Full Disclosure mailing list archives
Re: Application Security Hacking Videos
From: Dave King <davefd () davewking com>
Date: Sat, 27 May 2006 11:14:32 -0600
I'm not sure what the clips from Microsoft are trying to show. To me it seems like they're intended to show that microsoft doesn't have a good fix for the problem at hand. From what I gathered from the training they were trying to show some ways to seriously lock down a SQL Server 2000, which would help mitigate some risks, while causing some usability problems. Microsoft has been an advocate of strong server side input validation (ASP.Net even has some nice features to help you with this). The video was just showing another layer in a good layered security approach. Lastly, I'm of the opinion that ticks should be allowed in a password. I don't like restricting characters in a password. However best practices should be followed. If for example, in the video the college had been storing the password as a secure hash, then hashing the password that was input and comparing them (preferably using a stored proc to do the sql stuff), then the attack would have failed. Dave King http://www.thesecure.net http://www.remotecheckup.com Joel R. Helgeson wrote:
With college campuses being hacked into on a seemingly daily basis, and student information being stolen and used for Identity Theft; I thought you might like to see how the hacks are being done, and how astoundingly easy they are. I have produced a video of a security audit I performed on a local college website that shows how easy these exploits are. There is also a brief training on the homepage that introduces non-experts to SQL injection concepts in a fashion that makes it easy to understand. Below is the link to the video of me hacking into the college web site using SQL injection: http://www.appiant.net/exploit.wmv Other videos related to application security can be viewed from the home page as well: www.appiant.net <http://www.appiant.net/> It’s not available from the web page, but if you want to see the video of Microsoft’s response to application security by securing the database: http://www.appiant.net/sql_security.wmv No, that video is not a fake; the entire video can be accessed from Microsoft’s website – the original is over an hour long, I just edited it down to ~5 minutes so you could get the point in a shorter timeframe. http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=31 Any questions, feel free to ask… Regards, Joel R. Helgeson President Appiant, Inc. 1402 County Road C2 W Saint Paul, MN 55113 (952) 858-9111 ------------------------------------------------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Application Security Hacking Videos Joel R. Helgeson (May 26)
- Re: Application Security Hacking Videos Dave King (May 27)
- Re: Application Security Hacking Videos Joel R. Helgeson (May 27)
- Re: Application Security Hacking Videos pagvac (May 27)
- Re: Application Security Hacking Videos Joel R. Helgeson (May 27)
- Re: Application Security Hacking Videos Dave King (May 27)