Infigo - New Document

Whitepapers

Fri, 31 Mar 2006 10:44:03 +0200

Correct understanding of problems and terms related to information security is critical for global security awareness raise.

INFIGO IS publishes whitepapers to provide better understanding of specific terms and problems in the information security area. Depth and topics of published whitepapers varies from detailed descriptions of specific technical topics intended for security experts up to the general description of information security management systems intended for security managers and broad audience.

Whitepapers published on these pages are the sole property of INFIGO IS and can be used only in accordance with the Terms of Use.

Advanced PostgreSQL SQL Injection and Filter Bypass Techniques

Wed, 17 Jun 2009 14:36:22 +0200

Title:	Advanced PostgreSQL SQL Injection and Filter Bypass Techniques
Date:	2009-06-17
Size:	156 Kb
Category:	Technical
Complexity:	*******
Summary:	According to the WhiteHat Website Security Statistics Report from 2009, SQL injection vulnerabilities make up to 17% of all web application vulnerabilities. Besides being very common, SQL injection vulnerabilities typically allow an attacker to read or even modify arbitrary data in the database used by the web application. This increases the risk resulting from such vulnerabilities. In order to increase the overall security of web applications, companies today often implement web application firewalls or filters. While web application firewalls can indeed stop certain attacks, they are not a complete solution to web application vulnerabilities. This document demonstrates advanced blind SQL injection vulnerabilities on PostgreSQL databases. The document is result of a penetration test performed on a real system, with real web application firewall protecting a vulnerable web application.

Analysis of a Banker Trojan

Mon, 22 Dec 2008 10:36:00 +0100

Title:	Analysis of a Banker Trojan
Date:	2008-12-22
Size:	371 Kb
Category:	Technical
Complexity:	*******
Summary:	The rise of criminal activity on the Internet has been evident quite some time. In the last couple of years, the criminals have started targeting Internet banking users. The increasing number of targeted malware calls for additional caution. Croatian banks have historically been neglected by various Trojan horses, probably due to two main reasons: a perception of a smaller return of invested to the attackers and relatively high levels of protection implemented in Internet banking services typically found in Croatia. INFIGO IS's security research team regularly tracks and analyses malicious activities on the Internet. For the first time, a Trojan horse belonging to the Banker family that amongst foreign banks also attacks Croatian banks has been identified. The two biggest Croatian banks, "Zagrebacka banka" and "Privredna banka" are targeted by the Trojan. These banks are especially attractive to attackers due to their large number of clients.

Scaling of Values of Multiplicative Method for Risk Evaluation

Tue, 09 Dec 2008 17:14:00 +0100

Title:	Scaling of Values of Multiplicative Method for Risk Evaluation
Date:	2007-06-01
Size:	157 Kb
Category:	Management
Complexity:	*******
Summary:	According to the multiplicative method of risk evaluation, risk is assessed as the product of resource values - AV (asset value), PT (threat probability) and IT (threat impact). This method allows arbitrary, independent value scales which all variables (AV, P, I) can assume, but the most common scales used in practice are identical, linear scales. The objects of this study are the possibilities of using nonlinear independent value scales for risk evaluation and their applicability in various practical situations. This paper will analyze the influence of nonlinear value scales in borderline cases when threat probability is considerably different than the threat impact.

Qualitative risk analysis method comparison

Tue, 09 Dec 2008 17:10:54 +0100

Title:	Qualitative risk analysis method comparison
Date:	2006-06-01
Size:	177 Kb
Category:	Management
Complexity:	*******
Summary:	Information security management is a business process part that is usually required by various regulatory laws. Security controls are defined by the business to ensure an adequate security level that is validated by a process called risk management. The risk management process allows the definition of strategy and goals in an organization’s information security. The most important part of this process, which is usually prone to errors, is the first step - risk assessment. Literature classifies risk assessment as qualitative and quantitative. Qualitative risk assessment calculates the risk level using plain judgment and assessor’s experience, while quantitative risk assessment depends on a numerical model (typically based on financial values). Although, in theory, quantitative risk assessment allows for a more detailed risk assessment, in practice this approach is usually not adequate, as an information resource’s value is based on its financial value (which does not show the true value of the information resource for a corporation). This is the main reason why a combination of qualitative and quantitative methods is preferred for risk assessment. As qualitative risk assessment is based on subjective judgment, it is prone to errors. This paper analyzes some qualitative (quantitative-qualitative) risk assessment methods. Special attention is given to the influence of various elements on risk assessment result and reliability.

Using fuzzing to detect security vulnerabilities

Mon, 03 Jul 2006 17:12:24 +0200

Title:	Using fuzzing to detect security vulnerabilities
Date:	2006-07-03
Size:	344 Kb
Category:	Technical
Complexity:	*******
Summary:	Most computer system intrusions are a result of security vulnerabilities in applications. Detection and identification of security vulnerabilities is an interesting process not only for security experts and system administrators, but also for intruders attempting to penetrate computer systems. In last couple of years, special attention was given to the technique called fuzzing. This method allows relatively fast detection of critical security vulnerabilities in various applications. Critical security vulnerabilities are usually variations of buffer overflow attacks, which allow an unauthorized user to overwrite critical parts of a vulnerable process memory. The result of exploiting this vulnerability is usually execution of a shellcode, a specially written code that was injected into a process by the unauthorized user in order to get access to the target system. This paper describes basic fuzzing categories and techniques. Several examples of fuzzing efficiency are also shown in the paper. Examples were produced by Infigo FTPStress Fuzzer tool against FTP protocol.