
PayPal patches critical SQL injection hole on its platform


April 15, 2013

Internet security researchers have published a more complete report of a recently patched SQL injection hole discovered on PayPal's popular payment platform.

The Vulnerability Laboratory Research Team received a $3,000 reward after discovering a remote SQL injection vulnerability in the official PayPal GP+ Web Application Service.

The critical security flaw, which could have been exploited easily and remotely, allowed attackers to inject commands through the vulnerable web application into the backend databases, potentially tricking them into giving up sensitive data and causing financial losses in the process.

Based in Poland, the security researchers reported the security vulnerability to PayPal in early January. Vulnerability Laboratory produced a full-fledged, proof-of-concept demonstration to illustrate its many concerns when it reported the security flaw to PayPal.

The payment-processing company succeeded in patching the flaw in late January, but the fix wasn't reported in the media until today.

There's no evidence that the security flaw was ever abused, which is just as well since its potential impact was very critical, as an advisory by Vulnerability Laboratory explains: "The vulnerability is located in the analysis all review module with the bound vulnerable page ID parameter listing. When a PayPal customer is processing to request the link to, for example on page 7, the server will include the integer value not encoded or parsed in the URL path. Attackers can exchange the integer page with their own SQL statements to compromise the application DBMS and all PayPal accounts."

The second issue is that the server is bound to the main site's authorization, so a compromise of the DBMS via injection could in turn be used to exploit the PayPal services bound to it.

Attackers can access all database tables and columns to compromise the GP+ database content and disclose personal and financial information, deface the website, phish the account or extract database password or username data.

The security vulnerability could be exploited without user interaction, but it required a low-privileged user account to visit the restricted web page. Successful exploitation results in web application context manipulation via DBMS injection, website defacement, hijacking of database accounts via DBMS extraction, disclosure of database content, data loss or a full-blown DBMS compromise.

Benjamin Kunz Mejri of Vulnerability Laboratory led the research into the security flaw. An advisory by the Polish researchers suggests that the vulnerability could be patched by a "secure parse of the page parameter request when processing to list via the GET method" combined with changes to prevent the display of errors.

It's still unclear if PayPal followed this approach or identified a different way to fix the flaw, however. PayPal issued a brief statement confirming that the flaw was "not impacting our website" at the time the vulnerability became public today.
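The pattern the advisory describes (an integer page ID spliced unparsed into the query) beside the "secure parse of the page parameter" fix it recommends, written as an added example that is not PayPal's or Vulnerability Laboratory's code; the table, column names and page size are constructed stand-ins.

```python
import re
import sqlite3

# Strict integer, bounded length: anything else is rejected before it
# reaches the database (the "secure parse" the advisory asks for).
PAGE_RE = re.compile(r"^[0-9]{1,6}$")


def make_db():
    """Constructed sample data standing in for the review listing table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reviews (id INTEGER PRIMARY KEY, page INTEGER, body TEXT)")
    conn.executemany(
        "INSERT INTO reviews (page, body) VALUES (?, ?)",
        [(p, f"review {p}-{i}") for p in range(1, 10) for i in range(3)],
    )
    return conn


def list_reviews_unsafe(conn, page_param):
    """Vulnerable pattern: the raw URL value is spliced into the SQL text,
    so the value is free to change the query's logic."""
    sql = f"SELECT body FROM reviews WHERE page = {page_param}"
    return [row[0] for row in conn.execute(sql)]


def list_reviews_hardened(conn, page_param):
    """Parse the page value strictly, bind it as a parameter, and never
    echo the DBMS error text back to the client."""
    if not PAGE_RE.match(page_param):
        return None  # caller renders a generic 400, not the DBMS message
    page = int(page_param)
    if page < 1:
        return None
    try:
        rows = conn.execute("SELECT body FROM reviews WHERE page = ?", (page,))
        return [row[0] for row in rows]
    except sqlite3.Error:
        return None  # log server-side; the response stays generic
```

The unsafe function returns every row when the page value carries a tautology, while the hardened one refuses the request outright; the difference is the parse, not the query.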

In other internet security news

Check Point said this morning that it will soon integrate cyber-espionage defense to its enterprise firewall line and gateway security products with the addition of sandbox-style technology.

The "threat emulation" software blades for Check Point firewalls will be available sometime in May or June and will add to other threat prevention layers, such as the anti-virus and anti-bot technology launched last year.

All of these technologies were developed by Check Point itself. The latest strains of malware are designed to switch off if they detect that they are running in a virtual machine, as a means to thwart security analysis. Tom Teller, a security strategist at Check Point, said that the emulator technology it is developing is much more difficult to detect than a virtual machine.

The threat emulation software carries out both static and dynamic analysis to figure out if a file is changing registry settings, altering other files or attempting to connect with blacklisted servers, among other things, before deciding if it ought to be blocked and quarantined.

Prior to putting the technology into its security appliances, Check Point has set up a microsite where files can be uploaded for emulating and checking.

The latest generation of cyber-attacks feature custom malware and spear-phishing which is something that Check Point wants to put a serious dent in. Teller is optimistic that IT vendors such as Check Point are coming up with technology capable of detecting and mitigating advanced malware attacks.

Even if the initial infection occurs, it might be possible to isolate compromised systems and prevent an attacker from accessing corporate resources or extracting sensitive information.

"If you can break one of the layers of an attack then the whole attack fails," Teller said. Check Point also owns the Zone Labs line of personal firewall and security suite products.

However, Gabi Reish, head of product sales, said the only safe assumption in corporate security was to assume that an end-point might be compromised and to design corporate defenses appropriately. The anti-bot blade incorporated in Check Point's gateways is designed to block malware-infected zombies from phoning home.

The forthcoming emulation and existing anti-bot and anti-virus blades fit in with the "razor-and-blade" model introduced by Check Point more than four years ago.

The Israeli firm's security appliances and gateways are the "razors", while the "blades" are the software that customers buy and use to deliver different types of network protection.

For example, the App Control Blade manages social media apps, while the Mobile Access Blade secures employees' smartphones and tablets.

Check Point is pushing this technology to SMEs with the launch of its new 1100 appliances. The equipment, designed for branch and remote offices with up to 100 users, offers 1.5 Gbps of maximum firewall throughput and 220 Mbps of max VPN throughput.

Check Point is also offering the Software Blade Architecture on low-end hardware for the first time. The 1100 Appliances, launched at Check Point's user conference in Barcelona earlier this week, start at $599.

Multi-layered protection options include: Firewall, VPN, IPS (intrusion prevention system), application control, mobile access, Data Loss Prevention, anti-bot, identity awareness, URL filtering, anti-spam and anti-virus.

Everything beyond the standard components costs extra, but customers benefit from the flexibility while Check Point resellers gain a better opportunity to sell add-ons.

In other internet security news

Independent security firm AV-Test has released a report for Windows 8 for the first time, and it once again found Microsoft's own software products were among the weaker performers when it comes to internet security.

The German security company tested its usual batch of 25 antivirus software for consumers, plus eight aimed at corporate users, during January and February of this year. It published its results on April 6.

Microsoft Windows Defender, the rebranded version of Microsoft Security Essentials that comes bundled with Windows 8, scored just 2 out of 6 in AV-Test's Protection rankings. Worse, Microsoft's enterprise-oriented System Center Endpoint Protection scored a paltry 1.5.

According to AV-Test, Windows Defender managed to spot just 82 percent of zero-day malware attacks during January, and 81 percent during February, based on 125 various samples. The industry average was 95 percent.

Windows Defender did a little better at detecting "widespread and prevalent" malware, catching 98 percent of samples thrown at it in January and 99 percent in February.

On the enterprise side, System Center Endpoint Protection caught a consistent 98 percent of widespread malware samples across both months. That was another subpar showing, though, given that on average, the other enterprise products identified all the samples.

And Endpoint Protection's track record for zero-day malware was even worse than Windows Defender's, spotting just 80 percent of the samples in January and 83 percent in February.

Both of Microsoft's products ranked fairly well in other aspects AV-Test looked at. In particular, both scored 6 out of 6 for usability, with no false positives spotted and no legitimate actions being blocked erroneously. Both offered reasonably good performance as well, although Endpoint Protection proved a notch above Windows Defender.

Many customers might argue, however, that high usability and fast performance aren't good when the product isn't so hot at what it purports to do: stopping malware.

Nevertheless, others are likely to disagree with AV-Test's assessment of Redmond's security products – not least of which is Microsoft itself. AV-Test has butted heads with the software giant over its testing methodology in the past, which Microsoft says uses malware samples that "don't represent what our customers encounter."

Several other products significantly outperformed Microsoft's on the Protection portion of this round of AV-Test's evaluations. Leading the pack in the consumer sector were products from F-Secure, G Data, Bitdefender, Kaspersky, BullGuard, and Trend Micro, all of which earned perfect scores.

In the enterprise segment, Kaspersky and F-Secure topped the list. The full results of AV-Test's January-February testing can be found on the company's website.

In other internet security news

Believe it or not, Windows XP is still being used on over 40 percent of all personal computers, including desktops in large Fortune 500 companies. With just one year left until Microsoft ends its free support for that aging Windows version, if you don't currently have a migration plan in place, it's high time to start thinking about one.

Exactly one year from today, on April 8, 2014, Microsoft will stop fixing defective OS code and will no longer release free security patches for an operating system that has been in use since 2001.

From that date on, you'll either have to put up with hackers, viruses and malware writers or you'll be forced to pay for premium-level Microsoft support.

Market research firm Gartner says that Microsoft will charge you $200,000 if you have a Software Assurance contract and $500,000 without a SA agreement.

With just twelve months until next April’s deadline, if you haven’t already started moving off Windows XP then there’s little chance you'll finish in time.

Adrian Foxall, chief executive of application migration specialist Camwood says that he fully expects his company will still be working with customers on migrations up to a year after next April’s deadline has passed.

Microsoft officially estimates a “successful” migration would take 18 to 30 months. “The next two years will be very busy for us,” Foxall said. “We’ve made great steps with a lot of customers, but for everyone that’s there, there are at least ten that haven’t done anything yet."

"Even if all those who were unprepared started to plan ahead, physically, there simply wouldn’t be enough people to get through all of that,” he added.

Over the years, Camwood has migrated business applications for many customers. Camwood says that just 42 percent of Windows XP customers have not yet started moving. Foxall also noted that while a surprising 15 percent of IT decision-makers didn't know about the existence of next year's deadline, of those who are aware, 23 percent blamed their colleagues on the business side for blocking migrations.

Camwood's data comes from its survey of 250 strategic decision-makers, initially released in March and now published in detail alongside a migration white paper.

Factors blocking upgrades include lack of budget (25 percent) and hardware issues (27 percent). That's a real issue because it means organizations have decided to upgrade as part of a business-as-usual process of buying new PCs to run Windows 7, rather than realizing that they actually have to rewrite their Windows XP apps.

Business managers aren't forking over budget partly because of the parlous state of the economy, partly because they are waiting to see whether they'll still be around in a year's time, and partly in the belief that today's issues matter more than something that could happen twelve months from now, Camwood added.

Additionally, it seems that some corporate IT departments are out of shape on planning and executing Windows upgrades as well.

Many adopters of Windows XP later avoided Windows Vista because that OS had, and continues to have, so many problems. For many of those companies, this means it has been thirteen years and several working generations since their IT departments last had to manage a mass Windows upgrade program.

Since then, we’ve had a surge in home computing and a growing expectation that devices should update themselves automatically.

Camwood’s solutions architect Ed Shepley says that he’s talked to some customers who are complacent and simply don’t understand the scope of the work that’s looming.

“People are used to a Mac or an iPad updating by itself. Computer users have got used to easy IT solutions and they don’t recognize the security issues that are facing them until it's too late,” he says.

"When you run through the logistics, when they want to start the business engagement and pilot it in a reasonable manner, and then deploy it at large, and when you explain all of what it involves, you get that deer-in-the-headlights look," he added.

Foxall agrees: “In 2001 and 2002 when Windows XP was new, the office computer was better than the home PC. Now that culture of where 'It’s so easy to do at home so why should it be so hard to do in the office' - that little learning curve has become a dangerous thing.”

Among the problems to consider is application compatibility with Windows 7 and 8, thanks to changes introduced in Windows in the years after Windows XP.

For example, Session 0 Isolation was introduced in Windows 7, User Account Control came with Windows Vista, and Windows XP's GINA secure authentication and log-on service was replaced by the Credential Provider model in Windows Vista; the two are not compatible with each other.

Camwood's advice now is to do what's realistic in the time left before next April. That means managing a phased migration that moves groups of applications rather than trying to move everything at once. This involves identifying the most important apps and moving them first, weeding out apps that are old or unused and dropping them, and keeping the Windows XP apps that really matter off the web and working only behind the corporate firewall.

In other internet security news

An individual claiming to be a "1337" hacker has removed several programming projects hosted by SourceForge.net. In other cases, projects were modified or otherwise compromised.

For example, web pages for the network utility 'Angry IP Scanner' and similar open-source software hosted by the online coding vault were altered by the same hacker.

The person responsible claimed that the websites were hacked using a backdoor, and then darkly warned that he could have caused far worse damage had he wanted to.

Each vandalised project read: "This is a project whose homepage has been hacked with the SourceForge backdoor by a 1337 hacker! It is extremely lucky because this message is the only change I did. After I found this backdoor, being nice, I added this message to some SourceForge-hosted sites to warn them, instead of maliciously dropping their tables."

The truth is rather mundane: In a blog post, SourceForge's managers said each affected project had files that could be accessed by anyone on the web and that these documents contained usernames and passwords for editing the project.

In essence, anyone who knew where to look on a project's website could find, use and expose these sensitive credentials.

The SourceForge management staff responded: "Upon investigating, we found that the affected projects had configuration files (which contained database usernames and passwords) that were world readable. In other words, anyone looking in the right spot could get these usernames and passwords and have direct access to the database itself."

The "1337 hacker" commented on the SourceForge blog: "After checking 850 projects, I've hacked only 44, but you were lucky! I did this to notify the project owners so that they would fix this critical issue. If other hackers did this, they might not have been so nice as me. They might plant malicious scripts or even just delete your data for the sake of it."

Arguably, SourceForge.net should consider ensuring that no world-readable files are created by default. But coders must still carry a large part of the blame for not picking the right permissions in the first place.

SourceForge, which hosts more than 320,000 projects, explains how to set up proper file permissions on its site. It also explains how to reset project database passwords.
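A permission audit of the kind the SourceForge post implies, finding configuration files that are readable by "other" and restricting them to the owner, as an added example that is not SourceForge's own tooling; the file names treated as sensitive and the sample project tree are assumptions.

```python
import os
import stat
import tempfile

# Assumed names of files that typically hold database credentials.
SENSITIVE = ("config.php", "db.conf", ".htpasswd")


def world_readable(path):
    """True when the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_tree(root, fix=False):
    """Return the sensitive files under root that anyone on the host can
    read; with fix=True, also restrict each one to owner read/write (0600)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SENSITIVE:
                continue
            path = os.path.join(dirpath, name)
            if world_readable(path):
                findings.append(path)
                if fix:
                    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return findings


def demo():
    """Constructed sample project tree: one leaky config file (0644) and
    one already locked down (0600). Returns findings before and after fixing."""
    root = tempfile.mkdtemp()
    htdocs = os.path.join(root, "htdocs")
    os.makedirs(htdocs)
    leaky = os.path.join(htdocs, "config.php")
    locked = os.path.join(htdocs, "db.conf")
    for path in (leaky, locked):
        with open(path, "w") as f:
            f.write("db_user=constructed\ndb_pass=constructed\n")
    os.chmod(leaky, 0o644)
    os.chmod(locked, 0o600)
    before = audit_tree(root, fix=True)
    after = audit_tree(root)
    return before, after
```

Note that the mode bits on the file are only half the story on a shared web host: a directory listing or a web server configured to serve the file still exposes it, so the audit belongs alongside a check of what the web server actually serves.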


Source: The Vulnerability Laboratory Research Team.
