US v Albert Gonzales

(@seanmcl)
Posts: 700
Honorable Member
Topic starter
 

This criminal case has enough in common with a civil case that I worked on that I thought that it was worth posting the link.

http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf

Interestingly, my case occurred many months later and used many of the same European hosting sites in much the same manner.

 
Posted : 12/09/2009 7:36 pm
(@Anonymous)
Posts: 0
Guest
 

Thanks for posting that link. It was an excellent refresher of a presentation I attended a couple months ago.

The US Secret Service sponsored Kevin Mandia to come to our State's Electronic Crimes Task Force meeting. Kevin's presentation was, essentially, 'The Anatomy of an SQL-Injection Exploit.'

Very detailed. Very sobering.

For those of us that also provide IA consulting services to e-commerce clients, this is essential information.

 
Posted : 12/09/2009 11:51 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

How is it in this day and age that people still don't properly range check their inputs to prevent an SQL Injection attack? This was old news when I took a hacking class in '05.

 
Posted : 13/09/2009 4:20 am
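The posts above talk about "range checking" inputs to stop SQL injection. The following is an added example, not code from any poster or from the case file, showing concretely what the bug looks like, the two classic payload shapes (a tautology and a UNION that reads the schema), and why a bound parameter is the real fix while a format check is only a second line of defence. The table, rows, payloads and the alphanumeric login policy are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data, not from the case file: two accounts with card numbers.
SAMPLE_ROWS = [
    (1, "alice", "4111111111111111"),
    (2, "bob", "5500000000000004"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, login TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, login):
    """The bug: the caller's string is pasted into the SQL text, so a quote
    character in it changes the structure of the query."""
    sql = "SELECT login, card FROM customers WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, login):
    """The fix: a bound parameter travels as data; the SQL text never changes."""
    return conn.execute(
        "SELECT login, card FROM customers WHERE login = ?", (login,)
    ).fetchall()


def is_plausible_login(login):
    """Range/format check in the sense the thread uses it: a short alphanumeric
    handle. Hypothetical policy: it rejects the payloads below, but it also
    rejects legitimate values such as O'Brien, which is why it belongs in front
    of a parameterized query rather than in place of one."""
    return 1 <= len(login) <= 32 and login.isalnum()


# Constructed payloads of the two classic shapes: tautology and UNION.
TAUTOLOGY = "x' OR '1'='1"
UNION_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    """Run every lookup against every input and return the results keyed by case."""
    conn = make_db()
    results = {
        "vuln_honest": lookup_vulnerable(conn, "alice"),
        # WHERE login = 'x' OR '1'='1'  -> every row, every card number
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        # WHERE login = '' UNION SELECT name, sql FROM sqlite_master --'  -> schema
        "vuln_union": lookup_vulnerable(conn, UNION_SCHEMA),
        # Same payloads through the parameterized query: nothing matches
        "param_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "param_union": lookup_parameterized(conn, UNION_SCHEMA),
        "validator": {
            p: is_plausible_login(p)
            for p in ("alice", TAUTOLOGY, UNION_SCHEMA, "O'Brien")
        },
    }
    conn.close()
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(case, value)
```

Running it prints both card numbers for the tautology case and the CREATE TABLE text for the UNION case through `lookup_vulnerable`, and an empty result for both through `lookup_parameterized`. Feeding a lone `'` to the vulnerable function raises `sqlite3.OperationalError`, which is exactly the syntax-error probe an attacker uses to discover the hole in the first place.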
(@Anonymous)
Posts: 0
Guest
 

How is it in this day and age that people still don't properly range check their inputs to prevent an SQL Injection attack? This was old news when I took a hacking class in '05.

Maybe because most developers are self-taught and never learned secure coding… or bounds-checking… or input-validation?
Maybe because most developers aren't aware of the potential for disaster?
Maybe because most employers emphasize speed-of-delivery over security?
Maybe a few more high-profile exploits of this ancient vulnerability will get the message across once and for all?

Back when I managed a team of developers, I explained the issues to them and was often met with a deer-in-headlights stare. I then said, "Keep our company off of the 10 O'clock News. If we go down, you're out of work."

That got their attention.

 
Posted : 13/09/2009 5:40 am
(@bithead)
Posts: 1206
Noble Member
 

Maybe because most developers are self-taught and never learned secure coding… or bounds-checking… or input-validation?
Maybe because most developers aren't aware of the potential for disaster?
Maybe because most employers emphasize speed-of-delivery over security?

It is not only the developers that are self-taught or unaware of the consequences of improperly secured networks. In many cases if there is not a "wizard" that needs to be run, it just does not hit the radar for many IT people. Being self-taught in and of itself is not a problem, but when people stop advancing their knowledge or at the very least stop keeping up with current issues, that is a huge problem.

 
Posted : 13/09/2009 9:50 pm
(@seanmcl)
Posts: 700
Honorable Member
Topic starter
 

Being self-taught in and of itself is not a problem, but when people stop advancing their knowledge or at the very least stop keeping up with current issues, that is a huge problem.

Agreed. But the other factor is the increasing complexity of even simple systems. It can be very difficult to anticipate all of the possible ways in which a system can fail.

Consider the case of American Airlines Flight 191 which crashed shortly after takeoff from Chicago in 1979. The circumstances surrounding this crash were exceedingly complex, beginning with a failure of a mechanic to follow normal maintenance procedures coupled with design flaws coupled with the pilot's unfortunate reliance on the electrically powered controls which were lost when the engine severed from its piling.

The plane (DC-10) had been engineered to survive the physical loss of an engine but the designers had assumed that the failure would be at the point of attachment with the engine pylon. Instead, because of improper handling by the mechanic, the pylon attachment to the wing was weakened. When the engine (and pylon) tore off, they took the hydraulics and electrical power with them.

Subsequent studies showed that the airplane was recoverable, but that the pilots' training scenarios never anticipated the combination of factors that led to the failure and resultant events.

The problem is that designers typically operate according to what is known as the reasonable person principle (the Biblical "do unto others"). To be cost effective, designs almost necessarily have to assume that people are not going to do certain things.

When I was working in software development, we designed a pretty complex web application that contained almost 60,000 lines of code. To bullet-proof it, at least as best as we could using the knowledge of the day, required almost 40,000 more lines of code.

With many projects being on a strict budget and deadlines, sometimes security is sacrificed. In the long term, these decisions frequently cost more than doing it right, but that isn't often how decisions are made.

 
Posted : 13/09/2009 10:46 pm
(@ddow)
Posts: 278
Reputable Member
 

How is it in this day and age that people still don't properly range check their inputs to prevent an SQL Injection attack? This was old news when I took a hacking class in '05.

If your boss doesn't consider it important you can have a difficult time explaining why you're doing additional processing. Until companies are held liable for bad software, there is little incentive to fix the core problem.

 
Posted : 13/09/2009 10:58 pm