ClubHack Magazine Issue May 2012



We are now in the middle of 2012. As predicted by many techno geeks, this year is phenomenal for IT-related technologies, including security, networking and web technologies. In April a cloud war started between two big rivals, Microsoft and Google, both making sure that their offerings are going to be secure and useful for smartphone users as well. With the introduction of such new technologies we must ensure security over the web. Here HTTPS comes into the picture, and we have brought this topic to CHMag's Mom's Guide. Along with it, topics like Steganography (Tech Gyan), a new toolkit, Kautilya (Tool Gyan), and preventing SQL injection (Code Gyan) are covered.

If you have a good write-up or a topic that you think people should know about, please share it with CHMag. Also, if you have suggestions, feedback or articles, send them in. Keep reading!!


Issue 28 – May 2012
Steganography Over Covert Channels

Steganography and Cryptography

Security and privacy have been a concern for people for centuries. Whether it is private citizens, governments, the military or business, it seems everyone has information that needs to be kept private and out of the hands of unintended third parties. Information wants to be free, but it is often necessary to keep information private. That need has come about because governments hold sensitive information, corporations send confidential financial records, and individuals send personal information to others and conduct financial transactions online. Information can be hidden so it cannot be seen, or it can be made undecipherable. The first is steganography, the second cryptography, and the two are closely related. While cryptography is about protecting the content of a message, steganography is about concealing the very existence of the message itself. They can be combined to provide double protection. Notwithstanding, both steganography and cryptography can stand on their own, independent of the other. Cryptography leaves a message in plain sight but makes it unreadable without the key. Steganography hides the information so outsiders are not aware of its presence; it travels under the nose of the common man.

Definition of Steganography

Steganography is a method of hiding a message. The word comes from the Greek words (στεγανο-ς, γραφ-ειν), steganos and graphein, which mean “covered writing”. (SINGH 5) When using steganography, the goal is not necessarily to make a message unreadable, but to hide the fact that a message even exists. The hidden message is placed within the data boundaries of a digital file such as an email, an mp3 music file, an mp4 movie file, a spreadsheet, an MS Word document, a text file, a pdf file, etc. Any third party could look at or listen to the digital file that the message is hiding in and not be aware that the hidden message is present. When the digital file reaches the intended party, the recipient should have the knowledge necessary to extract the hidden message from the digital file.
Steganography simply works this way:

1. Start with a secret message. Using a previously agreed-upon algorithm, insert the secret message into a cover object, creating the stego object.
2. The stego object is sent to the receiver.
3. The receiver accepts the stego object.
4. The receiver extracts the hidden message using the agreed-upon algorithm.

Present Day Steganography

Steganography preceded cryptography. Before mankind was able to encode messages with cryptography, messages would be hidden by steganographic means: in wax tablets, under a soldier's hair, or with invisible ink. Today, hiding of data with steganography can be performed within the static medium of the new digital technologies: pictures, video and audio files, Word documents, PowerPoint documents, Excel spreadsheets, movie files, etc. Almost any digital file on a hard drive can have information embedded into it without any apparent presence. This is static steganography, and it occurs at the bit/byte level. Taking this a step further, and one not apparent to the layman, data can also be hidden in the medium of the Internet, the layer that the data flows over: in the packets that travel from computer to computer, over twisted pair, Ethernet and optical connections, through firewalls and routers, from network to network, untouched by the fingers of any telegrapher or data technician, in the electrical current that flows over the transmission lines. This is dynamic steganography. This is the covert channel of the Internet.

Steganography can be implemented further in timing channels, where the information is carried by the fourth dimension of time, or in side channels such as the power bursts that our appliances and televisions subsist upon or the magnetic fields that emanate from various household and commercial devices. These are some of the covert channels of physical hardware.

Steganography and the Internet

Dynamic steganography can be accomplished over the Internet using the medium referred to as covert channels. Network steganography is a method of hiding data in normal data transmissions on the modern network of the Internet. These methods of hiding can be used for good or nefarious purposes, legal or illegal activities, unapproved or sanctioned processes. Any interception by a rival of the owner of this hidden data, also known as stego-data, could compromise the sending entity, cause a loss of information and resources and lead to its downfall. There must be a good reason to go to such trouble and effort to hide data using these surreptitious techniques. Today, sending messages electronically is a common mode of conveyance. Email, web documents, video, audio, file transfer protocol and attachments such as legal documents are all used over the Internet to exchange information. With increasingly fast processors, intercepting, detecting and deciphering messages has become easier, which means more secure means of hiding information are necessary to overcome detection. There are many unique and creative methods of securing communications with steganography and its close relative, cryptography.
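The four steps above, carried out on a constructed cover, as an added example that is not part of the original article. It embeds the message in the least significant bit of each cover byte (the static, bit/byte-level steganography just described) and then checks what a byte count and a checksum comparison against the unmodified cover reveal, which is the detection point raised in the Covert Channels section. The cover is a synthetic 64x64 grayscale image built inline, and the message, the 4-byte length header and the function names are this example's own choices, not anything the article specifies.

```python
import hashlib
import random

# Constructed cover object: a synthetic 64x64 8-bit grayscale image, a smooth
# gradient plus a little sensor-like noise so its low bits are not all identical.
# (Sample data made up for this example; any byte string works as a cover.)
_rng = random.Random(7)
COVER = bytes(((x * 3 + y * 2) // 2 + _rng.randrange(8)) & 0xFF
              for y in range(64) for x in range(64))
SECRET = b"meet at the old mill at dawn"   # constructed sample message


def embed(cover, secret):
    """Step 1: insert the secret into the cover, producing the stego object.
    Encoding: a 4-byte big-endian length, then the message, one bit per cover
    byte, written into the least significant bit (LSB) of successive bytes."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for this message")
    out = bytearray(cover)
    for i, byte in enumerate(payload):
        for b in range(8):
            bit = (byte >> (7 - b)) & 1          # most significant bit first
            pos = i * 8 + b
            out[pos] = (out[pos] & 0xFE) | bit   # overwrite only the LSB
    return bytes(out)


def extract(stego):
    """Step 4: the receiver, knowing the algorithm, reads the LSBs back out."""
    def read(start, n):
        vals = bytearray()
        for i in range(n):
            v = 0
            for b in range(8):
                v = (v << 1) | (stego[(start + i) * 8 + b] & 1)
            vals.append(v)
        return bytes(vals)
    length = int.from_bytes(read(0, 4), "big")
    return read(4, length)


def compare(cover, stego):
    """What a casual viewer, a byte-count check and a checksum each see."""
    return {
        "same_size": len(cover) == len(stego),
        "max_byte_delta": max(abs(a - b) for a, b in zip(cover, stego)),
        "same_sha256": hashlib.sha256(cover).digest() == hashlib.sha256(stego).digest(),
    }


if __name__ == "__main__":
    stego = embed(COVER, SECRET)   # steps 1-3: create and hand over the stego object
    print(extract(stego))          # step 4: recover the message
    print(compare(COVER, stego))
```

Run it as a script to see the recovered message and the comparison. The stego object is byte-for-byte the same size and no byte moves by more than one gray level, so a viewer and a size check notice nothing, while the SHA-256 digest differs from that of the cover. A checksum therefore only helps a warden who holds a trusted copy of the original cover, which is why the article treats detection on a live network, where no such reference exists, as a much harder problem.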
Covert Channels

In these modern and technologically sophisticated times, using covert channels has become a means of transmitting information securely. How widespread its use is, is not known. A covert channel is a communication channel that allows two cooperating processes to transfer information in a manner that violates the system's security policy. (BERG) For instance, Internet appliances such as two routers could use these covert channels to pass information between themselves. This information could be instructions to the other appliance to use an alternate path, redo the last transaction, or increase the speed of transmission. There are many methods available to enhance and guide the ongoing and orderly operational exchange of packets.

Lampson introduced the concept of covert channels in 1973. (LAMPSON 613) It is a means of communication that is not part of the original design of the system. (LLAMAS) It could even be said that a covert channel is a security flaw: a part of a program or system that can cause the system to violate its security requirements. It can be an electronic means of sending and hiding messages. (OWENS) Covert channels can be a means of taking any normal electronic communication and adding some secret element that does not cause noticeable interference to the original item, such as a picture, sound file or other digital communication medium. (WAYNER 152)

Covert channels occur in two states: static or dynamic. There is the static hiding of data in electronic files sitting on a hard drive. When hiding data in a timing channel, the difference is that the data is dynamic, moving and always changing its location on the network. It's here, now it's there. If small amounts of insignificant bits or bytes are replaced, the effect on the moving vessel file should be fairly unnoticeable to the casual viewer or listener. (WAYNER 155) If the byte count of the file changes, detection becomes easier; and even when the size is unchanged, comparing a checksum of the file against a known-good copy will raise a flag and possibly give up the embedding. Detecting the hidden data is otherwise next to impossible as it streams over the wires in the midst of the billions of bits that now pass. All Internet traffic would have to be monitored for hidden data, perhaps an insurmountable task.

The worldwide network of the Internet is the perfect medium for steganography to occur. Data can be hidden in web pages and the embedded images that pass over the Internet, a relatively easy task to perform and perhaps just as easy to examine. An even more surreptitious and unique way to hide messages would be in the unused fields of the TCP/IP packet headers. The operation of the Internet runs on the Transmission Control Protocol and Internet Protocol (TCP/IP). The fields in the TCP/IP packet header guide the packets as they hop across the Internet and coordinate their reassembly when they reach their destination. These packets hold all the overt data that travels over the Internet: web pages, ftp data, video and audio, email, images and pictures. They are directed to their destination by the information contained in the header fields at the beginning of each packet. Because packets are small (an Ethernet frame carries at most about 1,500 bytes), it takes many, many separate packets to convey all the information in a web page or any digital file. Unless they specifically monitor with dedicated software or hardware, most users
are not aware of the packets, nor do they ever see them. Inside each packet, after the headers, sits a slice of the application data; these data slices make up over 80 per cent of each TCP/IP packet. Until they reach their destination, the packets are incomplete and fragmented. Sometimes packets get lost and must be retransmitted. A handshake and acknowledgement initiate a session, then a sending and receiving of packets occurs like a dance, each participant performing its next step. When they reach their ultimate destination, the packets are finally reordered and reassembled. The sheer volume of the Internet and the great number of simple network packets guarantee that covert messages can be hidden in the unused header fields of the packets that carry all transmitted information. It is not as granular as a molecular layer. Ross Anderson said: “For covertness reasons, you'd probably want to hide your traffic in traffic that's very common.” (MCCULLAGH) Nothing is more common than the ubiquitous Internet TCP/IP packet.

Uses of Steganography

Steganography, in the form of media watermarking and fingerprinting, has been found useful for legitimate commercial applications. Applications of steganography include not only covert communications; it can also enable tracing of the original source of pirated, stolen and illegal copies of protected books, audio or video files. Watermarking provides the ability to identify these copied files.

In a typical application of image watermarking, some message is imperceptibly embedded into the host file, such as a copyright notice identifying the intellectual property owner or rightful user. (COLLBERG) One example of watermarking is to embed a digital signature in a printed document for verifying authenticity. This signature is made up of information such as the serial number, the model and manufacturer of the printer used, the date of printing, and the author of the document. This information is inserted into the initial characters of each page of a document. This steganographic function, unknown to many, is a common feature of many printers in daily use today. (MIKKILINENI) Music files sold over iTunes are also encoded with watermarks that identify the purchaser and the host computer where the audio files were purchased. This allows them to be used by the rightful purchaser while preventing the illegal transfer of these files to others. Apple's iTunes software examines the sound files on iPods and uses the hidden authorization codes to authenticate and allow legitimate use of purchased music files. Similarly, DVDs issued to members of the Academy of Motion Picture Arts and Sciences are tracked with watermarks to combat piracy through media source identification.

It has also been suggested that sending information requested by users of a mobile banking system can be made safer and more secure through steganography. The indirect sending of information increases the security for users of the mobile banking system. (SHIRALI-SHAHREZA)

The uses and methods to hide data are many and will continue to grow and expand. Only the imagination of men and the many technical methods and rules of science will put limits on how data will be dealt with while traveling under our noses. The need to hide that data will always be present
as the exploits and attacks increase to uncover and decipher information that does or does not belong to the hacker.

This is not to say that steganography cannot be used for good. The user of any tool, a corporation or a terrorist, will determine whether the steganographic purpose is good or evil. Enslaved peoples can also use these tools to get their story out to the free world. Using cryptography and steganography, people who have freedom of information and speech are now able to receive the stories and tales of others who do not, those who should be able to enjoy the inalienable rights that belong to all humans. The recent Arab Spring in Algeria, Tunisia and Egypt has been attributed to the use of the Internet to overcome corrupt political regimes and silence political dictators and despots. Steganography can keep people free.

Terrorism on the Internet

It is an invisible arms race. (GOTH) There are often reports in the news of use of the Internet by terrorist groups operating within the U.S. Many of these encrypted digital messages might be passed by way of covert channels, embedded within other innocent-looking files or in the covert channels that hide next to the overt pathway of the Internet. (MANEY) A covert channel is typically used when the participants know that they are being monitored in the usual mainstream and mundane communications channels of snail mail, financial records, telephone calls and even electronic mail. The huge bandwidth of the world's largest network, the Internet, offers an alternate medium of covert channels, away from snail mail, email and messaging, for transport of hidden data.

The process of using the Internet for terrorist activities has been in the news more and more as Homeland Security “cries wolf” louder and louder. Steganographic and encryption software is so powerful that its usage and export are regulated by law. Its usage can allow criminals, malcontents and terrorists, in addition to lawful actors, to operate and communicate through public channels practically unfettered. Such software and encryption algorithms are categorized as weapons and cannot be exported outside the nation's borders. There are many free and Open Source software packages available to anyone who wishes to hide data. Recent terrorist activity has been tentatively linked to the likely use of steganography, which is seen by the usual governmental agencies as a likely method of sending covert information. (KELLEY) With the wide use and abundance of the many powerful and free Open Source steganographic and cryptographic tools on the Internet, law enforcement authorities should and do have serious concerns about detection of questionable material and information in web page source files, images, audio, video and other media. No doubt there is more effective in-house software developed by corporations and governmental agencies to accomplish undetectable steganography.

Steganalysis and Detection

Steganalysis is described as the process of detection and identification of hidden stego-data. There are many issues to be considered when studying steganographic systems. While steganography deals with the various techniques used for hiding information, the goal of steganalysis is to detect and/or estimate the presence of any potentially hidden information. This has to be done with little or no knowledge about the unknown steganographic algorithm
used to hide the message in the original cover object, if it does exist.

One way to track Internet steganography would be to develop Internet appliances that have the capability to detect embedded documents in the cover data of the packet payload and anomalies in any other packet header field. Packet analysis is also performed using packet sniffer programs such as tcpdump, OmniPeek and Wireshark, which capture raw network data over the wire. (SANDERS)

Specialized hardware devices are, in fact, available, but they are not openly marketed to the general public and are only available to approved users such as law enforcement and Homeland Security agencies. These devices go beyond the capability and functionality of normal routers, firewalls and intrusion detection systems. They are only available to law enforcement agencies and operate under the radar, adding to the cybersecurity defenses already available. In the steganography literature the party that monitors a channel in this way is called a warden, and there are three types of warden:

1. A passive warden can only spy on the channel but cannot alter any messages;
2. An active warden is able to slightly modify the messages, but without altering their semantic content;
3. A malicious warden may alter the messages with impunity. (CRAVERS)

CALEA

In October 1994, Congress took action to protect public safety and ensure national security by enacting the Communications Assistance for Law Enforcement Act of 1994, or CALEA. The objective of the implementation of CALEA was to assure law enforcement's ability to conduct lawfully authorized electronic surveillance while preserving public safety and the public's right to privacy. Technology can provide the necessary tools that law enforcement agencies must have to detect questionable activities. Agencies such as the FBI, the NSA and the CIA must be able to detect questionable activities by both domestic and international malcontents. There no longer exist rooms where real individuals listen to calls manually, as there were during the early years of wiretapping telephone calls for J. Edgar Hoover. There do exist specialized computers in server rooms that do the automated interception, monitoring and collection of data. There is occasional eavesdropping and wiretapping of lawful citizens, participants in the political process, and others who may be in violation of the law. The mandate of Federal homeland security law and specific court orders authorize wiretapping of phone calls or monitoring of Internet traffic. Such activities require, and authorize, specialized equipment to be placed on the main network pipeline of broadband Internet access providers (ISPs) and voice over Internet protocol (VoIP) providers to carry out that legal privacy override of examining electronic transmissions of all types. Internet service providers and telecommunications carriers must assist law enforcement in executing electronic surveillance pursuant to court order or other lawful authorization.
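An added example, not from the article and not the patented software it goes on to mention, of the TCP Initial Sequence Number channel discussed in the next section, run past the passive and active wardens just listed. It simulates TCP segments as plain Python objects instead of sending raw packets; the Segment class, the two warden classes, the four-bytes-per-connection encoding and the sample secret are all this example's own constructions.

```python
import random
from dataclasses import dataclass


@dataclass
class Segment:
    """The handful of TCP/IP header fields this simulation needs (no raw sockets)."""
    src: str
    sport: int
    seq: int
    syn: bool = False
    payload: bytes = b""


# Made-up exfiltration data: the kind of sniffed credential the article mentions.
SAMPLE_SECRET = b"sniffed login: alice / hunter2 (constructed sample)"


def encode_isns(msg):
    """Sender side: every 4 message bytes become the 32-bit ISN of one new connection."""
    msg += b"\x00" * (-len(msg) % 4)
    return [int.from_bytes(msg[i:i + 4], "big") for i in range(0, len(msg), 4)]


def decode_isns(isns):
    """Covert receiver side: glue the observed ISNs back together."""
    return b"".join(n.to_bytes(4, "big") for n in isns).rstrip(b"\x00")


def covert_connections(msg, src="10.0.0.5"):
    """One short, innocuous-looking connection per chunk: a SYN carrying the chosen ISN,
    then an ordinary data segment whose sequence number follows from that ISN."""
    conns = []
    for i, isn in enumerate(encode_isns(msg)):
        sport = 40000 + i
        conns.append([Segment(src, sport, isn, syn=True),
                      Segment(src, sport, (isn + 1) & 0xFFFFFFFF,
                              payload=b"GET / HTTP/1.0\r\n\r\n")])
    return conns


class PassiveWarden:
    """Spies on the channel but changes nothing. Real stacks draw ISNs from the whole
    32-bit range, so about half of all ISN bytes have the top bit set; ASCII text never
    does. The fraction of ISN bytes below 0x80 is therefore a cheap suspicion score."""
    def __init__(self):
        self.isns = []

    def observe(self, seg):
        if seg.syn:
            self.isns.append(seg.seq)

    def suspicion(self):
        raw = b"".join(n.to_bytes(4, "big") for n in self.isns)
        return sum(1 for b in raw if b < 0x80) / len(raw)


class ActiveWarden:
    """Modifies messages without changing their meaning: re-randomizes each connection's
    ISN and shifts every later sequence number of that flow by the same offset, the way
    a sequence-number-scrubbing firewall does. (Client direction only; a real scrubber
    also un-shifts the peer's ACK numbers.)"""
    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.offsets = {}

    def rewrite(self, seg):
        flow = (seg.src, seg.sport)
        if seg.syn:
            self.offsets[flow] = (self.rng.getrandbits(32) - seg.seq) & 0xFFFFFFFF
        new_seq = (seg.seq + self.offsets[flow]) & 0xFFFFFFFF
        return Segment(seg.src, seg.sport, new_seq, seg.syn, seg.payload)


def run_channel(msg, active_warden=False):
    """Returns (what the covert receiver decodes, passive warden score, overt payloads)."""
    passive, active = PassiveWarden(), ActiveWarden()
    received_isns, delivered = [], []
    for conn in covert_connections(msg):
        expected = None
        for seg in conn:
            if active_warden:
                seg = active.rewrite(seg)
            passive.observe(seg)
            if seg.syn:
                received_isns.append(seg.seq)          # covert receiver reads the ISN
                expected = (seg.seq + 1) & 0xFFFFFFFF
            elif seg.seq == expected:
                delivered.append(seg.payload)          # overt data still arrives in order
    return decode_isns(received_isns), passive.suspicion(), delivered


if __name__ == "__main__":
    print(run_channel(SAMPLE_SECRET))
    print(run_channel(SAMPLE_SECRET, active_warden=True))
```

The passive warden's score is a toy statistic: ISNs chosen as RFC 6528 recommends are spread across all 32 bits, so roughly half of their bytes exceed 0x7F, while ASCII never does, and a run of SYNs whose ISN bytes all stay below 0x80 stands out. The active warden does what sequence-number-randomizing firewalls already do to TCP flows: the overt HTTP request still arrives in order, but every covert 32-bit chunk is replaced by a random value. That is exactly the caveat the next section raises, that there is no guarantee the hidden data survives unaltered from sender to receiver.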
Hiding Data in the Unused Header Fields of the TCP/IP Packets

One possible steganographic method is to use the network and transport layers of the TCP/IP protocol suite. These layers are normally invisible not only to the common Internet user but also to the average system or network administrator. One approach to data hiding is to utilize unused fields in the TCP/IP packet header to transmit a stego-message. Accomplishing this would require specialized modification of certain Internet appliances, such as routers, filters and firewalls, within the existing network hardware and infrastructure. The treatment of these fields by Cisco and Nortel routers is unknown. There are no guarantees that this data would remain unaltered along its path from its initial transmission to its receipt at its intended destination; a middlebox that normalizes or rewrites the field, like the active warden described above, would silently destroy the hidden message. This would have to be affirmed and tested for maintenance of the data in its unaltered and undisturbed state as it moves over any network. Protocols and operational safeguards would have to be established to guarantee the availability of data hiding in the TCP/IP protocol suite. (AHSAN) Someone thought this capability was useful, because they patented the process (U.S. Patent No. 7,415,018 B2, Aug. 19, 2008). The process of steganography over TCP/IP is patentable under current patent law guidelines. Useful or not, this capability can be dangerous in the wrong hands.

One example of hiding data in a covert channel uses software for crafting steganographic data to be placed in header fields of the Internet transport packet whose values the sender is free to choose, such as the TCP Initial Sequence Number (ISN), or in genuinely unused fields. The new ISNs will carry the secret message, which could be, for example, a password sniffed by malicious software running on a compromised machine.

A covert channel can be very hard to detect. That's the idea. The packets used for carrying the message can appear innocuous and beyond suspicion. The idea of a covert channel seems very simple and unique, but it must be carefully implemented so as to not disturb normal user operations. Just as covert channels can be implemented using superior computing power, so can detection be implemented to intercept and prevent such surreptitious activity. Stealth technology is one of the methods used by attackers to hide their malicious actions after a successful break-in. Taking surreptitious control of a computer or system, installation of backdoors, planting of a rootkit and alteration of the system's operating system are examples of chained exploits that work together. (WHITAKER) Rootkits can modify the operating system to insert a kernel module that can perform further exploits such as steganography or a coordinated distributed denial-of-service attack (DDoS). (TROST) There are different approaches to detection, and they can be supported using Open Source software on the receiving server. (RUTKOWSKA) This involves detecting this kind of activity while continuing to identify and develop new offensive techniques to combat new steganographic techniques.

Comprehensive National Cybersecurity Initiative

Further government action has been mandated recently. In May 2009, President Obama accepted the recommendations of the Cyberspace Policy Review. The Comprehensive National Cybersecurity
Initiative (CNCI), launched by President George W. Bush in January 2008, detailed those recommendations. President Obama determined that the CNCI and its associated activities should evolve to become key elements of a broader, updated national U.S. cybersecurity strategy. These CNCI initiatives will play a key role in supporting the achievement of many of the key recommendations of President Obama's Cyberspace Policy Review. The CNCI initiatives are designed to help secure the United States in cyberspace.

The existing EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity, using signature-based intrusion detection (IDS) technology. A planned EINSTEIN 3 initiative will expand these capabilities to foster safety and security on the wires, heading off covert activities that may intrude on the nation's communication channels. The goal of EINSTEIN 3 is to identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response. (NAKASHIMA) The government created the Internet as part of a DARPA project over forty years ago. Its usage was expanded for commercial use and to include the general public in the 90s. The appropriate agencies need to guarantee a mature Internet with the ability to deter and turn away malicious attacks, exploits or intrusions. EINSTEIN 3 is part of this effort.

Network Appliances and Steganalysis Detection

Network appliances such as routers and firewalls play a large role in handling and parsing network traffic. Directing data between portions of a network is the primary purpose of a router. Therefore, the security of routers and their configuration settings is vital to network operation. In addition to directing and forwarding packets, a router may be responsible for filtering traffic, allowing some data packets to pass and rejecting malformed or suspect packets. This filtering function is a very important responsibility for routers; it allows them to protect computers and other network components from illegitimate or hostile traffic.

Intelligent Support Systems for Lawful Interception, Criminal Investigation, and Intelligence Gathering (ISS) holds wiretapping conferences and seminars for the law enforcement community, military, governmental agencies and homeland security agencies. One featured company, Packet Forensics, was marketing Internet spying boxes to the feds at a recent ISS conference. (SINGL) The web site of Packet Forensics lists the products available from the company, though some pages are restricted to authorized law enforcement and intelligence organizations only. These protected pages presumably describe defense and intelligence applications and hardware platforms too sensitive to release to the public. Generally, these Internet appliances automate the processes that allow observation and collection of data on Internet traffic and/or phone calls when given the legal authority to do so by either court order or legal statute. They can forward captured packets for storage and later analysis by a system designed for extreme DPI. These Internet appliances perform lawful interception, investigative analysis and intelligence gathering, stealthily, while protecting the privacy rights and civil
liberties of the law-abiding users of the Internet. (SINGL) These appliances can handle a large number of surveillance requests while heading off possible terrorist exploits before they occur. They can record and collect the evidence needed to convict the guilty. These devices perform deep packet inspection, searching for thousands of different strings deep inside each packet. These products are highly recommended to officials so digital communication traffic can be scanned and examined. SSL encryption is built into web browser software and protects our web traffic. Such traffic cannot normally be decrypted and read by any packet-sniffing tool; SSL is designed to protect users' data from ordinary eavesdropping. Such SSL encryption is nevertheless not safe from the products of Packet Forensics and other powerful tools. Note that, according to the report cited here (SINGL), these boxes do not break the SSL ciphers themselves: the appliance is placed in the middle of the connection and presents the browser with a certificate issued by a cooperating certificate authority, which the browser accepts as genuine, so the appliance can decrypt the traffic on one side and re-encrypt it on the other. These devices provide for regulatory compliance such as required by CALEA, comply with lawful intercept requirements and meet the essential needs of law enforcement. Such devices can be part of a packet processing and network compliance platform. These particular appliances can be linked together in closed networks called darknets to collect and share real-time network intelligence. Packet Forensics products are subject to the export control laws administered by the United States and may not be exported outside the US without prior Federal government approval. Two of the products listed on the Packet Forensics web site are the LI-5B and the PF.LI-2.

Deep Packet Inspection

Of the billions of messages that roam the Internet, there must exist some that are malicious, containing worms or viruses, malware or spyware, which organized criminals and terrorists utilize to commit cybercrimes. Here, deep packet inspection (DPI) comes to the rescue, since it allows monitoring and filtering of packets wherever they happen to pass. DPI can also meet other objectives in security and legal compliance. This technology enables instant, ubiquitous monitoring of everything that travels the Internet.

DPI is the next surveillance application that enters society unnoticed and is available for use by authorities to combat crime, even before it happens. Security and traffic cameras, miniature cameras, directional microphones, automated face and number-plate recognition, data mining and profiling add to all the technologies used by Big Brother to watch over its citizenry. Ours is a database society with a great increase in data generation, processing and storage
needs. DPI captures data for later examination and diverts it for messaging and analysis. This capability adds to the tools in the government surveillance toolkit, which uses it as a beneficial observer.

Once broadband providers and other companies embrace DPI, they can monitor and select passing traffic far more selectively than by merely scanning header information. This capacity can prove of great benefit to law enforcement agencies and intelligence services, which can use their existing investigation powers to enlist the assistance of broadband providers. Particularly relevant is that DPI allows for real-time monitoring, and hence facilitates a preventative approach as opposed to the retroactive approach that law enforcement traditionally used.

DPI adds to the trend that broader groups of unsuspected citizens are under surveillance: rather than investigating relatively few individuals on the basis of reasonable indications that they have committed a crime, more people, including groups, are nowadays being watched for slight indications of being involved in potential crimes. This is profiling of the masses. The movie Minority Report illustrated the use of data to predict the likelihood of a crime occurring in the near future to justify the pre-emptive arrest of innocent parties. The explosion of data generation, inspection and storage enables the government to collect and use significantly more data about citizens. This increase is not only quantitative but also qualitative.

More checks and balances are required to safeguard citizen rights and privacy. The increased government powers need to be balanced by additional checks and safeguards. Citizens must know which data are being collected and processed, and why. This does not mean that the government can go on a fishing trip and examine all traffic; only specific individuals or corporations can have their traffic examined. The courts have deemed profiling illegal numerous times. Independent authorities should regularly review and check whether the government uses its powers correctly and legitimately.

Data protection is a key element. The legal framework for data protection has become outdated. The assumption that data processing should be prevented as much as possible is no longer valid in the current networked database society. Large-scale data collection and correlation is inevitable nowadays, and the emergence of DPI serves to emphasise this. Instead of focusing data protection on prevention at the data collection stage, it should rather be focused on better utilization of the data. Data protection is valuable not so much to enhance privacy as to ensure transparency of government and non-discrimination.

While data protection can serve to regulate the use of data, it remains to be discussed whether DPI should be allowed for government use in the first place. Here other elements of privacy come to the fore: protection of the home, family relations and personal communications. These elements are likely to be infringed by DPI. Since privacy is a core, though not specifically stated, constitutional value that safeguards citizens' liberty and autonomy in a democratic constitutional state, DPI should be critically assessed. The common man is king of his castle and its borders should not be violated. DPI could be accepted as a necessary addition to the investigative tools already used by law enforcement, if used properly. The power of DPI
to run roughshod over the rights of the suspected requires a fundamental rethinking of what legal protection is afforded here. Society needs substantial new checks and balances to counter-balance the increase in government power over its citizens. (JAAP-KOOPS)

The company Phorm uses DPI to peek into the web surfing habits of end users in order to serve targeted advertising. (PHORM) It is suspected that the National Security Agency has inserted sophisticated DPI equipment into the network backbone of the Internet so that it can sweep up huge volumes of domestic emails and Internet searches. While privacy activists and computer geeks are up in arms, the vast majority of Internet users either don't seem to care or don't fully understand what is happening.

Without encryption, e-commerce wouldn't be possible. The cryptographic technology of SSL is built into every web browser. The security of Amazon, eBay, PayPal and every online bank depends upon the consumer being able to make purchases and conduct transactions over the Internet confidently and securely.

Most web surfers do not realize how much of their information flows nakedly over the network, nor how easy it is for others to snoop on their web surfing. The predecessor of the Internet, the Arpanet, was once a happy, safe place in the 60s and 70s, when the first packets were sent between government contractors and research institutions. Those early hundreds of participants knew each other well and trusted each other. That is no longer the case. It is the wild west, unbridled and without a sheriff to keep us safe. There are evil forces out there, be they hackers, spies, under-age script kiddies or unscrupulous broadband providers. The good guys must deploy cryptographic technologies to protect the general public.

DPI can also be perceived as a bad thing and a possible threat to the privacy of individuals. It is clear that DPI is a potentially dangerous tool. (WILSON) The solution to the problem of Internet privacy is not just legislation making snooping illegal, but the industry-wide adoption of cryptography. Nothing will protect our privacy or security from deep packet inspection better than encryption. (SOGHOIAN)

Broadband providers increasingly use deep packet inspection technologies (DPI) that examine consumers' online activities and communications in order to tailor advertisements to their unique tastes. Users of Google's free Gmail service find that the advertisements at the right side reflect the contents of their email. Friends find the same is true with Facebook. It's no wonder that privacy concerns remain despite the assurances that this data is not collected and sold. Nothing prevents providers from simply altering their policies. DPI operates invisibly. Broadband providers can collect our online communications and sell them and their contents, including medical data and private correspondence, to employers, insurance companies, credit bureaus and landlords. They could become powerful data brokers of our online communications.

Another concern is the government's ability to subpoena the digital surveillance of a person's online life from broadband providers. Consumers deserve to be heard before the disclosure of such information to governmental agencies or commercial entities. The courts have held that DPI can violate an individual's important property or
liberty interests. It's a taking of privacy, as if their house were being searched. Consumers may choose to curtail their online communications rather than give up their personal data. This would chill the development of our ideas and free speech.

Broadband providers hide notice of their deep packet inspection practices in the densely worded legalese of the privacy policy boilerplate. Even if some providers switch to an opt-in approach or reject DPI entirely, consumers still cannot totally control the use of DPI technologies by those with whom they communicate. Governments should ban the use of DPI for commercial benefit and create a "Do Not Track" list to protect consumers. Broadband providers should be required to disclose their data collection practices. DPI can be used for constructive purposes such as combating spam without compromising consumer rights and privacy. (CITRON)

Data is always in one of two states: at rest or in motion. Data is at rest on the hard drive of a single computer. Data is safe when the host computer and its network connections are secure from intruders, and can be secured further by encrypting it. Data in motion is traveling over a network. This traveling data makes many hops and travels through numerous subnets, network appliances, routers and IDS in its passage, which gives numerous opportunities for interception or capture of the TCP/IP packets at weak security points. The process of packet capture turns data in motion into data at rest by grabbing data that is moving across a network link and storing it for parsing and examination. It can be compared to the cameras used on toll roads to verify that the vehicle is the one assigned to the transponder in that car, by capturing the license plate as the vehicle passes through the toll booth. There is software, legitimate and illegal, open source, shareware and freeware, for free and for sale, available for packet capture. Open source examples include Wireshark (formerly Ethereal) for capture and analysis; Nmap and Metasploit are often named alongside it, but they craft and send packets rather than capture them.

Packet Crafting

Packet crafting describes the art of creating and generating packets, which can contain stego-data. Packet crafting can be done using the same software for both legitimate purposes and illegal or unauthorized ones. Network administrators create and use such tools to test network devices such as routers, firewalls and intrusion detection devices, and to audit network protocols and correct weak implementations of network configurations. Thus one must create packets and insert and alter data in specific fields. The packets must be sent onto the network at one location. Then the packets must be intercepted and decoded, and the content must be analyzed and interpreted. Whether or not these packets were rejected or allowed to flow through the network is noted. Vulnerabilities to exploits must be found and eliminated to protect data and information residing on servers and personal computers.

Conclusion

There exists a hidden level of communications where data can be sent and received under the noses of the common man. These covert channels exist unknown to the layman and can be used to protect electronic communications. This Internet exploit exists to be used for good or bad. Until this channel is blocked it will exist to
be used by anyone willing to utilize this

Bibliography

Ahsan, Kamran. Covert Channel Analysis and Data Hiding in TCP/IP. MS thesis. University of Toronto, 2002. 15 Mar. 2009. [URL truncated] http://gray-
[entry truncated] Wesley Professional, 2005.
Berg, S. Glossary of Computer Security Terms. USA: National Computer Security Center, 1998.
Citron, Danielle Keats. "The Privacy Implications of Deep Packet Inspection." [URL truncated] privacy-implications-of-deep-packet-inspection/.
Collberg, C. S., Thomborson, C., and Townsend, G. M. "Dynamic graph-based software fingerprinting." ACM Trans. Program. Lang. Syst. 29, 6 (Oct. 2007), 35.
Craver, J. S. "On Public-Key Steganography in the Presence of an Active Warden." Proc. 2nd Int'l Wksp. Information Hiding, Apr. 1998, pp. 355–68.
[surname missing], G. "Steganalysis Gets past the Hype." IEEE Distributed Systems Online 6.4 (2005): 2. Web.
Jaap-Koops, Bert. "Deep Packet Inspection and the Transparency of Citizens." Web. 05 Mar. 2012. [URL truncated] citizens.
Kelley, Jack. "Militants wire Web with links to jihad." USA TODAY.
Lampson, Butler W. "A Note on the Confinement Problem." Xerox Palo Alto Research Center. [URL truncated] =GUIDE&id=362389.
Llamas, D., et al. An Evaluation Framework for the Analysis of Covert Channels in the TCP/IP protocol suite. University of St. Andrews, Scotland, UK.
Maney, Kevin. "Bin Laden's Messages Could Be Hiding In Plain Sight." USA Today, December 19, 2001. [URL truncated] 01/12/19/maney.htm.
McCullagh, Declan. "Secret Messages Come in .Wavs." Wired News, 20 Feb. 2001. Web. 11 Feb. 2012. [URL truncated] s/2001/02/41861.
Mikkilineni, Aravind K.; Chiang, Pei-Ju; Chiu, George T.-C.; Allebach, Jan P.; Delp, Edward J. "Data Hiding Capacity and Embedding Techniques for Printed Text Documents."
Nakashima, Ellen. "White House declassifies outline of cybersecurity program." Washington Post, March 3, 2010.
Owens, Mark. A Discussion of Covert Channels and Steganography. InfoSec Reading Room, SANS Institute, 19 Mar. 2002. [URL truncated] s/covert/a_discussion_of_covert_channels_and_steganography_678.
"The Phorm Files." The Register, 29 Feb. 2008. Web. 05 Mar. 2012. [URL truncated] orm_roundup/.
Rutkowska, Joanna. "The Implementation of Passive Covert Channels in the Linux Kernel."
Sanders, Chris. Practical Packet Analysis: Using Wireshark to Solve Real-world Network Problems. San Francisco: No Starch, 2008. Print.
Shirali-Shahreza, Mohammad. "Improving Mobile Banking Security Using Steganography." International Conference on Information Technology (ITNG07), 2007. Print.
Singel, Ryan. "Law Enforcement Appliance Subverts SSL." March 24, 2010.
Singh, Simon. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. New York: Anchor Books, 1999.
Soghoian, Christopher. "Deep Packet Inspection – Bring It On." [URL truncated] packet-inspection-%E2%80%93-bring-it-on/.
Trost, Ryan. Practical Intrusion Analysis: Prevention and Detection for the Twenty-first Century. Upper Saddle River, NJ: Addison-Wesley, 2010. Print.
Wayner, Peter. Disappearing Cryptography: Information Hiding: Steganography & Watermarking. 2nd edition. Burlington, MA: Morgan Kaufmann, 2008. Print.
Whitaker, Andrew, Keatron Evans, and Jack B. Voth. Chained Exploits: Advanced Hacking Attacks from Start to Finish. Upper Saddle River, NJ: Addison-Wesley, 2009. Print.
Wilson, Carol. "DPI: The Good, the Bad, the Stuff No One Talks about." Penton Media, Inc., 2008. Web. 2011.

Hal Wigoda
hal.wigoda@gmail.com

Hal Wigoda is an IT professional with over 40 years of experience. Hal currently specializes in security of open systems and mobile devices.
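The craft, send, capture and decode loop in the Packet Crafting section above can be tried end to end without touching a network. The Python below is an added example written for this page, not code from the article or from any tool it names: it builds raw IPv4/TCP headers by hand, hides a short text message two bytes at a time in the 16-bit IP Identification field (one of the "specific fields" the article mentions), and then parses the resulting bytes the way a capture tool would, verifying the header checksum before recovering the message. The addresses and the message are constructed for the example; nothing is put on the wire.

```python
"""Covert channel in the IPv4 Identification field: craft, then capture and decode.

Added example, not the article's code. Standard library only; nothing is sent
on the wire. Addresses are constructed from the documentation ranges.
"""
import struct

SRC_IP = "192.0.2.10"      # constructed sender (TEST-NET-1)
DST_IP = "198.51.100.7"    # constructed receiver (TEST-NET-2)
IP_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_packet(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Craft one IPv4+TCP SYN whose Identification field carries `ident`."""
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags=SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    hdr = struct.pack(IP_FMT, 0x45, 0, total_len, ident, 0, 64, 6, 0,
                      ip_bytes(SRC_IP), ip_bytes(DST_IP))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill in checksum
    return hdr + tcp + payload


def embed(message: str) -> list:
    """Sender side: two message bytes per packet, hidden in the IP ID field."""
    data = message.encode()
    if len(data) % 2:
        data += b"\x00"                      # pad to a whole number of IDs
    return [build_packet(struct.unpack("!H", data[i:i + 2])[0], seq=i // 2)
            for i in range(0, len(data), 2)]


def parse_ip(packet: bytes) -> dict:
    """Capture side: decode the IPv4 header and reject a corrupted one."""
    if checksum(packet[:20]) != 0:           # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    f = struct.unpack(IP_FMT, packet[:20])
    return {"ident": f[3], "ttl": f[5], "proto": f[6],
            "src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9]))}


def extract(packets) -> str:
    """Reassemble the hidden message from the captured packets' ID fields."""
    ids = [parse_ip(p)["ident"] for p in packets]
    return b"".join(struct.pack("!H", i) for i in ids).rstrip(b"\x00").decode()


if __name__ == "__main__":
    captured = embed("meet at 9")
    print(len(captured), "packets;", extract(captured))
```

The same parser is the starting point for the defensive side: a stack that sets the ID field sequentially or randomly produces a very different distribution of values from one that is carrying text, which is what a covert-channel detector would look at.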
Kautilya

Introduction

One-liner about Kautilya: Kautilya is a toolkit which makes it easy to use a USB Human Interface Device (like the Teensy++) in breaking into a system. Now let's understand what that means.

First let's understand the Teensy++ (I will use Teensy for Teensy++ from now on). It is a USB HID which can be used as a programmable keyboard, mouse, joystick and serial monitor. What could go wrong? Imagine a programmable keyboard which, when connected to a system, types out commands pre-programmed in it. It types faster than you and makes no mistakes. It can type commands and scripts and can use an operating system against itself, that too in a few seconds. If you can program the device properly, keeping in mind most of the possibilities and quirks, it could be a really nice pwnage device.

During a penetration test, you generally do not have enough time to learn how to program a device. Although programming Teensy is really easy (that is why I am able to do it ;)), it would be wonderful if someone programmed a tool which gives a ready-to-use payload for Teensy. This is exactly what Kautilya is designed for. You just need to select a few options and a sketch is generated which can then be compiled and uploaded to the device. Kautilya is written in Ruby and is named after Chanakya.

As of this writing it contains twenty payloads for Windows 7 and three for Linux (tested on Ubuntu 11).
Screenshot 1: Kautilya version 0.2.2

Using Kautilya in a Pen test

Here is the step by step process (assuming you have a Teensy with you):

1) Download Kautilya.
2) Select your payload, select options, and an output payload will be generated.
3) Compile and upload this payload to Teensy using Arduino + Teensyduino. (A step by step guide on installation and configuration of Arduino can be found on my blog.)
4) Connect the device to the victim, either directly if you have physical access or by using social engineering.
5) Enjoy the pwnage :)

Screenshot 2: Generating a payload using Kautilya

Screenshot 3: Compile and load the payload to Teensy

Let's have a look at some of the payloads which could be helpful in a Pen Test.

Force Browse

This payload opens up a hidden instance of Internet Explorer and browses to the user-provided URL. An ideal use case could be hosting an exploit of msf or a hook of BeEF on the given URL. The payload is able to execute with normal user privileges and is very silent.
Assuming you are able to connect the device by some means to the victim, below is what the victim will see on his desktop. Note the small command window which writes dark blue on a black background.

Screenshot 4: Victim desktop

After a few seconds, look at your msfconsole.

Screenshot 5: A meterpreter session

Connect to a hotspot and execute code

This payload connects to a hotspot controlled by you (assuming you are the attacker), downloads a meterpreter exe in text format, converts it back to an executable and executes it. The testing of this payload was done using an HTC Android phone and the kWS web server on the phone. You need to manually convert the executable to text format using the PowerShell script exetotext.ps1 in the extras directory of Kautilya. This script is based on a post by Matt at his blog Exploit Monday.

Screenshot 6: Using the "connect to hotspot and execute code" payload

This payload is ideal for a scenario where there is a restricted or no internet connection on the victim and you are reasonably near to the victim. A drawback of this payload is that the victim will get disconnected from other existing WiFi networks. The output of this payload will be the same as above under default behavior. You can easily modify this payload as per your needs and it could be used for much more.
Is this a real threat?

This is a question I am asked many times during my talks about Kautilya: is this a real threat? Yes. If you have been doing pen testing even for a few months, you will feel the need for something which can be used without actually exploiting anything. You would love using the features and built-in tools to pwn a system, as this raises fewer or no flags. How to use this in a pen test is up to your wisdom: use it actively by connecting it to an unattended system during internal pen tests, or hide the device inside a mouse or pen drive etc. for social engineering attacks.

As long as those defending the systems and those breaking the systems do not realize the risk, pwning a system using HID will be very easy. I have never seen any environment where HIDs are blocked during the large number of penetration tests which I have carried out for clients of my firm PricewaterhouseCoopers. No countermeasure or antivirus flags it as a threat. Some company marketed that they can do it, but it turned out to be false. USB HID threats are here to stay.

Nikhil Mittal

Nikhil Mittal is a hacker, info sec researcher and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post exploitation research.

He specializes in assessing security risks at secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using HID in penetration tests and PowerShell for post exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests. He has spoken/trained at Clubhack'10, Hackfest'11, Clubhack'11, Black Hat Abu Dhabi'11, Troopers'12, PHDays'12, Shakacon'12, GrrCon'12 and Black Hat Europe'12.
HTTPS (Hyper Text Transfer Protocol Secure)

Introduction

Hypertext Transfer Protocol (HTTP) is a protocol where communication happens in clear text. To ensure authenticity, confidentiality and integrity of messages, Netscape designed the HTTPS protocol. Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) with the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) protocol. It provides encrypted communication and secure identification of a network web server.

HTTPS encrypts and decrypts the page requests and page information between the client browser and the web server using the Secure Sockets Layer (SSL). HTTPS by default uses port 443 as opposed to the standard HTTP port of 80. URLs beginning with https indicate that the connection between the client (browser) and the server is encrypted using SSL.

SSL runs on top of TCP in the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, which makes the protocol independent of the application layer protocol functioning on top of it. SSL is an open standard protocol and is supported by a range of both servers and clients.

SSL works in three phases:

- Authentication: checks that the server is who it claims to be.
- Encryption: the key exchange creates a secure tunnel and does not allow an unauthorized person to make sense of the data.
- Integrity: checks that an unauthorized system cannot modify the encrypted data without detection.

The SSL handshake uses both asymmetric and symmetric encryption. Asymmetric encryption is used to share the session key, and a symmetric key algorithm is used for data encryption. Asymmetric encryption has a lot of overhead, so it is not feasible to use it for the entire session.

The client first requests an HTTPS session from the server; the server sends back its certificate, which has its public key embedded in it. Only the server has access to the matching private key, no one else. The client then authenticates the certificate against its list of known root CAs (if the CA is unknown or the certificate is self-signed, the browser gives the user the option to accept the certificate at the user's own risk). The client then creates a session key which only it knows, encrypts it with the public key received from the server and sends it across the Internet to the server. The server decrypts that session key with its private key. Now the server and the client both know the session key.

Once the SSL handshake is completed and the session key has been exchanged with asymmetric encryption, the rest of the session is encrypted with the symmetric session key. We use symmetric encryption because it is quicker and uses fewer resources. Symmetric encryption is used to encrypt the session data.

Two caveats worth knowing: the exchange above is RSA key transport, in which anyone who later obtains the server's private key can decrypt recorded sessions, so current TLS deployments prefer ephemeral Diffie-Hellman key agreement, which gives forward secrecy; and the root-CA check is only as strong as the list of CAs the client trusts, since any CA on that list can issue a certificate for any site.

Rohit Parab
rohit.parab9@gmail.com

He has a Bachelor of Computer Science. He is a freelance software developer and independent security researcher (Mumbai area).
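The exchange just described (certificate carrying the server's public key, session key encrypted to that key, then a symmetric session with an integrity check on every record) can be walked through in code. The Python below is an added example written for this page, not the article's code and not a TLS implementation: it uses textbook RSA with two known Mersenne primes and no padding, a keystream derived from HMAC-SHA256 in place of a real cipher, and a pinned public key in place of a root-CA lookup, purely so that each of the three phases is visible. The request text is constructed. None of it is safe for real traffic.

```python
"""Toy walk-through of the SSL-style handshake described above.

Added example for this page; not real TLS. Textbook RSA (no padding), an
HMAC-SHA256 keystream as the "symmetric cipher", and a pinned key standing in
for the root-CA check. Illustrative only; never use for real traffic.
"""
import hashlib
import hmac
import secrets

# Server key pair. P and Q are well-known primes (2^61-1 and 2^89-1), chosen
# so the example is self-contained; a real server uses a certified 2048-bit key.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent, server only


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stream cipher: XOR with HMAC-SHA256(key, counter) blocks."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append an integrity tag (the 'integrity' phase)."""
    ct = keystream_xor(key, plaintext)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_record(key: bytes, record: bytes) -> bytes:
    """Verify the tag before decrypting; a modified record is rejected."""
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("record failed integrity check")
    return keystream_xor(key, ct)


class Server:
    def certificate(self):
        return (N, E)                         # public half only
    def accept_session_key(self, ciphertext: int):
        self.key = pow(ciphertext, D, N).to_bytes(16, "big")   # RSA decrypt
    def receive(self, record: bytes) -> bytes:
        return open_record(self.key, record)


class Client:
    def __init__(self, trusted_keys):
        self.trusted = trusted_keys           # stands in for the root-CA list
    def handshake(self, server: Server):
        n, e = server.certificate()
        if (n, e) not in self.trusted:        # authentication phase
            raise ValueError("untrusted certificate")
        self.key = secrets.token_bytes(16)    # fresh session key, client side
        server.accept_session_key(pow(int.from_bytes(self.key, "big"), e, n))
    def send(self, plaintext: bytes) -> bytes:
        return seal(self.key, plaintext)


def run_session(request: bytes = b"GET /account HTTP/1.1") -> bytes:
    """Full exchange; returns what the server decrypted."""
    server = Server()
    client = Client(trusted_keys={server.certificate()})
    client.handshake(server)
    return server.receive(client.send(request))


def tampering_is_detected() -> bool:
    server = Server()
    client = Client(trusted_keys={server.certificate()})
    client.handshake(server)
    record = bytearray(client.send(b"GET /account HTTP/1.1"))
    record[0] ^= 0x01                         # flip one ciphertext bit in transit
    try:
        server.receive(bytes(record))
    except ValueError:
        return True
    return False


def untrusted_certificate_is_rejected() -> bool:
    try:
        Client(trusted_keys=set()).handshake(Server())
    except ValueError:
        return True
    return False
```

The RSA key-transport step is the one the article describes; the same shape holds for real TLS except that the session key is derived by both sides from an ephemeral key agreement, and the record layer uses an authenticated cipher such as AES-GCM rather than a hand-rolled keystream plus HMAC.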
SECTION 66C - PUNISHMENT FOR IDENTITY THEFT

Introduction

The term identity theft was coined in 1964. However, it is not literally possible to steal an identity, so the term is usually interpreted as identity fraud or impersonation. Identity theft is a form of stealing someone's identity by pretending to be someone else, typically in order to access resources or obtain credit and other benefits in that person's name.

SOME OF THE INCIDENTS

- The CEO of an identity theft protection company, Lifelock, Todd Davis, had his social security number exposed by Matt Lauer on NBC's Today Show. Davis' identity was used to obtain a $500 cash advance loan.
- Li Ming, a graduate student at West Chester University of Pennsylvania, faked his own death, complete with a forged obituary in his local paper. Nine months later, Li attempted to obtain a new driver's license with the intention of eventually applying for new credit cards.

PUNISHMENT FOR IDENTITY THEFT

Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Comments

This section applies to cases where someone dishonestly or fraudulently does the following:
- makes use of the electronic signature of any other person, or
- makes use of the password of any other person, or
- makes use of any other unique identification feature of any other person.

Acts covered: (1) dishonestly/fraudulently using someone's electronic signature/password or any other unique identification feature; (2) dishonestly retaining a stolen computer resource or communication device
Investigation authorities: Police officer not below the rank of Inspector; Controller of Certifying Authorities or a person authorised by him
Relevant courts: Judicial Magistrate First Class; Court of Session
Cognizable/Bailable: Yes/Yes

Illustration

Vivek and Rajan were business partners. A few months back they had a fight over some issues and then parted ways. Vivek opened a new firm in the same line of business as Rajan's. In the next few months Vivek took over most of Rajan's clients.

Disgruntled by this, Rajan decided to take revenge. Rajan managed to obtain fake ID proof and address proof in the name of Vivek and applied for a digital signature certificate. He then digitally signed documents and emails to enter into electronic contracts in Vivek's name and solicited his clients by pretending to be Vivek.

Rajan can be held liable under this section.

Sagar Rahurkar
contact@sagarrahurkar.com

Sagar Rahurkar is a Law graduate, a Certified Fraud Examiner (CFE) and a certified Digital Evidence Analyst. He specializes in Cyber Laws, Fraud examination and Intellectual Property Law related issues. He has conducted exclusive training programs for law enforcement agencies like the Police and Income Tax.
Don't Get Injected – Fix Your Code

When I began doing security reviews for web applications, one common issue that I encountered was SQL Injection. Developers used to pose several questions to me, saying that their software was secure as they had followed several measures to mitigate this insidious issue. The main mitigation adopted was to use stored procedures or input validation. While this does reduce certain types of injection, it doesn't prevent all of them. In this article, I will explain what SQL Injection is and what one can do to prevent it.

SQL Injection

SQL Injection attacks can occur in any database-driven web application. There is a risk in every web application that accepts an end user's input and uses it to send queries to an underlying database. An attacker can manipulate the user input and send malicious queries to the database. The impact could range from stealing users' information, to taking control of the server, to a complete wipe-out of the database. So the onus is on the developer to ensure that the application's integrity and reliability are preserved.

SQL Injection: An Example

Consider the login page below, which accepts a username and password and lets the user log in. Let's assume that the query below is executed when one tries to log on. In this case, the query would look like:

SELECT * FROM USERS WHERE USERNAME='celia' AND PASSWORD='password';

While a naive user would only provide the correct password and proceed to access the business functionality of the application, an attacker wouldn't. Now consider the same form but with the input shown below, 1' or 1=1-- in the username field. This is how the query takes shape now:

SELECT * FROM USERS WHERE USERNAME='1' or 1=1--' AND PASSWORD='password'

Everything after -- is a comment, so the password check is never evaluated and the remaining condition is always true. As you can see, this lets the user log in even when he doesn't know the username and password. This is a very simple case of SQL Injection. (The example also compares the password in clear text; in a real application the table holds a salted password hash and the comparison is done in application code after the row is fetched.)

Mitigation

The steps suggested here are absolutely needed if you want to mitigate SQL Injection. They are not just recommendations.

- Always validate your input for the right size, format, type and range.
- Use parameterized queries.
- Use stored procedures.
- Give the least privilege to the database user account that executes the queries.

Input Validation

It is very important that your application knows what input to expect, what data type it can contain, the format of the input and the minimum and maximum lengths. Though it is a bit difficult and time-consuming to implement these validations for all input fields, it is a sound approach if you want your application to be reliable for a long time. Validation narrows what an attacker can send; it is not a substitute for parameterized queries, because a value that is perfectly valid (an apostrophe in a surname, for instance) can still break a concatenated query.

SQL Parameterized Queries

Never use string concatenation to build your queries dynamically. Always use placeholders or parameterized statements to build your queries. An example is given below.

String query = "SELECT * FROM USERS WHERE username=? AND password=?";
PreparedStatement prepStmt = con.prepareStatement(query);
prepStmt.setString(1, username);
prepStmt.setString(2, password);
ResultSet rs = prepStmt.executeQuery();

A value passed through the above statement is bound to its placeholder and sent to the database as data; the driver never splices it into the SQL text, so it cannot change the structure of the query.

Stored Procedures

Stored procedures by themselves do not help in mitigating SQL Injection. By using a stored procedure, type checking is automatically available for the parameters. Hence, when one uses this method in combination with parameterized statements, one can reduce SQL injection to a great extent. Consider the same SQL written as a procedure call.

CallableStatement stmt = conn.prepareCall("{call SELECT_USER(?, ?, ?)}");
stmt.setString(1, username);
stmt.setString(2, password);
stmt.registerOutParameter(3, java.sql.Types.NUMERIC);
stmt.execute();
long userId = stmt.getLong(3);

The procedure that executes in the back end might look similar to the one below.

CREATE OR REPLACE PROCEDURE SELECT_USER(user_name IN VARCHAR2, pass IN VARCHAR2, userid OUT NUMBER) IS
BEGIN
  -- Static SQL: user_name and pass are bind variables, never part of the SQL text
  SELECT USERID INTO userid FROM users WHERE username = user_name AND password = pass;
END;

One point to note here is not to use dynamic SQL (EXECUTE IMMEDIATE in PL/SQL, EXEC or sp_executesql in T-SQL) inside a stored procedure. If one does that, the advantage of using a stored procedure is lost and SQL Injection is possible again. Check out the vulnerable code below. It does make use of a stored procedure but builds the statement with dynamic SQL, so it is still vulnerable to SQL Injection.

CREATE OR REPLACE PROCEDURE SELECT_USER(user_name IN VARCHAR2, pass IN VARCHAR2, userid OUT NUMBER) IS
  query VARCHAR2(4000);
BEGIN
  -- Vulnerable: the caller's input is concatenated straight into the SQL text
  query := 'SELECT USERID FROM users WHERE username = ''' || user_name ||
           ''' AND password = ''' || pass || '''';
  EXECUTE IMMEDIATE query INTO userid;
END;

Dynamic SQL is only acceptable when the values are supplied as bind variables (EXECUTE IMMEDIATE ... USING user_name, pass) rather than concatenated.

Likewise, stored procedures should be used in conjunction with input validation. Just because type checking is done, it doesn't mean that one can get away without validating user input.

Minimum Privilege

Last but not least, always ensure that the database user executing the queries has only SELECT or the minimum required privilege to use the application. This will prevent the database getting corrupted or wiped out should an attack occur.

So, start following these simple requirements in your applications and you can be sure that you won't have a security consultant coming to you and asking you to fix your code.

Celia

Celia has been with Infosys for the past 5 years and has been associated with Internet Application Security since August 2010. Her expertise includes Product Development, Secure Code Development, Penetration Testing and Secure Code Analysis. She is a Certified Ethical Hacker and is currently engaged in application security consulting.
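The login query from the article, run both ways against an in-memory SQLite database, so the effect of the 1' or 1=1-- input can be seen rather than read. This Python is an added example, not the article's Java/PL-SQL code; the users table and its two rows are constructed here, and sqlite3's ? placeholders play the role of the JDBC PreparedStatement. The third function shows the input validation the article asks for placed in front of, not instead of, the parameterized query.

```python
"""The article's login check, vulnerable and fixed, against an in-memory
SQLite database. Added example, not the article's code. Table rows are
constructed; the 1' or 1=1-- input is the one shown in the article.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Constructed rows. The article's schema stores the password in clear text;
    # a real table would hold a salted hash compared in application code.
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("celia", "password"), ("admin", "s3cret")])
    return con


def login_vulnerable(con, username: str, password: str):
    """String concatenation: the input becomes part of the SQL text."""
    query = ("SELECT userid FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username: str, password: str):
    """Parameterized: values are bound to ? and never parsed as SQL."""
    row = con.execute("SELECT userid FROM users WHERE username=? AND password=?",
                      (username, password)).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def login_validated(con, username: str, password: str):
    """Input validation in front of the parameterized query (defence in depth)."""
    if not USERNAME_RE.fullmatch(username) or not 1 <= len(password) <= 128:
        return None
    return login_safe(con, username, password)


if __name__ == "__main__":
    db = make_db()
    attacker = "1' or 1=1--"
    print("vulnerable:", login_vulnerable(db, attacker, "x"))   # logs in as userid 1
    print("safe:      ", login_safe(db, attacker, "x"))         # no row matches
```

With the concatenated query the attacker's username closes the string literal, adds a condition that is always true and comments out the password check, so the first row (userid 1) comes back. With the bound parameters the database looks for a user whose name is literally 1' or 1=1-- and finds nothing.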