US v Albert Gonzales


seanmcl
Senior Member
 

US v Albert Gonzales

Posted: Sep 12, 09 19:36

This criminal case has enough in common with a civil case that I worked on that I thought that it was worth posting the link.

www.wired.com/images_b...nzalez.pdf

Interestingly, my case occurred many months later and used many of the same European hosting sites in much the same manner.  
 
  

AWTLPI
Senior Member
 

Re: US v Albert Gonzales

Posted: Sep 12, 09 23:51

Thanks for posting that link. It was an excellent refresher of a presentation I attended a couple months ago.

The US Secret Service sponsored Kevin Mandia to come to our State's Electronic Crimes Task Force meeting. Kevin's presentation was, essentially, 'The Anatomy of an SQL-Injection Exploit.'

Very detailed. Very sobering.

For those of us that also provide IA consulting services to e-commerce clients, this is essential information.
_________________
MSc, CISSP 
 
  

Patrick4n6
Senior Member
 

Re: US v Albert Gonzales

Posted: Sep 13, 09 04:20

How is it in this day and age that people still don't properly range check their inputs to prevent an SQL Injection attack? This was old news when I took a hacking class in '05.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 
 
  

AWTLPI
Senior Member
 

Re: US v Albert Gonzales

Posted: Sep 13, 09 05:40

- Patrick4n6
How is it in this day and age that people still don't properly range check their inputs to prevent an SQL Injection attack? This was old news when I took a hacking class in '05.


Maybe because most developers are self-taught and never learned secure coding... or bounds-checking... or input-validation?
Maybe because most developers aren't aware of the potential for disaster?
Maybe because most employers emphasize speed-of-delivery over security?
Maybe a few more high-profile exploits of this ancient vulnerability will get the message across once and for all?

Back when I managed a team of developers, I explained the issues to them and was often met with a deer-in-headlights stare. I then said, "Keep our company off of the 10 O'clock News. If we go down, you're out of work."

That got their attention.
_________________
MSc, CISSP 
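Patrick4n6 asks why inputs are still not range-checked, and AWTLPI's reply lists input validation and bounds-checking among the things developers never learned. The following is an added example, not code from either poster or from the Gonzalez case file: a user lookup written first with string concatenation (the classic injectable form) and then hardened with the two layers the posts allude to, an input range/format check and a parameterised query. The table, the two accounts and the payload string are constructed here for the demonstration; the regex and the id range are assumptions about what a "valid" username or record id looks like for this toy application.

```python
"""Added example: injectable vs. hardened lookup against an in-memory SQLite table."""
import re
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1111")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Deliberately injectable: the caller's text is spliced into the SQL."""
    sql = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterised: the driver sends the value separately from the statement text,
    so quotes or keywords inside the value can never change the query's structure."""
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed policy for this toy app: usernames are 1-32 lowercase alphanumerics/underscores.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username: str) -> bool:
    """Format check (allow-list): reject anything outside the expected alphabet and length."""
    return USERNAME_RE.match(username) is not None


def parse_record_id(raw: str) -> Optional[int]:
    """Range check for a numeric id: digits only, within an assumed 1..10**9 window.
    Returns the parsed int, or None if the input is outside the accepted range."""
    if not raw.isdigit():
        return None
    value = int(raw)
    if not 1 <= value <= 10**9:
        return None
    return value


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Both layers: validate first, then query with a bound parameter."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterised(conn, username)


def lookup_by_id(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[str, str]]:
    """Range-checked numeric lookup; an out-of-range or non-numeric id returns nothing."""
    record_id = parse_record_id(raw_id)
    if record_id is None:
        return []
    sql = "SELECT username, card_last4 FROM users WHERE id = ?"
    return conn.execute(sql, (record_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # constructed tautology payload: closes the quote, ORs in TRUE
    print("vulnerable:", lookup_vulnerable(db, payload))      # every row leaks
    print("parameterised:", lookup_parameterised(db, payload))  # no row matches that literal
    print("validated:", validate_username(payload))             # False, rejected before the DB
    print("by id:", lookup_by_id(db, "1 OR 1=1"))               # [] after the range check
```

Running the block shows the distinction the posts draw: the concatenated query hands back both card rows for the tautology payload, the parameterised query treats the same string as a literal and matches nothing, and the format and range checks reject the input before it ever reaches the driver. Parameterisation is the layer that actually prevents the injection; the range check is defence in depth and also catches garbage that the query would otherwise happily search for.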
 
  

BitHead
Senior Member
 

Re: US v Albert Gonzales

Posted: Sep 13, 09 21:50

- AWTLPI
Maybe because most developers are self-taught and never learned secure coding... or bounds-checking... or input-validation?
Maybe because most developers aren't aware of the potential for disaster?
Maybe because most employers emphasize speed-of-delivery over security?
It is not only the developers that are self-taught or unaware of the consequences of improperly secured networks. In many cases if there is not a "wizard" that needs to be run, it just does not hit the radar for many IT people. Being self-taught in and of itself is not a problem, but when people stop advancing their knowledge or at the very least stop keeping up with current issues, that is a huge problem.  
 
  

seanmcl
Senior Member
 

Re: US v Albert Gonzales

Posted: Sep 13, 09 22:46

- BitHead
Being self-taught in and of itself is not a problem, but when people stop advancing their knowledge or at the very least stop keeping up with current issues, that is a huge problem.


Agreed. But the other factor is the increasing complexity of even simple systems. It can be very difficult to anticipate all of the possible ways in which a system can fail.

Consider the case of American Airlines Flight 191 which crashed shortly after takeoff from Chicago in 1979. The circumstances surrounding this crash were exceedingly complex, beginning with a failure of a mechanic to follow normal maintenance procedures coupled with design flaws coupled with the pilot's unfortunate reliance on the electrically powered controls which were lost when the engine severed from its piling.

The plane (DC-10) had been engineered to survive the physical loss of an engine but the designers had assumed that the failure would be at the point of attachment with the engine pylon. Instead, because of improper handling by the mechanic, the pylon attachment to the wing was weakened. When the engine (and pylon) tore off, they took the hydraulics and electrical power with them.

Subsequent studies showed that the airplane was recoverable, but that the pilots' training scenarios never anticipated the combination of factors that led to the failure and resultant events.

The problem is that designers typically operate according to what is known as the reasonable person principle (the Biblical "do unto others"). To be cost effective, designs almost necessarily have to assume that people are not going to do certain things.

When I was working in software development, we designed a pretty complex web application that contained almost 60,000 lines of code. To bullet-proof it, at least as best as we could using the knowledge of the day, required almost 40,000 more lines of code.

With many projects being on a strict budget and deadlines, sometimes security is sacrificed. In the long term, these decisions frequently cost more than doing it right, but that isn't often how decisions are made.  
 
  

ddow
Senior Member
 

Re: US v Albert Gonzales

Posted: Sep 13, 09 22:58

- Patrick4n6
How is it in this day and age that people still don't properly range check their inputs to prevent an SQL Injection attack? This was old news when I took a hacking class in '05.


If your boss doesn't consider it important you can have a difficult time explaining why you're doing additional processing. Until companies are held liable for bad software, there is little incentive to fix the core problem.
_________________
Dennis 
 
