JACADIS Thought

This post is prompted by an exchange with a client that develops and hosts web applications for customers.  A recent automated vulnerability scan performed by the developers, on behalf of their client, revealed that a possible blind SQL injection point had been located in an aspx file.  As clear as day, passing bad data caused an unhandled exception, which was visible in the browser due to custom error messages being enabled.   The error message included a stack trace, the name of the database table used to authenticate users, the directory where the application was located, and the specific lines of code where the exception occurred. 

Attempts by the client to exploit the injection point were not successful, so a heated discussion arose between the developers and the client.  It did not center around how to fix the issue, but whether or not the named vulnerability actually existed.  In this case, the text of the alert was "Possible Blind SQL injection", pointing to the aspx file and the variable used in the injection. 

Now the discussion over the scan result is understandable: is it really SQLi or not?  Can data be extracted from the table "tblUser" or not?  I get this.  But what about the bounty of data contained in the stack trace, confirming that bad data caused an exception?  SQLi, RFI, XSS, XSRF -- who cares what it is called?!?  The code, as written, faults when bad data is passed! 

Apparently, this was not enough to convince the client that a code level fix was required.  The solution? Disable custom errors.  The result? No more vulnerability detected by the scanner.

Despite my best efforts, a "clean scan" was more important than bug-free code.  I believe this mentality is caused by a growing "checkbox security" attitude which allows mediocrity to displace excellence.  A "D-" is now acceptable because it's not an "F" -- "At least we passed!"  This checkbox attitude lets stakeholders console each other with "We scanned the app according to PCI 6.6.  No errors.  CHECK!"  Never mind the fact that we all know there's a bug, but we've disabled the error messages that allow the  security tools to see it... 

Security through obscurity at its finest.

A security topic that never fails to captivate an audience is “social engineering.”  In its simplest form, social engineering happens when a person uses trickery to manipulate someone into doing something or sharing confidential information.  In today’s digital economy, it's easier and more efficient to use technology like email to facilitate the theft of identities and sensitive data. 

Electronic social engineering, also known as “phishing” usually arrives in your mailbox as SPAM; unsolicited, usually tasteless, and for many organizations, more frequently than you’d like.   The email is designed to grab your attention and evoke a knee-jerk reaction.  Popular topics include:

“We have $50 million dollars for you in a Nigerian bank…”

“I saw you on YouTube…”

“Your bank account has been breached…”

Some phishing emails are clearly bogus -- misspelled, atrocious grammar, and flat-out offensive.  These are easy to spot if they make it past your SPAM filter.  Other emails are very crafty – seasoned with enough fact to raise your curiosity and lure you into a trap.  Follow these tips to keep from getting hooked.

Stay alert.  If someone secretly put a scorpion in your filing cabinet, you’d be pretty stunned when you reached in for the Jenkins file.  After getting stung once, you’d be very cautious every time you went for a folder.  Others who heard about your incident would be cautious too, hesitant and suspicious as they peered into their cabinets.  As strange as this metaphor may be, there are also dangers lurking in your corporate or personal email box.

Employees are under constant attack from cyber criminals.  Often, they do get “stung.”  While there’s no physical pain involved, the impact of a personal or corporate data breach can be extensive.  Needed is a level of awareness that protects us from the very real dangers that secretly enter our mail boxes and wait to catch us off guard.      

Do not react.  Social engineering attacks are effective because they create an emotional response that surprises the victim and temporarily forces their common sense into neutral.  Stay calm and follow these tips to keep you safe:

· Legitimate correspondence is well written and courteous.  It should not make you irate, embarrassed, or scared. 

· If you don’t use PayPal, eBay, or other online services, do not respond to emails from them.  Simply clicking the link can infect your computer with information stealing software.  

· If you receive an alarming email from an organization with which you do conduct business, call the number printed on official correspondence like a bank statement.   Do not follow web site links, provide personal information, or open any attachments.

· Pay attention to the spelling of web site addresses.  There’s a big difference between “bancone.com” and “banc0ne.com” – one might have your money; the other one will steal your money after you’ve unintentionally given them your bank information. 

· Bookmark and refer to the Web sites you know you can trust. Do not follow links sent to you via email.

Verbally report the incident.   Whether you’ve been tricked by a social engineering attack or identified the scam and resisted, it’s critical to report the incident.   Follow these steps:

· Immediately contact your IT department by phone or in person. Voicemail is not sufficient – be sure someone knows. Your PC may need attention.  The faster you respond, the lower the impact.

· If you successfully caught the scam, you still need to contact your IT department as soon as possible.  Others in your organization may also have been targeted.  If you’re quick enough, IT can send an email to warn your co-workers.  

· Do not forward the phishing email to a group of people.  There’s always one curious recipient that has to know whether or not the scam is real. 

Phishing attacks are the tactic of choice for identity thieves focused on committing fraud in your name. At their worst, a phishing attack may allow a crime ring to penetrate your company and steal the identities of your clients. For a company that is breached, the negative publicity coupled with the poor economy could spell business disaster. Keep yourself and your organization safe by staying alert, not reacting, and reporting suspicious email immediately.