Archive for May, 2008

SQL Injection

Others | University / IT

From the desk of Samy,

I didn’t want to post anything more today until next week… But this is almost compulsory! My fucking god, sometimes there are websites that make me freak out… How the hell can such a popular website have such a vulnerability?

Talking about SQL Injection is on my blog list now.

What do you think I could do with the following information, which I’ve just received after sending a VERY SIMPLE attack to the website?

Failed on select title.text, mistake.title, mistake.timecode, media, mistaketext.text, if((mistake.modified3) < (now() - interval 1 year),'yes','no') as yearold, date(mistake.modified3) as date, mistake.type from title, mistake, mistaketext where mistake.id = '' or 1=1' and mistaketext.id = mistake.id and mistake.title = title.id

Yes… You are right. EVERYTHING.

Remember that all the information (including the admin password and so on) is stored in the website’s database…
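The leaked error above shows the request parameter being pasted straight into the SQL text, and the failed statement being echoed back to the browser. As an added example (not code from the original post or from the site in question), here is that concatenation pattern beside the parameterized form it should have used, plus the kind of error handling that keeps the SQL out of the response. The SQLite schema is constructed and borrows only the table names visible in the leaked query (title, mistake, mistaketext); the columns, rows and function names are all assumptions.

```python
import sqlite3

# Constructed sample schema: table names come from the leaked query,
# columns and rows are invented for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table title (id integer primary key, text text);
        create table mistake (id integer primary key, title integer, type text);
        create table mistaketext (id integer primary key, text text);
        insert into title values (1, 'Film A'), (2, 'Film B');
        insert into mistake values (10, 1, 'continuity'), (11, 2, 'factual');
        insert into mistaketext values (10, 'Boom mic visible'), (11, 'Wrong year shown');
    """)
    return conn

SELECT_PREFIX = ("select title.text, mistaketext.text, mistake.type "
                 "from title, mistake, mistaketext where ")
SELECT_SUFFIX = " and mistaketext.id = mistake.id and mistake.title = title.id"

def lookup_concatenated(conn, mistake_id):
    # Vulnerable pattern: the caller's string is spliced into the SQL text, so any
    # quote character in it changes the structure of the statement.
    sql = SELECT_PREFIX + "mistake.id = '" + mistake_id + "'" + SELECT_SUFFIX
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, mistake_id):
    # Hardened pattern: the driver sends the value separately from the statement,
    # so the input can only ever be compared as data, never parsed as SQL.
    sql = SELECT_PREFIX + "mistake.id = ?" + SELECT_SUFFIX
    return conn.execute(sql, (mistake_id,)).fetchall()

def concatenation_error(conn, mistake_id):
    """Return the driver's error text for the concatenated query, or None.
    This is the text the site printed to the browser; it reveals the query."""
    try:
        lookup_concatenated(conn, mistake_id)
        return None
    except sqlite3.Error as exc:
        return str(exc)

def handle_request(conn, mistake_id, log):
    """What the endpoint should do: parameterized lookup, generic message on
    failure, with the detail kept in the server-side log only."""
    try:
        return {"ok": True, "rows": lookup_parameterized(conn, mistake_id)}
    except sqlite3.Error as exc:
        log.append(f"lookup failed for id={mistake_id!r}: {exc}")
        return {"ok": False, "message": "Request failed."}

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1"          # the exact input used in the post
    print(lookup_concatenated(db, "10"))           # one row, as intended
    print(concatenation_error(db, payload))        # unterminated string: query leaks
    print(lookup_parameterized(db, payload))       # [] - the payload is just a value
    server_log = []
    print(handle_request(db, payload, server_log), server_log)
```

With the page's input the concatenated statement becomes `mistake.id = '' or 1=1' and …`, which is exactly the broken SQL in the leaked error; the parameterized version compares the whole string against the id column and simply finds nothing.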

Have fun…

…SaMy*^30


Bruce Schneier’s speech: IT’s impact on the world economy

Conferences | University / IT

From the desk of Samy,

Fortunately, the other day I had the opportunity to attend another conference (I’m getting used to it): Bruce Schneier came to ETSE (my faculty, in UAB) on April 24. A brief introduction about who Bruce is:

Bruce Schneier (born 15 January 1963) is an American cryptographer, computer security specialist, and writer. He is the author of several books on computer security and cryptography, and is the founder and chief technology officer of BT Counterpane, formerly Counterpane Internet Security, Inc.

Bruce is an internationally renowned security technologist and author. Described by The Economist as a “security guru,” Schneier is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.

Now that we know a little bit more about him, let’s start! I hadn’t the foggiest idea what he was going to tell us, and it surprised me: the impact of IT on the world today, closely tied to security matters.

From now on, I’ll write this post according to Bruce, reproducing what he said.

First of all, we can make a word association:

Cryptography + Mathematical Security (algorithms) —> Computer Sec. —> Network Sec.

This means that cryptography is possible thanks to maths; together they make computer security possible and, by extension, network security.

Since September 11 (a bad day to remember…), security in general has received far more attention than before. Airlines, train stations, etc. are very sensitive, and information is gold. This single, representative example (9/11) gives us a general picture of why security matters and, indeed, how it affects the economy.

Bruce has just released his latest book, Beyond Fear, which talks about this: how economics affects security and so on. More information at the bottom.

There are 10 trends/facts about how human beings deal with security:

  1. Information is becoming more and more valuable, and its growth is exponential. Ten years ago we could hardly do more than buy a domain on the Internet and upload our page. Now we’ve got Google Earth, we can buy a book, …
  2. Networks are becoming critical. It may sound weird, but lost data can be more important than new data because of its possible consequences.
  3. Information is controlled by third parties. For instance, our mail is stored at Google, a third party. There was a well-known case: Paris Hilton’s mobile phone was once hacked… or so it seemed; everybody had access to Paris Hilton’s SMS messages and so on. But the problem wasn’t her mobile phone, it was the servers where the information was stored.
  4. An undeniable fact is that each technical improvement is better than the previous one, but security gets worse because the system becomes more complex.
  5. Criminals and hackers. At first, hackers were people whose hobby was to learn as much as possible in the computer field. They weren’t criminals. Now they are.
  6. Worms. It is very complex, but we can split them: there are criminal worms, which break your system, and there are hacker worms, inoffensive ones that don’t damage your PC.
  7. Patching. Vulnerability problems are easier to solve than they were years ago. Now we can patch something within days, which means your system can be patched very quickly; years ago we needed months to release a patch. However, nowadays, if we need a patch extremely urgently (a back door in our system, etc.), it arrives very fast but not very well tested, because there is no time for testing. So it’s not as secure as it was before, when our patches were very well tested and normally released without problems. As an example of how important this is, we’ve got Microsoft: at the very beginning, Microsoft released a patch every few days, and it was very unreliable. Now MS$ releases just one patch per month, that is to say, more security granted. The problem is that there is a bigger window of exposure, because you need a patch because you’ve got a vulnerability.
  8. Cryptography. Security is based on cryptography, and all networks and communications are encrypted (more or less). So the real risks are at the end points, where there ain’t crypto. We can assume that if the end points are unsafe, the security no longer matters. The problem is that this is very difficult. The best way to improve security is by regulation.
  9. Our computing is being more and more outsourced. For instance, Canada doesn’t wanna share information with the USA.
  10. Sorry, I missed this one :(

Nowadays, security depends more on the plan the science has than on technical problems.

We can make a list (it seemed that Bruce loves lists…) of the costs and benefits of IT in the field of economics.

  • In the future it will get harder to protect things, that is to say, more expensive.
  • If we can understand economics, we can understand computer science. Otherwise, it will be confusing!
  • The more people use a piece of software, the more valuable it becomes. For instance, a lot of people now use Windows CE, so there is more support, more features and so on.
  • Software prices. We can fix a price for a chair: we say a chair has a fixed cost (X), and if we buy two chairs they cost 2X. But what happens with software? The first copy is very expensive, maybe millions of dollars. But a copy of it (the same software) costs almost zero, and so do the third, the fourth… So companies wanna fix the price of their software in order to have a fixed cost for each program they sell.
  • Economic switching. If you don’t like a brand of water, you can switch to another without problems, or almost. But this is more difficult if the product is software. It’s more difficult to switch to another country if the object is software (a program…). Switching your company to another software company is very expensive.

After that, Bruce gave us a brainstorming session.

Security is very important, as we have just seen: people affect the software companies, the software affects information, and information is gold. But even though it’s a very delicate matter, people are not security aware. This is why it’s so important to build a security structure. Remember that the way to solve security problems is by regulation.

A typical example: your system has been infected by a virus, but you had your PC well protected. It was your mother, who wasn’t security aware, who lowered the security settings in order to do something. You’ve been affected by a third party even though you were ready for worms and so on.

Making regulations is a liability because laws affect everyone, and that means economics + computers… which is what we need to be safe.

Another security problem is that we always buy the cheapest product. Then security fails. If we had spent a little bit more, security would have been more effective. But no, our pockets have to keep a lot of money. Nevertheless, when security fails we have to spend more money repairing the consequences. What would have happened if we had spent that money at the beginning? We would have spent the same money, but we wouldn’t have had problems. There has to be a balance between security and the money spent on it.

He added that free software allows people to learn more and protect themselves better, so everybody should use it.

This was his speech. If you wanna know more about security (in the field of economics), you can take a look at his latest book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

His blog is also very well known, and he updates it himself regularly with a lot of important matters related to security. Click here if you want to access it, or here if you wanna see his webpage. You can subscribe to his weekly newsletter too.


…SaMy*^28
