In an earlier post, I mentioned the value of US-CERT’s bulletin of computer vulnerabilities. However, there is much more to this government site that just a table of vulnerabilities. It has a whole section on publications relating to computer security, and one sub-section has to do with technical issues. The articles here can mostly be read by educated laypeople, but the language can be highly technical. All of them can be valuable to anyone who repairs or maintains computer systems. For instance, do you know what class of vulnerabilities ranked first on the MITRE Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Software Errors list?
The answer is given in a 15-page annotated PDF file entitled Practical Identification of SQL Injection Vulnerabilities. The article includes a simple example of how an SQL vulnerability can be used to bypass an authentication check. References to the details of how this works are given both in “authoritative” and “gentle” formats (see the references in the article). Obviously being able to breach confidentiality with a few simple tricks could allow bad people to access private — and valuable — information for nefarious purposes.
I was surprised to learn that the common method used to find SQL vulnerabilities is “Detection Heuristics,” which essentially means supplying various types of bogus injections and observing the result and seeing if it differs from the expected result in a way that can be exploited. You would think that an expert could simply analyze the SQL formalism and predict behavior, but that is not always the case. The authors present some tools — sqlmap and ZAP — as part of a testing environment. The warning that comes with them is sobering.
WARNING: It is critically important that the type of testing described in this document be performed strictly in a testing or staging environment that accurately simulates a production environment. The tests that sqlmap and ZAP can perform against an application have the potential to be invasive and destructive depending on the nature of the underlying flaws, so testing should never be performed on production systems…
I would rather spend a pleasant afternoon with regedit.
That article is only one of the technical articles available in PDF format. Another one that should be of interest to people who repair or disinfect computers is Technical Trends in Phishing Attacks. Several of my clients over the years have fallen victim to phishing of one type or another. One distressing trend that seems implicit in the article is that even with improved security measures, creating a phishing endeavor is easier than it once was because criminals can easily assemble a full “Tackle Box” of high-level tools without actually knowing how to create them. A person bent on doing bad things does not need a sophisticated education to gather ready-made tools from both public and private areas of the Internet. If you are considering a career move to phisherman (phisherperson?), the barriers to entry are low, and the potential for reward high. You only need to know how to run some scripts. Of course, the potential for jail time cannot be ignored, but all professions have a downside.
(Another downside to making a living by theft is that you have to live with yourself. Everywhere you go: there you are, and you are still a thief.)
Some of the tricks phishers use are as simple as disguising an IP address by reporting it in hexadecimal (e.g. 192.168.1.1 à 0xc0a80101). This sounds laughably simple, but it does not have to work many times to wreak havoc in someone’s life.
Another simple trick is to use a domain name similar to one you want. A classic example from times past was the difference between whitehouse.gov and whitehouse.com. The first one took you where you expected; the second one took you to a porn site.
Not all phishing tricks are so simple. The methods developed to harvest data from online banking and sales are particularly sophisticated. In contrast to an individual assembling a toolbox to perform relatively minor theft, these methods are designed by highly skilled professionals. Why? The answer is simple: that is where the money is — and lots of it.
The conclusion of this article states this plainly: Phishing is a highly profitable activity for criminals…
I have only reviewed here two of the many articles available. All of them are well-documented with references to enable interested persons to dig deeper into all aspects of the technology of computer security, and they can be read for free!
If you have any experience with the topics in any of these security-related articles, or if you would like to see more about a related topic, let me know and I will try to feature your comments in a future post.