Thursday, July 17, 2008

Registered for CISSP Exam


I have registered for CISSP Exam on August 2nd in Bangalore. Putting my all efforts to read the (ISC)2 CBK. Hmm. Its really a good book ... Happy reading Bala ...

Till then ... Enjoy ....

Tuesday, July 15, 2008

Joke Time !

A Man was walking down a street when he heard a voice from behind, “If you take one more step, a brick will fall down on your head and kill you.” The man stopped and a big brick fell right in front of him. The man was astonished.

He went on, and after a while he was going to cross the road. Once again the voice shouted, “Stop! Stand still! If you take one more step a car will run over you, and you will die.” The man did as he was instructed, just as a car came careening around the corner, barely missing him.

The man asked. “Who are you?”

“I am your guardian angel,” the voice answered.

“Oh, yeah?” the man asked “And where the hell were you when I got married?”

I loved this joke like anything ....Good laughing stuff ...

Wednesday, July 9, 2008

Some Interesting blog I saw on Information Security !

Hai all,

I saw this blog today morning. It has more interesting stuffs, PPTs and articles.
Just a sample !

Thursday, June 26, 2008

You Are "A Security Idiot" If ...... you:

1) Misspell both HIPAA and SOX (how the f does one misspell SOX?)
2) Confuse "risks" and "threats"
3) Think that "Trojan is a vulnerability" AND "DoS is a vulnerability"
4) Quote "Insiders are 80%" without thinking for one darn second
5) Think that a loss of "$20 million is catastrophic to any company"
6) Talk about "NIST compliance"
7) Consider IDS a network security control
8) Shout that "perimeter is dead"

Explore more there ...


Wednesday, July 2, 2008

Good News !

I am back in form again. Will be definitely giving some useful hints in Information Security and Digital Forensics daily. Also will share some views on my preparation for CISSP too ... Cheers !

My Life !

Now-a-days I am too busy !Preparing for CISSP. Attended a crash course from Intellisecure in Chennai from Jun19-22 for 4 days. Ok It was. Nothing much I can say. Only advantage I had seen is a glance on all ten domains which will give u a trigger to complete the certification soon. Daily dedicating 2 Hrs in night. Thanks to my wife for her wonderful support and constant encouragement through this learning phase....Work is going fine.....

An article about recent microsoft patch for SQL Injection Attack

SQL Injection Attack targeting websites using MS ASP & ASP.NET Technologies

This document is to explain an overview about the Security Advisory-954462 note from Microsoft.

What is this alert?

Microsoft has released Security Advisory 954462 – Rise in SQL Injection Attacks Exploiting Unverified User Data Input - on 24 June 2008.

Summary by Microsoft:-

Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.

The purpose of Security Advisory 954462 is to assist Web site administrators in identifying possible issues with their Web application code being susceptible to possible SQL injection attacks and to provide a stopgap solution to mitigate SQL injection attacks against the server while the applications are being fixed.


We need to understand that if we are following the best practices for secure web application development having control over user data input; this is not at all a threat to us. This is applicable to only those web applications which are developed using Microsoft ASP & ASP.NET technologies. My attempt is to put the best explanations made by Microsoft for your easy reference and If you require more I can work on this topic in detail.

The first one is detecting the presence of the vulnerability. The second is to defend the same by installing a tool. Microsoft also developed a tool for ASP developers for detecting the susceptibility for SQL Injection attacks. This tool is for only those whose use ASP not ASP.NET

Microsoft's Suggested actions:-

I) Detection – HP Scrawlr
Hewlett Packard has developed a free scanner which can identify whether sites are susceptible to SQL injection. This tool and support for its use can be found at Finding SQL Injection with Scrawlr at the HP Security Center.
Detailed description:
The tool will be a black-box analysis tool (i.e. no source code required). The user will input a starting URL, and the tool will:

1) Recursively crawl that URL for hyperlinks in order to build up a site tree.
2) Test all discovered links for verbose SQL injection by sending HTTP requests containing SQL injection attack strings in query string parameters.
3) Examine the HTTP responses from the server for SQL error messages that would indicate SQL injection vulnerability.
4) Report any pages found to be vulnerable to the user, along with the associated input field(s). For example, the tool might report that the fields “username” and “password” on page “foo.asp” are vulnerable.

II) Defense – UrlScan version 3.0 Beta
UrlScan version 3.0 Beta is a Microsoft security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the Web application on the server. UrlScan 3.0 will install on IIS 5.1 and later, including IIS 7.0. UrlScan 3.0 can be found at URLScan Tool 3.0 Beta.

Detailed Description:
UrlScan version 3.0 is a tool that will allow you to implement many different rules to better protect Web applications on servers from SQL injection attacks. These features include:
1) The ability to implement deny rules applied independently to a URL, query string, all headers, a particular header, or any combination of these.
2) A global DenyQueryString section that lets you add deny rules for query strings, with the option of checking un-escaped version of the query string as well.
3) The ability to use escape sequences in the deny rules to deny CRLF and other non-printable character sequences in configuration.
4) Multiple UrlScan instances can be installed as site filters, each with its own configuration and logging options (urlscan.ini).
5) Configuration (urlscan.ini) change notifications will be propagated to worker processes without having to recycle them. Log settings are an exception to this.
6) Enhanced logging to give descriptive configuration errors.

III) Identifying – Microsoft Source Code Analyzer for SQL Injection
A SQL Source Code Analysis Tool has been developed. This tool can be used to detect ASP code susceptible to SQL injection attacks. This tool can be found in Microsoft Knowledge Base Article 954476.
Detailed Description:
The Microsoft Source Code Analyzer for SQL Injection is a standalone tool customers can run on their own ASP source code. In addition to the tool itself, there is documentation included on ways to fix the problems it finds in the code it analyzes. Some key features of this tool are:

1) Scans ASP source code for code that can lead to SQL Injection vulnerabilities
2) Generates an output that displays the coding issue
3) This tool only identifies vulnerabilities in classic ASP code. It does not work on ASP.NET code

Some of the other urls I have referred and find useful details in related to this topic are:

1) - This link tells you some basic thumb rules for preventing SQL Injection Attacks.
2) - This link tells you the methods to find and fix SQL Injection vulnerability in ASP Technology.
3) - This link tells you the methods to find and fix SQL Injection vulnerability in ASP.NET Technology.


The suggestions provided by Microsoft are more comprehensive based on reading the procedures. It seems to be practically possible though I have not tested anything. The HP Scrawlr tool is the simplest tool to carry out the testing in test environment. Further urlscan and Microsoft source code analyzer will give ways for prevention.

Best Regards,