Wednesday, March 19, 2008

Cool Technology of the Week

A few days ago, I received an email message that got my attention

"Hi John,

There is an Eastern European website/blog offering a set of sites that have been 'hacked' and are being sold to anyone who wants to 'take-over' the site for $7 to $10. One of your sites is on the list. You may want to scan this site for possible SQL injection vulnerabilities/attacks.

PS Other bloggers attest to the validity of the offer and the 'reliability' of this hacker. "

A SQL Injection attack occurs when a database-backed web application does not filter inappropriate user input and executes that input against the database. For example, suppose a phone directory application asks for last name as part of employee lookup. A hacker might type "Select social_security number from employees" instead of entering a last name and the query against the database, if correctly structured, could return confidential information.

I did not want to pass along my credit card number to a hacking site, so I asked our security consulting firm, Third Brigade to check it out.

The attacks noted on the Eastern European website started early in March and by Wednesday March 12, 2008, 10,000 Web pages were compromised. In the first step, dynamic web pages are infected with a link to a malicious JavaScript file. A file downloads and executes code that tries to install password-stealing software on the desktops of people who visit the sites. Users who visit one of these infected websites may unknowingly execute malicious code. This code attempts to exploit known vulnerabilities for which patches are available but may not have been applied to the victim's system. Once the code executes on the desktop, specific malware is downloaded which sends passwords and other sensitive information to the attacker.

Here's a diagram of how it's done:

Step 1: The attacker attacks the Web Site using SQL injection. This involves information gathering queries followed by the specific attack that injects the link. The link is injected into string fields of the database so that dynamic web page content generated from the database will contain the link.

Step 2: Once the attack is successful, the attacker injects malicious code to the Web Site.

Step 3, 4 and 5: Users visit the website and are redirected to a malicious site which attacks the desktop using known vulnerabilities in operating system, browser and ActiveX plugins.

Step 6: Once successful, the attacker connects to various other sites to download malware (keylogger, password stealer etc)

Step 7: The attacker has sensitive information and has complete control of the desktop

Here's a diagram of how to protect against it:

* At BIDMC, we chose to implement Third Brigade's Host Based Intrusion Protection software, the Cool Technology of the Week. Third Brigade’s SQL Injection smart filter provides generic protection against SQL Injection attacks.

* In addition, Third Brigade has released a specific exploit filter which identifies if a Web Site has been compromised and is serving malicious content to unsuspecting users.

*Third Brigade provides protection against these Web Site attacks that are highly sophisticated and in some cases encoded using evasive techniques like URI encoding, double encoding, mixed case and non minimal UTF-8 encoding.

* Install filters for known vulnerabilities in Browsers, Operating Systems and ActiveX Plugins

* Install filters which prevent the user from accessing sites serving malicious pages. In this case, we released a specific protection which detects if the user visits a site that has malicious javascript in it.

* Install filters which block domains which download the malware on the target machine.

* Install filters detecting existence of known malware on the machine.

We're deploying these Third Brigade agents on our web clusters and SQL clusters so that even vulnerable applications and operating systems will be protected against many types of attacks. As I've said before, security is a journey requiring constant vigilance. The Third Brigade Host based Intrusion Protection systems are important components that we'll incorporate into all our future application releases.


Unknown said...

If it's appropriate, would you please speak to why you chose Third Brigade over other security alternatives?

John Halamka said...

We've used Third Brigade as an ethical hacking firm to do penetration tests of our applications for the past 2 years. Their depth of knowledge of vulnerabilities and hacking techniques is quite impressive.

Tyler Krpata said...

Do you have a project in place to proactively scan your web applications for vulnerabilities (known or unknown)? I'm mostly thinking about automated scanning with something like Webinspect or AppScan, but I'd be interested in any thoughts on manual scanning/testing as well.

John Halamka said...

We've used a variety of vulnerability scanning tools in addition to active intrustion detection and prevention software.