[nsp-sec] Questions about Prevention, Detection and Education surrounding the ASP SQL injections
Lawrence Baldwin
baldwinl at mynetwatchman.com
Thu May 29 14:19:09 EDT 2008
Puck stripped it.
Here's a link:
http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
Lawrence.
-----Original Message-----
From: Nicholas Ianelli [mailto:ni at cert.org]
Sent: Thursday, May 29, 2008 10:11
To: Lawrence Baldwin
Subject: Re: [nsp-sec] Questions about Prevention, Detection and Education
surrounding the ASP SQL injections
There isn't anything actually attached or inline within this email.
Nick
Lawrence Baldwin wrote:
> ----------- nsp-security Confidential --------
>
> Attached is the document that I found most helpful in getting my SQL
> Injection knowledge somewhat improved....probably raising me from a 2
> to a 5 ;(
>
> It appears to outline the exact "playbook" that the miscreants I am
> investigating took their techniques from.
>
> Note: I am NOT investigating the IFRAME injectors, but rather the
> miscreants using SQL inject to accomplish many of the high-profile
> data breaches of 2008.
>
> The sad part is that this document is from 2005 so it can hardly be
> classified as 'advanced' any more...despite this it appears to still
> provide effective means to inject, even against relatively
> high-profile entities.
>
> Regards,
>
> Lawrence.
>
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Zot
> O'Connor
> Sent: Wednesday, May 28, 2008 19:16
> To: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Questions about Prevention, Detection and
> Education surrounding the ASP SQL injections
>
> We've gotten a few responses, and they are helping target documents.
> Of course I want many more ;) And some folks have asked, I will keep
> any and all information shared confidential. I prefer having
> sanitized data to share with folk, but even compiling responses is very
> helpful.
>
> We have recently gotten some info, which we think is wrong, that the
> SQL attacks are putting malware on the attacked system (vs. inserting
> IFRAMEs in the DB to another server, which may or may not be
> attacked). Has anyone seen this?
>
> Thanks!
>
>
> Zot O'Connor
> MSRC Ecosystem Strategy Team
> Partner Outreach
> (425) 722-7575
>
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Zot
> O'Connor
> Sent: Wednesday, May 28, 2008 12:08 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Questions about Prevention, Detection and Education
> surrounding the ASP SQL injections
>
> Howdy!
>
> We are currently working on providing guidance to customers who are
> dealing with the SQL injections that are attacking ASP pages.
>
> As you are probably already aware, the injections do not attack via a
> vulnerability, but attack via weaknesses in configurations and
> software running on the servers.
>
> We are trying to compile a list of suggestions, ideas, tools, and
> experiences for dealing with the SQL injections.
>
> If you could please take a few moments and answer the following
> questions, it would greatly help us, and our mutual customers. Even
> if you have not dealt with the attacks, if you have prior experience
> or thoughts on this, it could greatly assist us.
>
> The following outline reflects our thoughts. We are looking for ideas
> on Detection, Prevention, Education, and future requests.
>
>
> 1. Detection
>
>    a. Have you detected attacks?
>
>       i. Was the attack successful?
>       ii. What was the impact?
>       iii. What was the cause of the weakness?
>
>          1. Was it home grown configurations or software?
>          2. Was it part of a package or SOP?
>
>    b. How are you doing detections?
>
>       i. Are you watching logs?
>       ii. Are you monitoring your web sites?
>       iii. Are you using search engines?
>       iv. Are you looking at incoming or outgoing requests?
>
>    c. Did you have packet traces or logs you can share?
>
>    d. Tools
>
>       i. Which tools are effective?
>       ii. Which are ineffective (that you might think would have worked)?
>
> 2. Prevention
>
>    a. Have you deployed defenses for the attacks?
>
>       i. Are you using any tools?
>
>          1. Filters
>          2. Firewalls/IPS
>          3. Host based programs
>          4. Do you scan for weak systems?
>          5. Do you scan for weak code?
>
>       ii. Configuration Changes
>       iii. What do you use for guidance for doing this?
>
>    b. Did previously deployed defenses help you?
>
>    c. Have any SOPs helped?
>
> 3. Education
>
>    a. Are customers aware of the problem?
>
>    b. Are they taking action?
>
>    c. Are they successful in detection or prevention?
>
>    d. Where are they going for their information?
>
>    e. What information helps them the most?
>
> 4. Requests for Microsoft
>
>    a. Are there specific tools or features you think Microsoft could
>       create or change that would help?
>
>    b. What form of advice would help your customers?
>
> Thanks for your time!
>
> Zot O'Connor
> MSRC Ecosystem Strategy Team
> Partner Outreach
> (425) 722-7575
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________