Friday, 9 September 2011

So, where did all the tools go?

If you've hit my blog looking for SQLBrute or one of the other tools that used to be hosted here, most (but not all) are now hosted at the Gotham Digital Science page on GitHub. If you're looking for something else, send me an email, or message me on Twitter (@connectjunkie) and I'll dig it out for you.

Tuesday, 27 October 2009

Another Couple of Great Reviews of SQL Injection Attacks and Defense

A couple of good reviews of SQL Injection Attacks and Defense have been posted to Amazon recently (both 5 stars). Firstly we have a review from Chris Gates, which gives a good, balanced review of the book and points out some things he'd have liked to see. I agree with all of the points, and if we ever get a chance to do a second edition, we can add those to the to-do list.

Second and most recent was a review from Richard Bejtlich, who was also very positive about the book and mentioned it may be in the running for his "best book of 2009"!

Wednesday, 23 September 2009

Review of SQL Injection Attacks and Defense on Help Net Security

Just noticed a very complimentary review of SQL Injection Attacks and Defense at Help Net Security this morning. Will have to remember to pass a link to this on to the author team :-)

On a related note, I met Mirko from Help Net Security at BruCon in Brussels, but didn't manage to get an interview sorted out. There is a link to a previous email interview we did in the book review above...

Tuesday, 1 September 2009

SQL Injection used in Heartland, 7-Eleven and Hannaford Breaches

This is a repost from the original on the GDS Security Blog

Having recently seen our book SQL Injection Attacks and Defense come out, it is very timely indeed to see, in the news coverage of the recent indictment of Albert Gonzalez, that SQL Injection played a key part in the Heartland Payment Systems, 7-Eleven and Hannaford Brothers breaches, as well as in those of two other unnamed victim companies.

So how can SQL Injection, which is an application-level problem, be used as a vector for attacking an organization? In a number of ways. SQL Injection gives an attacker the ability to interact with the database, and therefore if something is possible on the database server it may well be possible through SQL Injection. Modern database systems such as Oracle, SQL Server and others provide a rich variety of functionality for their users - all too often, though, some of this functionality can be abused by malicious individuals.

Making some assumptions, it's likely that something like the following occurred:

  1. It was possible to interact with the underlying operating system in some way using SQL Injection. This could have been through the ability to execute operating system commands (such as through the well-known xp_cmdshell stored procedure on Microsoft SQL Server), or through the ability to stage content to the database server (or filesystem) and then have it compiled to executable content.
  2. With the ability to execute content at the operating system layer, access was consolidated by providing some form of alternative control channel or remote access to the database server.
  3. With consolidated access to the database server, the attacker then used the database server as a foothold to go further into the organization.

These types of hybrid attacks, where one type of attack is dovetailed with or launched over another, are becoming increasingly common. Another SQL Injection hybrid attack of recent note was the series of SQL Injection mass attacks that started in early 2008. These used SQL Injection in another way: to inject links to JavaScript malware into thousands of unsuspecting vulnerable sites. It just goes to show that even if a vulnerability class is over 10 years old, it still has some new tricks to be seen.
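As an added illustration (not from the original post or the GDS blog), the following Python snippet shows how a defender might triage captured SQL statements for the two hybrid patterns described above: the stacked query that reaches the operating system via xp_cmdshell, and the mass-attack style of writing script tags into stored content. The sample statements and the rule names are constructed for this example; a real deployment would feed it statements from a database audit trail or application query log.

```python
import re

# Constructed sample of captured SQL statements (not real audit data).
# Statement 1 shows stage 1 of the chain above; statement 2 shows the
# 2008-style mass attack that writes script tags into site content.
SAMPLE_STATEMENTS = [
    "SELECT name, price FROM products WHERE id = 42",
    "SELECT name FROM products WHERE id = 42; EXEC master..xp_cmdshell 'dir'--",
    "UPDATE pages SET body = body + '<script src=\"http://example.invalid/x.js\"></script>'",
    "SELECT id FROM users WHERE email = 'alice@example.invalid'",
]

# Rule name -> (case-insensitive pattern, which part of the post's chain it maps to).
# Rule names are hypothetical labels chosen for this example.
RULES = {
    "os_command_via_xp_cmdshell": (
        re.compile(r"\bxp_cmdshell\b", re.IGNORECASE),
        "stage 1: operating system interaction through the database",
    ),
    "stacked_query": (
        re.compile(r";\s*(EXEC|EXECUTE|INSERT|UPDATE|DELETE|DROP)\b", re.IGNORECASE),
        "stage 1: extra statement appended after the intended query",
    ),
    "script_tag_written_to_data": (
        re.compile(r"<script\b", re.IGNORECASE),
        "mass-attack pattern: JavaScript link injected into stored content",
    ),
}


def classify_statement(sql):
    """Return the names of every rule that matches a single SQL statement."""
    return [name for name, (pattern, _) in RULES.items() if pattern.search(sql)]


def flag_hybrid_sqli(statements):
    """Return (index, statement, matched_rules) for each statement with at least one hit."""
    findings = []
    for index, sql in enumerate(statements):
        hits = classify_statement(sql)
        if hits:
            findings.append((index, sql, hits))
    return findings


if __name__ == "__main__":
    for index, sql, hits in flag_hybrid_sqli(SAMPLE_STATEMENTS):
        print(f"statement {index}: {sql}")
        for hit in hits:
            print(f"  {hit}: {RULES[hit][1]}")
```

Pattern matching on statement text is a coarse first filter; the durable fix remains parameterised queries and a database account that cannot reach xp_cmdshell or the filesystem at all.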

Tuesday, 24 February 2009

SQL Injection Attacks and Defense

I now realise that I last posted on the topic of a forthcoming book in October last year. Well, the book has now gone to production and should be hitting the shelves in May of 2009. For those of you who haven't been denial-of-serviced with my LinkedIn status updates on the progress of the book, it's called "SQL Injection Attacks and Defense", from Syngress.

I'm very happy with the great team of folks I managed to pull together for the book. The author list is as follows (in alphabetical order):

Hopefully we'll be able to see the proofs in the next couple of weeks, and see what the production folks have done with the 520-odd pages of code-heavy goodness we sent them :-)

Sunday, 19 October 2008

Upcoming speaking bookings

Quick note - I'm currently confirmed for the following speaking engagements. If anyone is attending any of these and wants to catch up, drop me an email.

Another forthcoming book

Quick announcement - it looks like I'll have another book coming out early next year - I have the contract from Syngress sitting on my dressing table right now.

More details (like what the book is on, who's involved in the project, etc.) will be forthcoming early next month, as I have to get the full book outline completed first. What I will tell you all is that it's a single-topic book, it is going to be very technical, and I have some great contributing authors lined up for it :-)