Hi, I've recently started a new role where I'm joining a team whose main work is investigating credit card compromise of merchants' web servers/databases. SQL injection seems to be the m.o. of the majority of these attacks.
My question is, do any members have any experience in this field and, if so, could you recommend any suitable reading material/apps, etc. to get me up to speed, as I am new to this particular niche of forensics.
Thanks in advance.
Jonathan
Google SPI Dynamics. On their site you'll have a selection of white papers on internet vulnerabilities. While they offer products to assess a web site for vulnerabilities, they are more than willing to share information about the techniques involved.
IMHO, they are the leaders in researching (and sharing info about) SQL injection. There may be some others out there that also publish, so I'd also like to hear from others about sites explaining the techniques.
Another thought might be to hook up with your local ISSA chapter. Fair chance they'll have a speaker a year (or more) that will talk about SQL injection. If not, it just costs a phone call to see how active they are.
Of course, all the CEH-related texts will be helpful too. Enjoy your new job, you're living the dream life. :)
I've got some experience with these types of investigations. If you focus solely on SQL injection, you're doing your clients a disservice.
If there is a web server involved, particularly IIS, it's a fair bet that searching for "xp_cmdshell" in the web server logs will give you quite a bit of information about what you're looking for.
When performing these investigations, there are three basic questions:
1. Was the machine compromised?
2. Was the machine used to process or store sensitive data?
3. If both 1 and 2 are "yes", then what is the likelihood that the data was compromised or exposed?
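As an added illustration of the log-searching step above (example code, not from the thread or any of its participants): a small Python scanner that reads IIS W3C extended log lines, URL-decodes the query string (injection payloads in IIS logs are usually `+`/`%xx` encoded, so a plain text search for `xp_cmdshell` can miss them), and reports which client addresses sent requests containing `xp_cmdshell` or related stored-procedure names. The log lines, IP addresses, field layout and indicator list are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log excerpt (not real traffic).  Field order
# is taken from the "#Fields:" header, exactly as IIS writes it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-03-01 10:15:02 192.0.2.10 GET /products.asp id=42 200
2008-03-01 10:15:09 198.51.100.7 GET /products.asp id=42';exec+master..xp_cmdshell+'dir'-- 500
2008-03-01 10:15:11 198.51.100.7 GET /products.asp id=42%27%3BEXEC%20master..XP_CMDSHELL%20%27whoami%27-- 500
2008-03-01 10:15:20 192.0.2.11 GET /about.asp - 200
"""

# Stored-procedure names worth flagging in a query string.  xp_cmdshell is the
# one named in the thread; sp_configure (used to re-enable it) and sp_oacreate
# are added here as further indicators.  Matching is case-insensitive.
INDICATORS = [
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
    ("sp_configure", re.compile(r"sp_configure", re.I)),
    ("sp_oacreate", re.compile(r"sp_oacreate", re.I)),
]


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def scan_for_indicators(text):
    """Return a list of hits: time, client IP, indicator name, decoded query."""
    hits = []
    for rec in parse_iis_log(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue  # IIS logs "-" when there is no query string
        decoded = unquote_plus(query)  # turns + and %xx back into characters
        for name, pattern in INDICATORS:
            if pattern.search(decoded):
                hits.append({
                    "time": rec["date"] + " " + rec["time"],
                    "ip": rec["c-ip"],
                    "uri": rec["cs-uri-stem"],
                    "status": rec["sc-status"],
                    "indicator": name,
                    "decoded_query": decoded,
                })
    return hits


def hits_by_ip(hits):
    """Count flagged requests per client address, to see who did the probing."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_for_indicators(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['ip']} {h['uri']} [{h['indicator']}] {h['decoded_query']}")
    print("flagged requests per IP:", hits_by_ip(found))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the second sample line shows why decoding matters, since the raw text contains `XP_CMDSHELL` surrounded by `%20` rather than the literal string you would grep for.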
Thanks for the replies; ddow, the SPI Dynamics site is an excellent resource, many thanks for that.
Harlan, SQL injections aren't the only compromise method being looked at, it just seems to me (at this very early stage) that they seem to be quite a common technique. Thanks for the tip re 'xp_cmdshell', will read up on it.
I'd quite agree xp_cmdshell is a vulnerability and should be disabled unless it's required (good ol' M'soft have it enabled by default).
I assume the SQL is the back end of an ERP system. Is it using IIS/Apache, etc.? Check the web logs on those. Install an IDS.
One thing I'd recommend is to enable C2 auditing. This audits every transaction on SQL and produces profiler-type log files of approx 200Mb apiece. One thing to be aware of is that these should be archived off elsewhere on a regular basis, otherwise your server's disk will fill (and, as a security feature of C2 logging, if the disk fills SQL Server stops).
DB intrusion is a highly specialised area and, as far as I know, there are no M'soft courses on database fraud detection.
I assume your client is aware of PCI DSS and has relevant security procedures in place?
Also, a word of warning: be wary of taking verbatim advice from security consultants. I've had first-hand experience of one who is highly qualified but knew little of SQL other than using a hacking tool to test the server (no doubt I'll get flamed here).
There's a lot more to cover in this area, I'd suggest signing up to relevant newsgroups.