About those half million SQL injection attacks

Nathan McFeters has written one of the best explanations I've seen of the latest rash of SQL injection attacks, over at my old security blog, Zero Day. Nathan took the opportunity to point out another serious hole in the PCI (Payment Card Industry) standard: it allows vendors to skip web application security audits entirely if they simply buy a Web Application Firewall.
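
The point Nathan is making, that a blocking WAF is not a substitute for fixing the injection in the code, can be shown in a few lines. The following is an added example, not code from this post or from Nathan's article: it uses a constructed two-user SQLite table, a login query that pastes user input into the SQL text, the parameterized fix, and a deliberately naive signature filter that stands in for a poorly tuned blocking rule (it does not model any real WAF product). The textbook `' --` payload is caught by the filter; a trivial variant that comments the rest of the query out with `/*` is not, while the parameterized query is immune to both.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text.

    Returns the list of matching (username, role) rows; a non-empty list
    means the login 'succeeded'.
    """
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    """The code-level fix: bound parameters keep input out of the SQL grammar."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# A deliberately naive signature list standing in for a poorly tuned blocking
# rule. Illustration only; it does not model any real WAF product.
NAIVE_SIGNATURES = ("' or 1=1", "' or '1'='1", "--")


def naive_filter_blocks(value):
    """True if the value contains one of the listed signatures (case-insensitive)."""
    v = value.lower()
    return any(sig in v for sig in NAIVE_SIGNATURES)


def login_behind_naive_filter(conn, username, password):
    """The vulnerable code left in place, with the signature filter in front of it."""
    if naive_filter_blocks(username) or naive_filter_blocks(password):
        return []  # request blocked
    return login_vulnerable(conn, username, password)


if __name__ == "__main__":
    conn = make_db()
    textbook = ("alice' --", "x")         # '--' comments out the password check
    variant = ("alice' OR 2>1 /*", "x")   # same effect, no listed signature
    print("vulnerable, textbook payload:", login_vulnerable(conn, *textbook))
    print("filter,     textbook payload:", login_behind_naive_filter(conn, *textbook))
    print("filter,     variant payload: ", login_behind_naive_filter(conn, *variant))
    print("fixed,      variant payload: ", login_fixed(conn, *variant))
```

In SQLite an unterminated `/*` comment runs to the end of the statement, which is what lets the variant payload discard the `AND password = ...` clause. The signature list can be extended indefinitely and an attacker only has to find one shape it does not cover; the parameterized query closes the whole class in one line, which is why an audit of the code, not a box in front of it, is what PCI should be asking for.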

Categories: SQL, Security, Security news
  1. April 29th, 2008 at 08:46 | #1

    Thanks for the shout out George!

    Good to be able to bookmark your site again!

    -Nate

  2. May 1st, 2008 at 06:37 | #2

    Nate,

    Your article is so high quality that it makes me cry. Your perspectives on PCI-DSS, including the infamous WAF argument, show character, determination, and serious clue. To see this in the near-mainstream media honestly makes me think that we can fight the PCI SSC, their mediocrity, and their corruption.

    The most fucked up thing (now that I’m working with a few clients on meeting Requirement 6.66 aka "The Devil") is that a lot of clients already have near-perfect payment applications with their risk completely managed. The clients don’t want to have to spend extra cycles/money on code review or an app scan EVERY TIME they do a release — and they don’t want to incur the extra time/costs involved with working with their QSA to make sure Requirement 6.66 is handled properly from a code review / app scan perspective.

    In other words, my clients who have well-thought-out, well-planned, and well-tested applications are now being FORCED to implement a web application firewall (WAF) just because it's [the easier/cheaper] part of Requirement 6.66. Fortunately, Mod-security and Port80Software.com's ServerDefender (for IIS) seem to meet the requirement (as long as they are in blocking/protecting mode).

    However, this still isn't cheap! The costs and headaches involved with installing/configuring/troubleshooting/verifying WAF installations are enormous! Worse, vendors such as F5, Citrix, Imperva, Breach Security, etc. have all jumped right into bed with PCI SSC!!! It's like Qualys Guard and the PCI ASV approved tests all over again! This is corruption. This should be illegal and it probably is.

    What should we do about it?

  3. May 1st, 2008 at 09:26 | #3

    Now forgive me for quoting myself, but how can I state it any differently? Lifted from Talkbacks in Ed Bott’s latest ZDNet piece:

    — rtk : Bozo filter

    Normally I’d agree with you, but watching Nate McFeters kick around fr0thy2 yesterday @ http://blogs.zdnet.com/security/?p=1059 I might have changed my mind.

    Those were some of the best talkback threads I've read on ZDNet in a long time.

    It’s great that bloggers like Nate and yourself continue to actively participate in the discussions, despite the bozos.

    — klumper : Priceless

    Having the balls to engage McFeters on his own turf: commendable. Watching the beat down that ensued: priceless.

    At some point in the foray, the term "punch drunk" has to enter the equation. That or "shell shock." :)

    By my calculation, fr0thy2 is lying in a warm bath today, filled to the brim with Epsom salts. A whiff or two of smelling salts each hour upon the hour should further help with his post-mortem revival. As for the lucky spectators who witnessed that smack down, I suspect some are still cackling today.

    Why he kept clinging to his own inflated nuts, while taking one roundhouse after another from Nate, is beyond me. At some point, the pain or embarrassment should have forced a let-go and tail-between-the-legs retreat. Generally speaking, extended pummeling induces fetal positioning (aka "turtling") in most mortals.

    Could fr0thy2 be a machine, or perhaps a runaway script? Brings to mind that old Timex commercial from ages ago: "It takes a licking but it keeps on ticking" [and yet begs the question: does this apply even when the arms are rotating backwards?].

    Ah well, if nothing else, we have evidence that the boys from the Baltics are tough as lug nuts. Perhaps not as bright as we once thought, but tick tick tick tough. ;)

  4. May 8th, 2008 at 08:15 | #4

    Correct me if I'm wrong, but wouldn't a WAF have prevented this SQL injection attack?
    http://pcianswers.com/
