[nsp-sec] Questions about Prevention, Detection and Education surrounding the ASP SQL injections
Lawrence Baldwin
baldwinl at mynetwatchman.com
Thu May 29 08:58:45 EDT 2008
Attached is the document that I found most helpful in getting my SQL
Injection knowledge somewhat improved....probably raising me from a 2 to a 5
;(
It appears to outline the exact "playbook" that the miscreants I am
investigating took their techniques from.
Note: I am NOT investigating the IFRAME injectors, but rather the miscreants
using SQL inject to accomplish many of the high-profile data breaches of
2008.
The sad part is that this document is from 2005 so it can hardly be
classified as 'advanced' any more...despite this it appears to still
provide effective means to inject, even against relatively high-profile
entities.
Regards,
Lawrence.
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Zot O'Connor
Sent: Wednesday, May 28, 2008 19:16
To: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Questions about Prevention, Detection and Education
surrounding the ASP SQL injections
----------- nsp-security Confidential --------
We've gotten a few responses, and they are helping target documents. Of
course I want many more ;) And some folks have asked, I will keep any and
all information shared confidential. I prefer having sanitized data to
share with folk, but even compiling responses is very helpful.
We have recently gotten some info, which we think is wrong, that the SQL
attacks are putting malware on the attacked system (vs. inserting IFRAMEs in
the DB to another server, which may or may not be attacked). Has anyone seen
this?
Thanks!
Zot O'Connor
MSRC Ecosystem Strategy Team
Partner Outreach
(425) 722-7575
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Zot O'Connor
Sent: Wednesday, May 28, 2008 12:08 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Questions about Prevention, Detection and Education
surrounding the ASP SQL injections
----------- nsp-security Confidential --------
Howdy!
We are currently working on providing guidance to customers who are dealing
with the SQL injections that are attacking ASP pages.
As you are probably already aware, the injections do not attack via a
vulnerability, but attack via weaknesses in configurations and software
running on the servers.
We are trying to compile a list of suggestions, ideas, tools, and
experiences for dealing with the SQL injections.
If you could please take a few moments and answer the following questions,
it would greatly help us, and our mutual customers. Even if you have not
dealt with the attacks, if you have prior experience or thoughts on this, it
could greatly assist us.
The following outline reflects our thoughts. We are looking for ideas on
Detection, Prevention, Education, and future requests.
1. Detection
   a. Have you detected attacks?
      i. Was the attack successful?
      ii. What was the impact?
      iii. What was the cause of the weakness?
         1. Was it home grown configurations or software?
         2. Was it part of a package or SOP?
   b. How are you doing detections?
      i. Are you watching logs?
      ii. Are you monitoring your web sites?
      iii. Are you using search engines?
      iv. Are you looking at incoming or outgoing requests?
   c. Did you have packet traces or logs you can share?
   d. Tools
      i. Which tools are effective?
      ii. Which are ineffective (that you might think would have worked).
2. Prevention
   a. Have you deployed defenses for the attacks?
      i. Are you using any tools?
         1. Filters
         2. Firewalls/IPS
         3. Host based programs
         4. Do you scan for weak systems?
         5. Do you scan for weak code?
      ii. Configuration Changes
      iii. What do you use for guidance for doing this?
   b. Did previously deployed defenses help you?
   c. Have any SOPs helped?
3. Education
   a. Are customers aware of the problem?
   b. Are they taking action?
   c. Are they successful in detection or prevention?
   d. Where are they going for their information?
   e. What information helps them the most?
4. Requests for Microsoft
   a. Are there specific tools or features you think Microsoft could
      create or change that would help?
   b. What form of advice would help your customers?
Thanks for your time!
Zot O'Connor
MSRC Ecosystem Strategy Team
Partner Outreach
(425) 722-7575
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________