MX Injection Testing Available

In reference to the previous post, our partner Syhunt has added MX injection testing capabilities to their Sandcat product. Of course, this is in addition to the thousands of other tests already being performed by the tool.

Sandcat is an excellent tool for performing checks of web servers, web applications and such for potential and known vulnerabilities.

MSI is proud to represent Syhunt in the United States, and we use Sandcat as a powerful addition to our toolkit. If you would like more information about Sandcat or MX Injection, please call your MSI account executive and schedule a time for a technical briefing with an engineer.

MX and other injection vulnerabilities are an emerging risk, and more information will be coming over the next several weeks and months as various tools, techniques and products in the security community begin to evaluate product lines and software applications common to most organizations. Stay tuned for more on this family of issues as it becomes available.

Injection Attacks – Not Just for SQL Anymore!

Over the last several months, security researchers have been identifying more and more scenarios for performing injection-style attacks against various applications.

What is interesting about this is that many of the new injection issues have little to do with SQL. In fact, protocols like LDAP and SSI along with various forms of command injections, code injections and response spoofing have proven to be targets for this family of input attacks.

A recent article about a new version of these attacks, called MX Injections, discloses techniques for attacking and compromising various web-based mail applications. Using these types of exploits could prove a serious danger to organizations – exposing their internal communications and data stores to attackers, or even allowing compromise of underlying systems (depending on what the data stores contain).

Given the focus of attackers on new application layer techniques such as these, every organization should quickly identify their existing exposed applications and ensure that those systems have been appropriately tested for various injection issues. Additionally, since these techniques are continually evolving, a system of ongoing application testing is likely to be the most effective tool for protecting against these emerging threats.

Bugs

Last month, over two dozen kernel bugs were published on a security researcher’s blog. Most of them were found using a file system fuzzer, which would create malformed file systems to try to crash each kernel. Not all of the MOKB bugs were file system related, though. Some problems were found with Apple Airport drivers, Netgear wireless drivers, and Broadcom wireless drivers. Although more vulnerabilities that could be exploited are now known, this fuzzing approach does improve the overall stability of software available to consumers.

What I wonder, though, is why don’t these big company engineering teams have a process to find all these bugs before the software is put into production? The same free fuzzing tools and techniques are available to the engineers as are available to the underground, so why aren’t they using them as part of their development process at each step along the way? They actually have the source code… so it should be easier!

Big companies have been cutting corners in development, and especially testing, in order to turn a bigger quicker profit for their shareholders. Then, the vulnerabilities always come back to bite them and the consumer who gets exploited.

Eventually, maybe hundreds of years from now, all code will be open source and properly tested. People will realize that it is the only way to have secure software, and better processes will be put in place to ensure stable code. Until then, MO_B’s (Month of ___ Bugs) will be one of the only checks and balances upon the undertested software products being released today. Love them or hate them, security researchers that find these flaws are doing the work that the engineering teams should have done pre-release.

Making Passwords Manageable

Recently, with the passing of the Thanksgiving holiday, many of us have paid closer attention to those things for which we are thankful. I, too, have just taken an assessment and realize I have a plethora of things for which I’m grateful, at home as well as at work.

I know this might sound trite, but in my work life, I am thankful for my password vault. I’m sure many of you know and use this simple software tool, but for those of you who do not, a password vault is a software application that stores a list of all of your many passwords. What sets this type of tool apart from the plain text Word file where I used to store all my passwords, is that this application provides encryption. Now, I need only remember one password in order to access all of the rest!

This new device has set me free! As well, it has enabled me to follow all of our corporate guidelines for password creation and updating. No longer do I simply change the number behind my bird’s name! And, I can easily change all my passwords every thirty days, whether a particular network requires it or not.

I know this has been a problem for more than just me. Often, as a part of security assessments, our staff will conduct a physical review of our client’s workplace. During this “walk through”, we often find post-it notes with passwords underneath mouse pads and on computer monitors themselves! I always said I was more secure than that, since all my passwords were in a document on my hard drive. What I learned was that since my document was named “Passwords” and was in plain text, I was no safer than the person with the post-it note!

But the number of passwords I needed to remember and the frequency with which they needed to be changed were ever increasing. I wasn’t sure what to do until someone suggested a password vault. There are many of them available now, both open source and as off-the-shelf products. All that I have seen are easy to install, remain as an icon in your taskbar or on your desktop, and are easy to use.

My message here is short and sweet. Get and use a password vault. You and your security team will both be glad you did!