SQL injection Hacks Work

How SQL Injection hacks work and how to stop them

SQL injection is a common hack used to run statements on your database server. If a hacker gains access to your SQL database, he can steal, delete or insert information. SQL injection hacks are tedious and complex to fix, so it’s best if a website owner takes precautions before becoming a victim. Before you can protect a website, you need to know how SQL injection works.

 

Understanding SQL

 

Before you can understand how SQL injection works, you need some background on the SQL language. SQL is the language for MySQL, SQL Server, and Oracle. These three database engines have slightly different syntax, but all of them use four basic functions: INSERT, DELETE, SELECT, and UPDATE. Hackers can use any one of these functions to manipulate your data, so you must protect against any type of SQL injection.

 

Let’s take a basic SQL example. Take a look at the following code:

 

select * from customer

 

The above statement queries all records in the customer table and returns them all including every column in the table. Basically, this query returns all of your customer information. For most queries, you don’t want to return all records and columns. You use the SQL WHERE clause to filter records with only a specific set of values. For instance, the following SQL code returns all records where the customer’s first name is “Joe”:

 

select * from customer where first_name='joe'

 

The above code returns only records where the first name is “joe,” and this type of statement is where hackers take advantage.

 

SQL Injection Syntax

 

SQL injection can be very complex, but let’s take a look at some simple examples. Once you understand simple concepts, you can dive deeper into more complex SQL injection attacks.

 

SQL injection usually happens through your form submissions. The following code is an example of a form that asks the user to enter a first name.

 

<form method="post">

<input type="text" name="first_name" id="first_name">

<input type="submit" value="Submit Form">

</form>

 

Typically, you’d expect the user to enter a first name and submit the form. However, this is where hackers take advantage of poorly constructed website code. Suppose this form inserts a new record into your tables. The following SQL code is an example of an INSERT statement:

 

$sql = "insert into customer (first_name) values ('" . $_POST["first_name"] . "');";

 

The above code builds a SQL statement from the form’s first_name variable. Incidentally, the above syntax used is PHP, but this method works with any language. The semicolon terminates the statement and lets you place multiple SQL statements within the same line of code.

 

 

The trick to SQL injection

 

The apostrophe character opens and closes string values in SQL. Hackers prematurely terminate strings and run their own SQL statements. Suppose the hacker entered the following value into the form’s first_name input text box:

 

'); select * from customer; --

 

This example would then build the following SQL statement and run it on your database:

 

insert into customer (first_name) values (''); select * from customer; -- ');

 

If you’re new to SQL, this can be difficult to understand. Notice that the INSERT statement now contains two adjacent apostrophe characters: the one the application wrote and the one the hacker supplied. The hacker’s input inserts a blank value into the first_name column and then terminates the statement, so the appended SELECT statement runs next and retrieves all the data in your customer table; the trailing comment marker hides the application’s own closing quote so there is no syntax error. The goal of this SQL injection hack is to steal your data.

 

Hackers can also delete data, which means you need to recover data from backups. The hacker can replace the SELECT statement with the following SQL code:

 

drop table customer;

 

Building the SQL statement, you now have the following code:

 

insert into customer (first_name) values (''); drop table customer; -- ');

 

The “drop table” statement completely wipes the table from your database. The only way to recover the data is to pull it from your backups. If your backup is a week old, you’ve just lost a week’s worth of data. This issue can be devastating to your business, especially if you work with orders.

 

How Do You Defend from SQL Injection Attacks?

 

Even developers who think they’ve protected a website from SQL injection can be surprised when a hacker finds a hole in security. The best way to defend against SQL injection is to use stored procedures; in PHP the equivalent mechanism is called “prepared statements.” Stored procedures are pre-designed SQL functions that you can reuse throughout your entire website code. They make it faster to build websites that use backend databases, because you don’t need to recreate SQL code for each page. Stored procedures take more time to set up initially, so most coders choose the faster way of development and build dynamic statements such as the one used in the SQL injection examples.

 

When a hacker attempts to use SQL injection and you use stored procedures, the apostrophe characters are sent as literals. This means that instead of terminating a string and executing malicious SQL, the database inserts the apostrophe as part of the data’s value.
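The two outcomes described above, side by side, as an added example that is not part of the original article. It uses Python’s built-in sqlite3 module instead of PHP and MySQL, builds a constructed in-memory customer table, and feeds the article’s DROP TABLE payload first to a string-built INSERT and then to a parameterized one; the driver, the table contents and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed attacker input, the second payload from the article: it closes
# the open string, terminates the INSERT, appends DROP TABLE and comments out
# the rest of the line so the application's trailing quote never causes a
# syntax error.
PAYLOAD = "'); drop table customer; --"


def fresh_db():
    """In-memory database with the article's customer table and one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table customer (first_name text)")
    conn.execute("insert into customer (first_name) values ('joe')")
    conn.commit()
    return conn


def table_exists(conn):
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'customer'"
    ).fetchone()
    return row[0] == 1


def insert_unsafe(conn, first_name):
    """The vulnerable pattern: user input concatenated into the SQL text."""
    sql = "insert into customer (first_name) values ('" + first_name + "');"
    # executescript runs every statement in the string, like a driver that
    # allows stacked queries; that is what lets the appended DROP TABLE run.
    conn.executescript(sql)


def insert_safe(conn, first_name):
    """The fix: a parameterized statement. The value travels separately from
    the SQL text, so the apostrophe is stored as data and never parsed as SQL."""
    conn.execute("insert into customer (first_name) values (?)", (first_name,))
    conn.commit()


def demo_unsafe():
    """Returns whether the customer table survives the payload (it does not)."""
    conn = fresh_db()
    insert_unsafe(conn, PAYLOAD)
    return table_exists(conn)


def demo_safe():
    """Returns (table still exists, stored first names) after the payload."""
    conn = fresh_db()
    insert_safe(conn, PAYLOAD)
    names = [r[0] for r in conn.execute(
        "select first_name from customer order by first_name")]
    return table_exists(conn), names


if __name__ == "__main__":
    print("unsafe: table exists afterwards?", demo_unsafe())
    print("safe:   table exists, rows:", demo_safe())
```

With the concatenated query the table is gone afterwards; with the parameterized query the apostrophe and the rest of the payload are stored as an ordinary first_name value next to “joe”. That separation of SQL code from user data is exactly what a stored procedure or a PHP prepared statement gives you, and it does not depend on guessing which characters to escape.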

 

Each programming language has its own form of stripping or escaping special characters in SQL statements. You must use these functions when you don’t use stored procedures in dynamically built SQL code. For instance, most WordPress developers use dynamically built SQL statements in their plugins. Poorly formed SQL statements are why WordPress is constantly a target of attack from hackers.

 

If you own a WordPress site

Update your WordPress installation often. New versions patch any current security issues. You should also update any plugins. Plugins are written by seasoned as well as new developers, so be wary of the plugin you install on your site. Even big plugin developers have found security flaws in their software. If the plugin developer does not keep up with the latest WordPress versions, you should probably choose a different plugin for website functionality.

 

You can also use penetration testing tools to help identify security holes such as SQL injection in a website. Most hackers use automated scripts that run through your forms and identify where you are susceptible; decent pentesters, however, will do quite a bit more. These penetration tools perform the same methods. Just make sure the tools include several SQL scripts that identify both simple and complex SQL injection vulnerabilities.

 

SQL injection is a serious security flaw on the web, so always make sure your site is secured. If you think you’re not a target, think again. Hackers just need to run scripts to automate a search on the web to find vulnerable sites. It doesn’t take much to protect from SQL injection, but it can take days or even weeks to recover if you are successfully hacked.

 


Social Engineer Spills Tricks of the Trade

A preview by Dark Reading of the upcoming, closed-door presentation “How to Rob a Bank over the Phone” at Black Hat Europe in London. Actual audio from a commissioned penetration test.

Is your Wi-Fi secure?

At a time when we all have smartphones.  How secure is Wi-Fi?  PeopleSec CEO Joshua Crumbaugh gives advice.  Story by CBS affiliate in Huntsville, Alabama.

Cybersecurity is a booming industry & people are needed to fill positions

Local news coverage of the first annual Rocket Secure event in Huntsville, Alabama.  Describes need for qualified personnel in local industry.

How susceptible is my company to phishing?

Phishing – The “Unchartered” Territory

 

In today’s digital world, the risk presented by phishing is constantly increasing as the quantity and confidentiality of data stored electronically is rapidly increasing. Phishing is a growing threat and continues to be a pronounced problem for both companies and individuals. Despite being one of the oldest internet scams, the susceptibility of employees to phishing attacks within an organization to a great extent is mostly unknown.

 

Phishing is the attempt to pose as a reputable company, entity or person in order to obtain sensitive information such as passwords, user names and other confidential data over the Internet, predominantly for malicious reasons. Most organizations now have policies, security controls and procedures in place to respond quickly to a phishing attack; however, the response to a genuine phishing attack is mostly ineffective, especially if the attack goes unnoticed.

 

Recent reports have shown that the number of phishing sites detected in 2016 was an all-time high. Having briefly covered the term ‘phishing’ and its impact on individuals and organizations, let’s now look at the risks posed by phishing attacks, the susceptibility of companies and the impact on them, and how to measure and alleviate these risks. These key points and insights will give you a better understanding of phishing attacks and how to mitigate the risks.

 

 

Is Your Company’s Security Stance Good Enough to Identify and Ward Off Phishing Attacks?

 

Although most organizations now have stringent security policies and controls for software, infrastructure and network threats, they often do not provide a clear understanding into the susceptibility of its employees to external phishing attacks.

 

 

The following key points will help your company understand and evaluate its security measures with respect to the risks posed by phishing attacks:

  • Perform a controlled phishing attack regularly to assess and understand the impact on your employees and the company
  • Educate your employees about external threats, including possible phishing attacks and how to react to them, through security awareness programs
  • Understand your company’s susceptibility to phishing attacks relative to other organizations in the same market
  • Identify which specific departments within your company are most susceptible to a phishing attack
  • Evaluate the number of employees who would possibly perform an action, like clicking on a link within an email, that would disclose sensitive information or download malicious software
  • Would a phishing attack in your company go unnoticed, or would there be an internal response?

 

 

 

Understanding the Impact of Risks posed by Phishing to your company

 

A well-executed phishing attack can pose great security danger to an organization including the following:

 

  • Trick employees into clicking on malicious links to download software that the attackers can use to access the company’s network bypassing security controls

 

  • Access company’s resources, domain and password credentials including confidential information like financial data, sales information, budgets, corporate sales projections, employee data and more

 

  • Access files and sharing options to extract other corporate assets

 

  • Access and exploit client-side software, which can later be used to access the company’s network without the use of download links or other malicious software

 

A phishing attack not only poses a data security risk but also tarnishes the company’s reputation leading to loss of sales and revenue in the long term.

 

Is My Company Susceptible to Phishing attacks? And How to Measure and Alleviate Risks Posed by Phishing Attacks 

 

 

  • Perform controlled phishing attacks on a regular basis to measure employee susceptibility to phishing attacks
  • Include a good sample of departments and employees to get better results from the controlled attacks
  • Review and record how many employees:
      • Clicked on malicious links leading to phishing attacks
      • Downloaded malicious software and responded to attacks
      • Entered confidential corporate information into phishing sites
  • Educate and train employees based on the recorded results to minimize risks to the company:
      • Let users know that they need to be cautious of anyone asking for personal information; ask them to verify with the concerned people in the company
      • Check the legitimacy of an email and its content
      • Check for any unusual information in the message, like software and system information, which can be an indicator of a phishing attack
  • Was the security team able to review and identify all key areas that needed improvement after the controlled attack? This assessment will improve the efficiency and management of internal responses to phishing attacks and the effectiveness of identifying and responding to future threats and attacks.

 


 

Based on recent reports, the overall susceptibility reduces with each controlled phishing assessment leading to a substantial decrease in susceptibility over a period of time; thereby, improving the company’s internal response system to external threats making it less vulnerable to phishing attacks. Reviewing, understanding and applying these key points and measures can considerably reduce the susceptibility of companies and individuals to possible phishing attacks.

Social Media Hacking

Social Media Safety

 

The Top 5 Social Media Threats:

  1. Hidden URLs – These are quite common, often leading to a site that then asks for login information.
  2. Requests – Someone may send you a warning or a request to take action or follow some link. Do not be fooled by these people; they will often try to manipulate emotions to get victims to react without thinking.
  3. Fake online surveys and contests – “Take this quiz to find out X!” These sorts of posts on social media are effective bait to lure users into unsafe sites, where cyber criminals may install malware or spyware, or gather your information to misuse.
  4. Fake customer service accounts – Scammers on social media often pretend to represent legitimate organizations in order to steal sensitive information.
  5. Live streams – Luring users to scammer-run websites with the promise of being able to view sports games, movies, etc. Once they have lured victims to their sites, they install malware or spyware, or get users to input credit card numbers. After all this they almost never even have the live stream they claimed to.

 

3 Real Life Ethical Hacker Stories About #PasswordFails

 

People are always asking me to tell “hacking” stories, since there are so many of them…I’m going to focus specifically on password related stories.   Here is a top 3 countdown to the craziest password story I have.   

#3 – Bad passwords

Yeah, yeah, yeah, I know everyone has heard this a million times, but let’s discuss it from a hacker’s perspective.   I’ll start by saying most password policies suck and here is why.   

Let’s examine a typical password policy.  

8+ Characters

3 or more of the following

  • Upper Case Letters
  • Lower Case Letters
  • Numbers
  • Special Characters

Password must be changed every 90 days

These types of password policies actually encourage easy-to-guess passwords that tend to be used by multiple users.   This gives me the ability to easily extrapolate your most common passwords based on what I know, and use this to break into your corporate network.   Here is how it works:

 

Employees like to use predictable passwords and bad guys use this to perform password guessing attacks against a large group of users.  This is an extremely common vector that still works against almost all companies.   The basics are this: we enumerate users (generally through LinkedIn and Google), then find a login portal most users are likely to have access to and guess 1 password against all of the users.  Traditional brute force techniques work one user at a time, causing the user to get locked out and tripping alarms. Good hackers avoid alarms. A reverse brute force or password spraying attack tends to evade detection and provide almost guaranteed access to most networks.

 

One time we identified a few passwords we felt most likely to get us access to this network.   (In this case we were performing the attack against Outlook Web App) – This particular time we guessed 1 password (it was something like Summer16) and used it against 800 user accounts. We logged onto about 50 user accounts with this exact same password.    Of those users, we identified 15 with VPN access, and 2 with local admin access.   We were able to use the VPN access to compromise the 2 machines with local admin access, dump the local admin credentials.  This company was reusing local admin passwords across multiple systems.   This gave us the ability to spread to key user systems to gain domain admin rights–control over the domain controller.    Game Over – The entire attack from start to domain admin took less than 3 hours.   

The moral of this story is that weak or guessable passwords are a major cause of data breaches and tend to be an easy way into any network that doesn’t enforce multi-factor authentication.  Password length is significantly more important than complexity.   My advice is to forget about password complexity and just make all of your passwords longer.   Use a phrase and keep it over 15 characters.    

Don’t let the possibility of dictionary attacks [link to definition] overshadow their real world frequency. Those that neglect the human factor get burned by their own tech. Passphrases yield greater assurance without the unintended human consequences.     

One other moral – Never reuse local admin passwords – this is a guaranteed way to turn an isolated incident into a domain breach.   Check out the Microsoft LAPS tool if you need help managing unique local admin passwords.   
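A defender’s view of the attack in this story, as an added example that is not from the original post: the detection logic a security team would run over login-portal logs to spot one source failing against many distinct accounts while each account fails only once, which is precisely why per-account lockouts never fire during a spray. The log format, the addresses, the user names and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines for a web login portal:
# "<timestamp> <source ip> <username> <FAIL|OK>". One source tries a single
# password against many accounts; another source is one user mistyping her own.
SAMPLE_LOG = """\
2016-07-12T09:00:01 203.0.113.7 alice FAIL
2016-07-12T09:00:04 203.0.113.7 bob FAIL
2016-07-12T09:00:07 203.0.113.7 carol FAIL
2016-07-12T09:00:10 203.0.113.7 dave FAIL
2016-07-12T09:00:13 203.0.113.7 erin FAIL
2016-07-12T09:00:16 203.0.113.7 frank OK
2016-07-12T09:00:19 203.0.113.7 grace FAIL
2016-07-12T09:05:00 198.51.100.4 heidi FAIL
2016-07-12T09:05:30 198.51.100.4 heidi FAIL
2016-07-12T09:06:00 198.51.100.4 heidi OK
"""


def parse_log(text):
    """Return a list of (timestamp, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def find_spraying(events, window_minutes=10, min_users=5):
    """Return {source: distinct accounts} for every source whose failed logins
    hit at least min_users distinct accounts inside any window_minutes span.
    Counting distinct accounts per source, not failures per account, is what
    separates a spray from an ordinary forgotten password."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        live = defaultdict(int)  # user -> failures inside the current window
        start = 0
        peak = 0
        for ts, user in fails:
            live[user] += 1
            # Slide the window start forward until it spans at most window_minutes.
            while ts - fails[start][0] > window:
                old_user = fails[start][1]
                live[old_user] -= 1
                if live[old_user] == 0:
                    del live[old_user]
                start += 1
            peak = max(peak, len(live))
        if peak >= min_users:
            alerts[src] = peak
    return alerts


def successes_from(events, alerts):
    """Accounts that an alerting source actually logged into: reset these first."""
    return sorted({user for ts, src, user, result in events
                   if result == "OK" and src in alerts})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_spraying(evs)
    print("spraying sources:", hits)
    print("accounts they got into:", successes_from(evs, hits))
```

The second source (heidi failing twice on her own account) never alerts, no matter how low the threshold, because the rule keys on distinct accounts per source. The one success from an alerting source is the account to reset and the session to kill, since in the story that is where the VPN and local admin access came from.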

 

#2 – Phishing 4 Passwords

Phishing is a guaranteed way to get users to give up passwords and one-time passcodes, infect their computers or hand over countless other forms of sensitive information.   This is every hacker’s go-to move to gain access into your organization’s networks.   Not only do they gain access to your network, but they gain the level of access the users they phished have.   This single attack can bypass most of the organization’s security controls designed to keep hackers out.   

So, here is how I get your users to give me their credentials and a backdoor into their employer’s network in a single attack.   

First, I craft an email telling your users about some technology upgrade that was performed the previous night and tell them that they can access it and check out the new tech if they choose.   I’ll then provide them with a web page that looks very real, like login.microsoftweblogin.com (I actually own microsoftweblogin.com). At this website I’ll clone a legitimate login page and put a keylogger on the page.   Now when the user types their username and password I’ll see what they type as they type it.   Next I add a nice application add-on that prompts the user to run it.   This application might be called something like “Microsoft Web Essentials”.    So the browser asks them something to the effect of:  “Would you like to run Microsoft Web Essentials?”  When the user clicks run I have a backdoor on their system.   From this point it’s only a matter of time until we get complete control of your networks and systems.  

 

#1 – How to get domain admin over the phone

This story is hilarious, but a cautionary tale nonetheless.     During our assessments we test human weaknesses as well as computer weaknesses.    As part of this testing we make phone calls to get information, (such as password policy) or to get users to go to our site and run our custom malware that gives us backdoor access to their machine.   On one such occasion I called up hoping to get a help desk technician to go to my site that hosts my malware.   This is where it gets interesting.  

This is a law firm – So obviously I call in pretending to be a Partner in the firm.   I tell them about how I’m trying to run this analytics software a stock market analyst buddy of mine shared with me and how it won’t run.   (We had already discovered that application whitelisting security software was preventing unknown, unapproved software from running on their endpoints.)  At this point the helpdesk employee interrupts my plea for help and says “It’s okay, just use my account”  –He proceeds to give me his username and password over the phone.   

Facepalm! – His password was Password1

Next, I take those credentials and I log into the VPN that we discovered during our recon where we learn everything we can about the company and what it has on the internet.    Voila – the credentials work.   Now I am on the network and we use the credentials to compromise the machine of the helpdesk employee we were talking to and immediately discover that these credentials were in the “Domain Admins” group and that we just compromised the entire domain “Over the phone!”

This is an extreme example with the obvious lessons: don’t give passwords over the phone; don’t even share them with your everyday peers.

But the less obvious lesson, hackers don’t just exploit human trust. We also exploit fear. I’m confident this person had been bullied many times by VIP’s in that law firm. So, this is yet another example where tech burns those failing to account for human weaknesses. Worse, this non-technical root cause is just the sort of thing executives excel at fixing. The C-suite must ensure that all employees, especially themselves and other VIP’s, know that the C-suite has the backs of all those that enforce cyber policies.

This example also illustrates another lesson. The help desk person violated policy.  Policies atrophy to uselessness if they are not exercised, measured, and reported. The law firm assumed its policies were consistently enforced. Our pen test proved otherwise. Our client learned something useful before something catastrophic happened. BTW, if your organization relies only on traditional pen tests to test your organization’s human readiness, then it’s not cyber ready. I’d love to see a good survey on this. I’d be shocked if more than 10% of enterprises exercise, measure, and report the human readiness underlying more than a few of their cyber policies.

 

PenTesting

Wifi Hackers

There are numerous WiFi hacking tools available on the web today that are capable of helping anyone hack into wireless networks. Some of the most popular wireless hacking tools include Aircrack, CoWPAtty, AirSnort, and Kismet.

 

The most popular WiFi protocols are WEP, WPA, and WPA2 systems. WPA2 systems are typically the most secure system, however most WiFi systems installed over five years ago are likely to run on WPA. WiFi hacking is far easier than it seems, and organizations are advised to either take massive steps to boost WiFi security or rely on more secure wired connections for security purposes.

 

You literally only need a basic laptop to hack a WiFi network

 

The most common types of Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) networks are hacked within a matter of minutes with a simple laptop and free software that can be easily downloaded off the net. These old networks use a smaller key that reduces the strength of data encryption in comparison to a WPA2 network. For example, with Aircrack-ng or AirSnort, a hacker can rapidly recover the encryption keys of a WEP network in minutes.

 

WiFi protocols have become progressively secure

 

WPA was developed to address the problems with WEP, and it initially achieved this by relying on TKIP. It added security features such as a key mixing function and a re-keying mechanism to increase the strength of WiFi networks. However, by 2009 WPA was no longer secure, and WPA2, released in 2004, had made significant inroads in the market.

 

Security flaws in the WPA2 led to the development of WiFi Protected Setup (WPS) in 2006. WPS was created for home users to setup secure networks without being bogged down by technical details. Unfortunately, WPS added security flaws to wireless networks and made it easier for hackers to bypass and access WPA2 networks. WPS is susceptible to brute force attacks as well as the presence of pre-shared keys passes on the vulnerabilities. One of the only remedies is to turn off the WPS, which is not always feasible.

 

Features of Good WiFi Hacking Tools

 

Most good WiFi hacking tools actually share a great deal of similarities. Legit software is able to hack all protocols and is safe to buy from reputable vendors. If you seek to download WiFi hackers, be extremely careful about the type of hackers you are downloading. Avoid the dark web as malicious hackers may include unwanted viruses adversely affecting security.

 

With software such as AirSnort and Wireshark, you can capture live packets and analyze network traffic at the micro level. You may require some degree of technical knowledge to hack a normal home network; you will certainly need good technical knowledge to attack a secure corporate network. Networks that run over Ethernet may opt for software such as Fern to determine their viability and security.

 

This post is meant for educational purposes only, it is illegal to hack equipment you do not own without written authorization.

Owasp

What is OWASP?

The Open Web Application Security Project (OWASP) is an online, open source, and non-profit organization that specializes in creating tools, methodologies, articles, and documentation about web application security. All of this information is freely available and the information is renowned to be practical and unbiased in nature. It also assists firms in developing, maintaining, and buying web applications based on the application’s level of trustworthiness. The OWASP is comprised of a pool of experts in various fields related to web application security across the globe.

 

OWASP seeks to decrease security risks

 

The OWASP primarily seeks to teach developers, businesses, and web designers about the numerous risks as well as vulnerabilities of common web applications. It serves as an interconnected forum where IT experts can develop expertise and reach a consensus on critical issues. Anyone can join the OWASP, and the organization publishes a series of documents on a periodic basis that are seen as vital markers in the field of web application security. The most famous of these documents is the OWASP Top Ten.

 

The OWASP Top Ten

 

The Top 10 is a document that represents a broad or universal consensus on critical security flaws in web applications. The Top 10 consists of errors that are common occurrences and are quite easy to exploit. They can often lead to malicious elements, stealing vital information, or damaging security systems due to minor flaws in a system. The top 10 list will be updated in August 2017 to reflect the latest threats to the security of web applications.

 

Here is the current list of the Top Ten in the order as listed by the OWASP:

 

Injection:

SQL injections and LDAP injections are possible when unvalidated data is received by an interpreter as an aspect of a query. These injection attacks are among the most common on the web.

 

Broken Authentication and Session Management:

This essentially refers to flaws in the security system protecting user authentication tools such as passwords, cookies, and keys. Attacks in this avenue can be used to take over a user’s identity.

 

Cross-Site Scripting (XSS):

XSS flaws spring out when any application relays unverified data to a web browser. This form of attack is carried out via the user’s browser.

 

Insecure Direct Object References:

A direct object reference typically arises when an IT professional exposes a particular reference to some form of internal implementation. Attackers can use these references to target sensitive data.

 

Security Misconfiguration:

With security settings for applications, web servers, platforms, database servers, and other relevant tools misconfigured, the system is weak. Always change defaults and update regularly.

 

Sensitive Data Exposure:

Data such as net-banking details and tax IDs is sensitive in nature and normally requires a greater degree of protection, as most web applications do a poor job of protecting such data.

 

Missing Function Level Access Control:

Web applications must carry out access control checks on individual servers in order to verify requests. Failing to do so can lead to forged requests.

 

Cross-Site Request Forgery (CSRF):

CSRF attacks typically force a user’s web browser to transmit forged HTTP requests to a vulnerable application. During this attack, the vulnerable application is duped into thinking that these requests are legitimate, because the browser attaches the user’s session cookie automatically.
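The standard defence against the forged requests described above, as an added example that is not from the original article or from OWASP: a per-session anti-CSRF token that the legitimate form carries in a hidden field and that the POST handler verifies before acting. The token here is a stateless HMAC of the session id under a server secret, and the session id, the server key, the request dictionary and the handler are all assumptions constructed for the example; real frameworks typically also add expiry or a per-request nonce.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret. A real service loads it from protected
# configuration; it never sits in source code.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id):
    """Derive the anti-CSRF token for one session. Binding it to the session id
    means a token captured from some other session does not verify here."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id, submitted):
    """True only for the token issued to this session; constant-time compare."""
    if not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(issue_token(session_id), submitted)


def render_transfer_form(session_id):
    """The page a logged-in browser loads legitimately. A page on an attacker's
    origin can make the browser send the cookie, but it cannot read this field,
    so it cannot reproduce the token in a forged POST."""
    token = issue_token(session_id)
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input type="text" name="amount">'
            '<input type="submit" value="Send"></form>' % token)


def handle_transfer(request):
    """Simulated POST handler. request is a dict with the authenticated
    'session' id (from the cookie) and the submitted 'form' fields."""
    session_id = request["session"]
    if not verify_token(session_id, request["form"].get("csrf_token")):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, "transfer of %s accepted" % request["form"].get("amount")


if __name__ == "__main__":
    genuine = {"session": "sess-alice",
               "form": {"csrf_token": issue_token("sess-alice"), "amount": "10"}}
    forged = {"session": "sess-alice", "form": {"amount": "10"}}
    print(handle_transfer(genuine))
    print(handle_transfer(forged))
```

The forged request fails even though it arrives with alice’s valid session cookie, and a token minted for a different session fails too, which is the property that makes a token stolen by the attacker from their own account useless against anyone else.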

 

Using Components with Known Vulnerabilities:

Poorly secured components such as frameworks typically function with all possible privileges. Hacking known vulnerabilities is after all how criminals conduct some serious attacks.

 

Unvalidated Redirects and Forwards:

Applications commonly relay webpages to and from users and on some occasions, such forwards then lead to unsafe places. Webmasters should properly validate redirects.

 


Recent Scam Phone Call – Numbers

Below is a list of some of the most recent numbers associated with scam phone calls. If you are wondering whether or not to trust a phone number, do not trust it.

 

Here are a few of the most reported scammer phone numbers recently;

  • (844) 809 – 6672
  • (844) 887 – 8082
  • (888) 489 – 3458
  • (888) 610 – 5078
  • (844) 573 – 4073
  • (855) 760 – 8955
  • (866) 357 – 4326
  • (855) 366 – 2200
  • (855) 225 – 7470
  • (866) 357 – 4326

 

Pretending to be Tech Support;

  • (800) 480 – 5091
  • (844) 573 – 4073
  • (530) 564 – 0926
  • (888) 725 – 1822

 

Also, these guys are pretending to be the IRS;

  • (347) 709 – 6173

 

This type of phishing is known as vishing: a scammer uses a telephone to try to trick you into giving up sensitive information.

 

Suspect a recent phone call was from an illegitimate source?  Leave it in the comments and we would be glad to investigate  🙂