lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat May 27 18:44:06 2006
From: joel at helgeson.com (Joel R. Helgeson)
Subject: Application Security Hacking Videos

Mr. King,
On the contrary, I am not trying to besmirch Microsoft. I want people to 
understand that the Microsoft SQL video is proof positive that the Web 
Applications MUST provide the protection to the database and all back end 
services.  If your web application wasn't written to protect the back end, 
then it is facilitating the attack on the back end.  At which point, you 
have two choices, re-write the web application or put an application 
firewall in front of it.

I have made the video's and my website content available to all so that 
everyone, including management and non-technical people can better 
understand and appreciate these vulnerabilities, especially how easy they 
are to discover and to exploit.

Yes, I was hired to do a security audit for the college, part of which 
included the web server security assessment.
I performed the web assessment on day 1 of the audit, I showed the video to 
the college on day two, and by lunch time we had installed the WebScurity 
web application firewall and it is protecting the site to this day. They 
have agreed to be a reference for both Appiant and WebScurity.

Joel
----- Original Message ----- 
From: "Dave King" <davefd@...ewking.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Saturday, May 27, 2006 12:14 PM
Subject: Re: [Full-disclosure] Application Security Hacking Videos


> I'm not sure what the clips from Microsoft are trying to show. To me it
> seems like they're intended to show that microsoft doesn't have a good
> fix for the problem at hand. From what I gathered from the training they
> were trying to show some ways to seriously lock down a SQL Server 2000,
> which would help mitigate some risks, while causing some usability
> problems. Microsoft has been an advocate of strong server side input
> validation (ASP.Net even has some nice features to help you with this).
> The video was just showing another layer in a good layered security
> approach.
>
> Lastly, I'm of the opinion that ticks should be allowed in a password. I
> don't like restricting characters in a password. However best practices
> should be followed. If for example, in the video the college had been
> storing the password as a secure hash, then hashing the password that
> was input and comparing them (preferably using a stored proc to do the
> sql stuff), then the attack would have failed.
>
> Dave King
>
> http://www.thesecure.net
> http://www.remotecheckup.com
>
>
>
> Joel R. Helgeson wrote:
>> With college campuses being hacked into on a seemingly daily basis,
>> and student information being stolen and used for Identity Theft; I
>> thought you might like to see how the hacks are being done, and how
>> astoundingly easy they are. I have produced a video of a security
>> audit I performed on a local college website that shows how easy these
>> exploits are. There is also a brief training on the homepage that
>> introduces non-experts to SQL injection concepts in a fashion that
>> makes it easy to understand.
>> Below is the link to the video of me hacking into the college web site
>> using SQL injection:
>> http://www.appiant.net/exploit.wmv
>>
>> Other videos related to application security can be viewed from the
>> home page as well: www.appiant.net <http://www.appiant.net/>
>>
>> It?s not available from the web page, but if you want to see the video
>> of Microsoft?s response to application security by securing the database:
>> http://www.appiant.net/sql_security.wmv
>>
>> No, that video is not a fake; the entire video can be accessed from
>> Microsoft?s website ? the original is over an hour long, I just edited
>> it down to ~5 minutes so you could get the point in a shorter timeframe.
>> http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=31
>>
>> Any questions, feel free to ask?
>>
>> Regards,
>>
>> Joel R. Helgeson
>> President
>> Appiant, Inc.
>> 1402 County Road C2 W
>> Saint Paul, MN 55113
>> (952) 858-9111
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ