates what domain squatters do to the internet, just as they hate spammers. Unlike junk e-mail, however, domain registration is controlled by central authorities who should be able to stop widespread domain squatting. You may wonder how domain squatting relates to security and why an article about it appears on this blog. The answer is that once you start considering actual policies that ICANN could put in place to combat domain squatting, almost all of them either seriously hinder legitimate registrants or suffer from loopholes that would allow domain squatters to continue their operations unimpeded. This article explores policies that ICANN may be able to enforce to make headway against the internet plague that is domain squatting.
Read the rest of this entry »
Posted in Public Policy, Authentication, Articles | 6 Comments »
March 6th, 2008
Are you concerned about protecting confidential data on computers in your organization? Sometimes it can be difficult, even for security experts, to know exactly what they are up against. This article not only enumerates threats to confidentiality, but also compares the ability of different security products to combat these threats. The resulting threat matrix paints a clear picture of exposure. This matrix also highlights the role of my own security software, Web Tap, which is partially responsible for the recent reduction in blog post frequency.
Read the rest of this entry »
Posted in Confidentiality, Malware, Threat Modeling, Articles | No Comments »
February 15th, 2008
but the solutions would impede usability. Any security problem that we face today could probably be solved using primitives that have existed for a long time, such as encryption, authentication, digital signatures, physical isolation, firewalls, trusted computing, and mandatory access control. How can you prevent your computer from getting a virus? Do not connect it to the Internet. How do you stop spam? Only accept signed e-mail from known associates. These solutions obviously do not meet real-life usability requirements, but they highlight an interesting point. If you think that you are researching a security problem, then you are actually researching a usability problem. Any security solution that does not account for usability will not improve security one bit. Furthermore, truly revolutionary security products should have minimal or no effect on a user’s work-flow. It is very important to keep this principle in mind when designing new security systems.
Posted in Usability | No Comments »
December 12th, 2007
Mengjun Xie et al. presented a paper today on detecting and suppressing IM-based malware using a honeypot approach. The idea is to create decoy IM accounts and add them to random users’ buddy lists in an enterprise environment. Then, when these accounts are hit with file transfer requests or links to malicious software, HoneyIM sounds an alarm and detects the infection. Unfortunately, their approach only works on so-called “hit-all” worms that go after every user in your buddy list, which the authors admit in the paper. HoneyIM would not work against a worm that interjected links in the middle of conversations, for example. It would also fail against targeted attacks with a human behind the keyboard. This article suggests a better, alternative approach to the problem of IM malware that would detect even one instant message containing a malicious link.
Read the rest of this entry »
Posted in Intrusion Detection, Malware, Articles | 1 Comment »
December 10th, 2007
Hi everyone, I will be at the 23rd Annual Computer Security Applications Conference (ACSAC) this week in Miami. I hope to make it to most of the interesting talks and post articles about the better presentations. The main reason for my visit will be presenting the results from the Spector project that I worked on while at Arbor Networks. After the talk, I will post a shorter article summarizing the Spector research that also includes comments from the questions and discussion at the conference. This should be a busy week with plenty of interesting blog posts, so stay tuned.
Posted in General | No Comments »
November 13th, 2007
I was working on a project recently that involved creating a Java applet to select and upload files to a web server. After some investigation, I found that embedding such an applet in a web browser required paying a certification authority $150 for a signing certificate. This fee does not include any sort of attestation that the applet is not malicious; it simply associates it with a known publisher (who is willing to pay $150) and prevents man-in-the-middle modifications. My next thought was: why don’t I just create a stand-alone executable? An executable is easier and cheaper to deploy, and it has more access to the system. From a security perspective this seems completely backwards. Not only should it be easier to safely deploy a simple program, such as one that uploads selected files, but there should also be more checks on anonymous executable downloads. The current web download trust model is broken, and this article shows how to fix it with user-generated feedback following the wiki model.
Read the rest of this entry »
Posted in Trust, Security Metrics, Browsers, Articles | No Comments »
October 14th, 2007
I saw this cartoon and just had to write a post about it. This is the first security-related cartoon/joke I have ever seen. I think it is quite funny, but you be the judge.
http://xkcd.com/327/
Posted in General | No Comments »
October 14th, 2007
This past week at the Blue Hat security conference, Lurene Grenier from Sourcefire gave an impressive presentation about exploit and signature development. She rapidly creates proof-of-concept exploits following Microsoft’s patch release on the second Tuesday of every month. Thanks to years of experience, the whole process only takes a few hours. It would be exceedingly difficult for prospective hackers to create and use a weaponized exploit any faster than signatures are pushed out by intrusion detection system (IDS) vendors. However, it may be possible to create a working exploit that escapes detection entirely. This article takes a look at issues related to completeness of IDS signatures.
Read the rest of this entry »
Posted in Program Analysis, Intrusion Detection, Vulnerabilities, Articles | No Comments »
September 28th, 2007
The 64-bit version of Microsoft’s latest operating system, Windows Vista, comes with a feature known as “PatchGuard.” PatchGuard will monitor “key resources used by the kernel or kernel code itself” (see Windows Vista Security – An Introduction to Kernel Patch Protection) to detect tampering. If it notices any writes to protected areas, it immediately triggers a bug check (the CRITICAL_STRUCTURE_CORRUPTION stop error) that halts the system. The goal of PatchGuard is to harden the kernel against malicious code. However, it also hardens the kernel against security software that does system call monitoring, since hooking the system call table is exactly the kind of write it detects. This side-effect has stirred up unrest among vendors such as Symantec (see Assessment of Vista Kernel Mode Security). They argue that the inability to filter system calls makes systems with PatchGuard less secure than systems that are only running their protection software. So who is correct in the kernel patching debate? This article argues that both parties are in the wrong, and suggests a better way that Microsoft can work with vendors to maximize overall security.
Read the rest of this entry »
Posted in Vulnerabilities, System Calls, Host-Based Security, Articles | No Comments »