Second and most recent was a review from Richard Bejtlich who was also very positive about the book and mentioned it may be in the running for his "best book of 2009"!.

On a related note, I met Mirko from Help Net Security at BruCon in Brussels, but didn't manage to get an interview sorted out. There is a link to a previous email interview we did from the book review above...

Having recently seen our book SQL Injection Attacks and Defense come out, it is very timely indeed to see in the news of the recent indictment of Albert Gonzalez that SQL Injection played a key part in the Heartland Payment Systems, 7-Eleven, and Hannaford Brothers breaches, as well as for two other unnamed victim companies.

So how can SQL Injection, which is an application level problem, be used as a vector for attacking an organization? In a number of ways. SQL Injection gives an attacker the ability to interact with the database, and therefore if something is possible on the database server it may well be possible through SQL Injection. Modern database systems such as Oracle, SQL Server and others provide a rich variety of functionality for their users - all too often though, some of this functionality can be abused by malicious individuals.

Making some assumptions, its likely that something like the following occurred:

1. It was possible to interact with the underlying operating system in some way using SQL Injection. This could have been through the ability to execute operating system commands (such as through the well known xp cmdshell stored procedure on Microsoft SQL Server), or through the ability to stage content to the database server (or filesystem) and then have it compiled to executable content.
2. With the ability to execute content at the operating system layer, access was consolidated by providing some form of alternative control channel or remote access to the database server.
3. With consolidated access to the database server, the attacker uses the database server as a foothold to go further into the organization.

These types of hybrid attacks where one type of attack is dovetailed or launched over another are becoming increasingly common. Another SQL Injection hybrid attack of recent note was the SQL Injection mass attacks that started in early 2008. These used SQL Injection in another way - to inject links to JavaScript malware into thousands of unsuspecting vulnerable sites. It just goes to prove that even if a vulnerability is over 10 years old, it still has some new tricks to be seen.

I'm very happy with the great team of folks I managed to pull together for the book. The author list is as follows (in alphabetical order):

• Justin Clarke - i.e. me
• Dave Hartley - author of Bobcat
• Joe Hemler - colleague and fellow contributing author to Network Security Tools
• Alexander Kornbrust - CEO of Red Database Security and Oracle security guru with hundreds of Oracle bugs to his name
• Rodrigo Marcos - author of TAOF
• Haroon Meer - Technical Director at Sensepost, and well known speaker and researcher
• Gary Oleary-Steele - author of Automagic SQL Injector
• Alberto Revelli - author of sqlninja
• Marco Slaviero - primary author of Squeeza
• Dafydd Stuttard - AKA Portswigger, author of Burp Suite and the Web Application Hackers Handbook

Hopefully we'll be able to see the proofs in the next couple of weeks, and see what the production folks have done with the 520-odd pages of code-heavy goodness we sent them :-)

• British Computer Society, London, 22 October 2008
• iSAFE conference, Dubai, 29-30 October 2008
• OWASP London Chapter, London, 4 December 2008
• ISACA London Chapter, London, June 2009

More details to come (like what the book is on, who's involved in the project etc) will be forthcoming early next month as I have to get the full book outline completed first. What I will tell you all is it's a single topic book, is going to be very technical, and I have some great contributing authors lined up for it :-)

• Nitesh Dhanjani (although I don't think you could call Nitesh an alumni anymore... here is a link to his blog
• Brian Holyfield, who is also at Gotham Digital Science
• Nate McFeters - you can find his blog here
• Billy Rios - his blog is here
• Kevin Stadmeyer
• And of course, me

First of all, I got my turbo talk to Blackhat USA in Las Vegas accepted, so I'll be speaking there again for the first time since 2004. The paper is called "SQL Injection Worms for Fun and Profit", and appears to be even more timely than I expected when submitting it considering what is still an ongoing problem. I'll be in Vegas for both Blackhat and Defcon if anyone wants to plan a catch up.

On other news, I've made little progress on rewriting SQLBrute in .NET due to a lack of time. I am, however, going to release SQLBrute 1.1 in Python in the not too distant future - I'm adding Sybase support, and cleaning up a few of the routines. Also, check out the port of Microsoft's AntiXSS library to Java - you can check it out on the GDS Tools page.

Thats all for now - more news and happenings soon!

Check out Nitesh's site, or Billy's site, check out the interview they did with Help Net Security, and see them talk about it at Black Hat Federal 2008 in DC on the 20th of February.

Although there isn't a lot there at the moment, we're going to be putting up a lot of tools we've been working on as time permits.

Check out the blog for interesting technical content, including lessons learned and tips from our source code review/application vulnerability remediation work, as well as for some of the tools we'll be releasing in the coming weeks.

The change in the law, which went into effect on August 10, criminalises the production, distribution, possession, and sale of tools that can be used to commit cybercrimes. Unfortunately, a strict interpretation of the changes would make possession of tools that could be used maliciously (such as nmap or Nessus for instance) illegal. While in reality, legal opinions are that the courts would differentiate between a cracker and a security researcher based on their intent, noone (unsurprisingly) seems to want to be the first test case.

The content for a number of projects have all but disappeared, such as the recent Month of PHP bugs, and the well known THC (The Hackers Choice) group, as well as smaller projects such as BtCrawler. Others are saying farewell to Germany and reestablishing themselves elsewhere such as the KisMac wifi scanner for OSX and the Phenoelit group.

All in all a hard strike against a country which has produced much valuable security research and expertise.

The reason for this is that in Windows XP Service Pack 2, Microsoft introduced a number of Network Protection Technologies for mitigating the spread of malware. One of these limits the number of simultaneous incomplete outbound TCP connection attempts to 10, with additional attempts being queued and potentially dropped. This impacts the reliability of at least port scanning, and possibly other security checks.

Unfortunately the scenario I was working with required me to be running Nessus through a VPN client (never ideal), in reality requiring me to be on XP. Tenable does, however, have some recommendations for running Nessus as reliably as possible on XP:

• Max number of hosts: 10
• Max number of security checks: 4
• Max number of packets per second for port scan: 50

The maximum hosts/security checks setting is standard in all of the Nessus clients I've used, however the packets per second setting seems to only be available within the client shipped with the Windows Nessus server. If you, like me, are using the new NessusClient 3.0 beta for Windows, you need to make the following change to the Nessus server's configuration to ensure that 50 is the default value:

• Go to the "config" directory in your Nessus server installation. By default this is C:\Program Files\Tenable\Nessus\config
• Open config.default.xml for editing - just use Notepad if you don't have an XML editor
• Find the SYN Scan:Max number of packets per second for port scan node, and edit the value (the CDATA bit) from 500 to 50

This value should now be the default for all new scans.

This worked well for me, however needless to say that running a Nessus scan in VMWare (slowdown factor one), over a VPN link (slowdown factor two), over a transatlantic Internet connection (slowdown factor three), the scan took quite a while to complete...

If setting the environment variable, on the Windows command line you can do this:

set http_proxy=myproxy:8080

Which should point it to your proxy. The same works for Unix/Linux with whatever export or set command is relevant for your shell.

The proxy support in urllib2 doesn't support authentication so if you have a proxy with authentication you might want to chain SQLBrute through your favourite local proxy (i.e. Burp, Paros etc) and have that handle the authentication for you. Enjoy!