
Trend Micro Tech-TV: Demonstrate and Prevent SQL Injection Exploits


Hello and welcome to Trend Micro Tech TV. This series of podcasts is being brought to you by Trend Micro's partner enablement and sales engineering team. Each episode will arm you with the real-world knowledge and skills you'll need to become true trusted advisers to your customers when it comes to Trend Micro's strategic solutions. This podcast is part of our [xx] security series; specifically, how to prevent a SQL injection exploit. It is narrated by Michael Lawson, senior security engineer.

Thank you for downloading this videocast. The topic of today's videocast is SQL injection attacks. My name is Michael Lawson, and I am a senior sales engineer at Trend Micro. Today we're going to be talking about SQL injection attacks: what are they, what companies have fallen victim to and been victimized by SQL injection attacks, and, most importantly, we're going to do a demonstration where we can show that the Trend Micro Deep Security product can not only detect this type of activity and capture the packet of data that contains the injection code, but then we can show that the Trend Micro Deep Security product can prevent these types of attacks altogether.

So what is a SQL injection attack? Well, a SQL injection or insertion attack is a technique that exploits a security vulnerability occurring in the database [xx] [xx] an application. So what that really means is inserting some code into an online form, a form on a website. Basically a username and password entry field, like on your bank site where it says username and password; that's a form.

And what a hacker will do is just go to the bank website, see that form, take a guess and put in a username and password, and insert some code there. And that code will basically give them a clear channel of communications, or tunnel, directly to the database, irregardless or respectively of any type of intrusion detection systems or network security equipment that has been installed before the physical database server. So a lot of companies put a lot of physical controls on information networks and information infrastructure and put in a lot of firewalls and physical devices to detect and prevent this type of thing happening. SQL injection attacks [xx] It's a specifically tricky type of attack because it's actually occurring inside the application, which has been granted access to the internet to start with. So it's a little hard to [XX] actually properly identify and capture this type of activity. And that's where the Trend Micro Deep Security product has an advantage, because it's actually running on the server itself. It can detect this specific type of attack, which we'll show a little bit later on in today's videocast.

So, is this a real attack? Is this really happening, or is this just a security company hyping up an attack and doing some fear selling to get people to come in? Well, it really is happening. It happens quite a bit, actually. It's been happening going back to about, I would say, 2005, when databases really started coming online, and some people said it's because Microsoft released SQL 2005 and it was one of their first really best efforts in the database world and really became popular. But these attacks can happen irregardless of whether you're using a Microsoft database or another type of database back end.

So who gets hacked? Well, The Register. That was a British UK website, and they were compromised using SQL injection. And the homepage of the website was defaced, probably a little bit of reputation loss there. But, again, it's a newspaper. Let's hope there wasn't any other type of data loss, PCI or otherwise, associated there. [xx] has an online presence where hackers breached their database containing unencrypted usernames and passwords [xx] about 32 million users. Again, they used a simple SQL injection attack to do that. The British Royal Navy, they were attacked and compromised; their home page was [xx], causing a little bit of reputation loss there, a little bit of embarrassment for, I'm sure, the Prime Minister to have to explain away. 7-Eleven and the hotline payment systems, that is, a couple of companies that were processing PCI information, so basically credit card information, credit cards and financial transactions that were being processed by 7-Eleven employees and [xx] payment systems. There was also a third company involved in this specific incident called Hanford (sp?) Brothers. This was in August 2009, and the hackers were able to get a hold of a hundred and thirty million credit card numbers using a simple SQL injection, and at the time it was the biggest case of identity theft in American history. So, a simple SQL injection attack, out of thirty million credit card numbers. Wow. H.B. Gary, this is a technology security firm. They were hacked by an online hacking organization, and that caused a significant amount of reputation loss for one of the company's officers. And again, proving that, you know, [xx] based devices are enough when it comes to protecting our computer systems and protecting the information. Trend Micro has always preached layers and layers of security. And this is where the Trend Micro Deep Security product really has an advantage over the competitors, with its ability to detect and prevent these types of attacks.

So, what is the attack? I keep calling it a simple thing. Really, what is it? Well, you know, it starts with a simple parenthesis, or one equals one, semicolon, dash, dash. So if you go to Google or any of the online search engines... I want everyone to understand, I'm not giving away some malicious code here. I'm not opening up the kimono, so to speak, for everyone to understand how to hack computers. This is stuff that's publicly available; you can search on the internet for SQL injection attacks and come up with these examples. So what does this parenthesis do? Well, basically, let's go back to the example that I was talking about. You've got a username and password field on a banking website. After I put in a username and I guess the password, I put in a single parenthesis. That ends the previous line. That previous line is where we're asking, you know, does this username and password have access to this application? Single quote, end that line, or does 1 equal 1? And we're asking SQL Server, does one equal one? Chances are it's going to come back and say, "Yes, it does." Then we are going to put a semicolon in there, which is going to end that line, because yes, true, is really the answer we want. And then this dash-dash, and the rest of the line is suppressed as comments, right? And it's basically going to suppress any type of errors that might get returned. Because during this authentication process, what I'm saying is, I don't know what the username and password is, and this probably will look a little [xx] in the demo, but I'm going to go ahead and put in a fake username and password and I want SQL to come back with an answer of true, even though the username and password is not. And how do we do that? We do that with the injection attack. So we're going to go ahead and shift into the demo and show how this SQL injection attack can be detected and prevented by Trend Micro's Deep Security product.

So, continuing on with our SQL injection attack videocast. Here I've got a fake website I've set up, Capital Mortgage Consolidators, and this website, for today's purposes, is being managed and protected by Trend Micro's Deep Security product. And it is worth noting that for the first stage of this, we're actually going to have the Deep Security product in Detect mode, not Prevent mode, so we simply want to detect malicious activity occurring in this web application and not prevent it. It makes a little bit better show if we detect it initially. So we have a bank website here, and just to show you, by clicking on these other tabs here, I really need to enter a username and password to gain access. So I don't know what the username and password is. I'm just going to take a guess, and I'm going to say, how about I log on as J Doe and my password is 1 2 3 4 5, and try to log on. Nope, that authentication failed. So I'm going to have to try something else. Well, I could sit here and try to brute-force hack my way in here, but with brute-force hacking, a lot of applications out there have ways of detecting if someone is guessing, right? So after three failed attempts they'll lock the account and force the customer to call in, or send an email to the customer's web email address on record so they can then re-authenticate their computer and get back in. So I don't know what the password is. This is where I'm going to actually use my SQL injection script that we talked about earlier. And this again is the parenthesis or [xx] one. So now I'm going to type in J Doe and 1,2,3,4,5 again, and I'm going to paste in that "or 1=1" statement behind there, and I'm going to log in. It says, "Hey, welcome back, John Doe," and now I've got access to the rest of the website. Again, this is a very simple website, but imagine if this was your credit card company's site, your bank record, or your company's bank record. Now I have got access to a lot of information here and I could compromise it. I could either steal an identity or start, you know, possibly making some withdrawals on your behalf so I could go ahead and get my Christmas shopping done early, or I might just sell the fact that, oh hey, this company Capital Mortgage Consolidators is compromisable by SQL injection attack. So I might try and sell that information to another company on the Internet, or another group, organization, or crime syndicate that's willing to pay for that type of information, or I might steal the information and try and blackmail Capital Mortgage Consolidators into paying me for some information. So, that's how a SQL injection attack works.

Now we're going to show: was Deep Security actually able to detect that, and what type of log would we get back from it? As you see here, we have got the Deep Security Manager up and running, and I just got done running the SQL injection hack across Capital Mortgage Consolidators' website, and now we want to see what Deep Security was actually able to capture and detect. So the specific module of Deep Security that does this type of detection and prevention is our deep packet inspection module. And this module, if it's a VM or virtualized machine, can run agentless, or if it's a physical machine it can run on the machine itself. Regardless, the way Deep Security behaves is that it's running on the server, and thus we're able to [xx] this information as it's being processed through deep packet inspection. So when I look at the DPI events, or deep packet inspection events, I see we've got some rules here that have been violated. And I can quickly double-click one of these, and it says the generic SQL injection prevention rule was violated. I can tell where it came from, what the destination was, the source, where this attack originated. And that's great information if you're trying to determine if this was an internal or an external attack.

What type of tags? I can add a tag into it and say "validated," that I have verified this attack, and hit Finish. So, you know, basically, the ability to put tags on system events as they occur lets a consolidated group of individuals work together and make sure that we don't do double work. And then in the reporting engine we can actually sort and search on these tags. And then the data packet itself: what did it actually capture? What do we have here? Well, for those who have done any type of packet sniffing on a network, you know that this is exactly what we've done. We've actually captured the full-blown packet here, and then we're going to come down here and actually see: do we have the actual username and password? And here's the username and password I put in, so we'll be able to capture it so we can tell. I used the credentials of J Doe and the password I used was jjj. And then I've got 1=1 in here. And then we see the two dashes to suppress any type of comments, right? And that's how we were able to successfully compromise the website and get in. So we've got this datagram grabbed here. I can take this information and send it to my database developers and start asking, how come our database in general is susceptible to this type of attack? Is this needed? Is there a way to programmatically prevent this? But most specifically, what I should be doing is calling Trend Micro and saying, "How do I prevent this?" And again, how do we prevent it? Very easy. We're going to go to the Computers tab and click on the deep packet inspection module here and take it out of Detect mode. In the deep packet inspection segment of the target computer's details screen here, we see that we are in Detect mode. To put this in Prevent mode we're simply going to click the radio button for Prevent, and we're going to hit Save.

I'm going to go up here to the home tab or page of the computer, and we'll see that it's going to go from Managed (Online) to Updating as the current status. There we go. So the current status of this computer is now Updating, where that rule set is being sent to the computer. One thing to note here is the action taken on the injection attack: when we had it set to Detect Only, it was only detected; if we are in Prevent mode, the action is to reset the connection. By resetting the connection, it's basically going to tell the end user to try and re-attempt to connect to the website. "Lost connection" is what the end user is actually going to see in their browser. And we're going to demonstrate that here in a minute. One of the other features of the Detect Only mode is this is a way, you know, as the Trend Micro deployment engineers are working to deploy this application in your environment, we can put rules in place and put them into Detect mode only to make sure that it's not going to cause a problem in production. So we can go into Detect mode only and capture events and validate that the rule set is a good rule and it's not going to do any harm. And if that's the case, then we can take it from Detect to Prevent mode. So by now our system has been updated. We're back to Managed (Online) status, and we're going to go ahead and close that. And I'm going to go here to the login and password of Capital Mortgage Consolidators again, and I'm going to type in my username of John Doe, put in that password of 12345, and I'm going to drop in the SQL injection script. And as I mentioned before, Internet Explorer says the application server has reset the connection. So this is what the hackers or the crime syndicate that's trying to break in is going to see. And this is very typical of what you'd see if you just lost internet connectivity. And this is Deep Security sending the reset back up. So, you know, in closing, we've made the server a hard target using some state-of-the-art technology by Trend Micro. And now this computer system is a hard target. The hackers are more than likely going to move on. They want softer, easier, low-hanging fruit to grab. Thank you again for downloading and watching this videocast. You can watch this and many other videocasts at trendedge.trendmicro.com. Thanks for watching this podcast. We invite you to send your comments and suggestions to Tech TV at TrendMicro.com.
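As an added example that is not part of the videocast or of Deep Security, here is a login check built by string concatenation, the way the narrator describes the vulnerable form, beside a parameterized version that treats the same input as plain data, using an in-memory SQLite table with a constructed user. The signature check at the end is my own crude stand-in for the "generic SQL injection" rule the DPI module fires on, not Trend Micro's rule.

```python
# Added example, not from the videocast: vulnerable vs. parameterized login,
# plus a crude signature check standing in for a DPI-style detection rule.
import re
import sqlite3

# Constructed sample data; the demo's Capital Mortgage site is not available here.
# (Plaintext passwords are a separate weakness, kept out of scope on purpose.)
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('jdoe', 's3cret-not-12345')")


def vulnerable_login(username: str, password: str) -> bool:
    """Builds the SQL text from user input: the flaw the videocast exploits.
    A quote in the password closes the literal, 'or 1=1' makes the WHERE
    clause true, and '--' comments out the dangling quote that would
    otherwise raise a syntax error."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def safe_login(username: str, password: str) -> bool:
    """Parameterized query: the driver binds the input as a value, so a
    quote or 'or 1=1' inside it is compared literally, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Hypothetical stand-in for a generic SQL-injection signature: a quote that
# closes a literal followed by a tautology, or a SQL line-comment marker.
# Real DPI rules are far broader; this only shows what such a rule keys on.
INJECTION_PATTERN = re.compile(r"'\s*or\s+1\s*=\s*1|--", re.IGNORECASE)


def looks_like_injection(field: str) -> bool:
    """Detect-mode check on a submitted form field (defensive logging only)."""
    return INJECTION_PATTERN.search(field) is not None
```

Running the narrator's guessed credentials through `vulnerable_login` fails, the same guess with the injected suffix succeeds, and `safe_login` rejects both.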
