
x’ or ‘a’=’a

By Dan Hadaway | Monday, September 27, 2010 - Leave a Comment

The Chronicles of Daniel Hadaway the Ungeek and Owner of Neville Bartholomew’s Credentials!


So I need to prepare for my demonstration, to start the IBA’s IT Security Conference, called Hack Attack Live.  Last year Matt Jonkman of Emerging Threats Pro blew away all the non-technical ISOs (and caused chuckles among the technicians) when he hacked into a website right before our very eyes.  Evaluations came in on his talk saying things like “that guy scares me” and “he really knew his stuff.”

So this year, as we tried to out-do last year’s excellent conference, the big question was:  “why not start the conference out with a Hack Attack Live?”  We collectively knew a lot of really smart geeks who would be able to wow us one more time, and doing so would serve a worthy purpose:  to set the mood for the conference that yes, there are still real vulnerabilities out there that we should be considering in our next risk assessment:  our marketing sites.

But there was one problem:  the hack-attack-live part of Matt’s presentation took a total of about 8 minutes.  Matt warned us last year that this would be the case, but he had a talk already prepared (about Suricata and Honeypots and Sandnets and all kinds of cool uber-geek stuff they’re working on at Emerging Threats Pro).

Finding a technical person who could speak, and who’d be willing to speak for only 8 minutes, seemed daunting.  That’s when I made the statement:  “If I can do this, we’re all in trouble!!!!”

In other words, if a non-technical guy like me can learn how to hack into a website, then boy, we need to take likelihood up a few notches.  Right?  And other than not wanting me to put that actual statement in the marketing flyer, for fear it would turn people off to the entire conference, the folks at the IBA said “let’s do it.  Sounds great!  Dan will learn to hack into a website without any help from his technical staff.”

Yeah!  Right on!  No help from the geeks!  All by myself.  Yahoo!

That was in May.

May was a big month for me . . . . it was the month I delivered my “Megaconference Talk.”  It was the month we started our 2010 risk assessment.  It was the month we completely revised our Vendor Management tool set for an IBA workshop and it was the month I bought tickets to five White Sox games.

I took on a lot of challenges that month.  I think it’s because of the spring weather or something.  But yes, I might have bitten off a lot more than I should have in May.

And I agreed to the clause:  without any help from the geeks!

Well I’m a firm believer that the best way to accomplish a task which starts off looking like a daunting task is to take the “salami approach.”  Instead of staring at this huge, unappealing hunk of meat, cut it down to smaller, more attractive, more manageable slices.

So by early June, I had home-paged the OWASP home page (www.owasp.org . . . . check it out if you are serious about information security.)   I figured that if OWASP loaded every time I launched my browser, I’d eventually find the time to learn how to hack into a website.

Without any help from the geeks.

By early July, I had found the Webgoat project, a REALLY COOL project that, if you take a “this-is-an-adventure-game” mentality with you, will teach you how vulnerabilities arise in a web application and, if you study hard, you can learn how to exploit those vulnerabilities (and mitigate them if you are a coder.)  Webgoat is a series of lessons intended to teach developers how to bring a security mentality into the software development life cycle.

But that’s all I did.  I made http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project my home page.

After a few weeks, I realized I was procrastinating.  So indeed, I tried to read the Webgoat page several times.

In fact, the Webgoat page seemed to raise more questions in my non-technical mind than it provided answers.  It had hundreds of links off-site.  I couldn’t understand half of what I was reading on it.  Each time I tried to read the Webgoat page, I finished a bit more scared than I was when I started.  It assumed I’d understand words like catalina and tomcat and apache and sql and injection and . . . . . all without any help from the geeks.

I have to admit, I became guilty of the one thing I hate:  procrastination.  The “salami approach” wasn’t working.

Then on August 9th, the FFIEC examiners left our Kokomo office.  The “examination prep” phase of my busy year had officially evolved into the “IT Security Conference Prep Phase.”  So it was on August 9th that I rolled up my sleeves and tried understanding the webgoat page.  Boy did Wikipedia get a lot of hits that week!  But instead of gaining just a little bit of confidence, I found myself wondering (by Friday the 13th, in fact) whether I’d really be able to do this.

But I stuck with it.  I was still daunted, but I started following all the links off of that page.  And little by little, the links that Webgoat sends you to started paying off.  I mean, there were pages defining all the terms that were used to define the terms that were on the Webgoat page.  There were MOVIES showing you how to successfully complete the labs.  There were entire websites written by enthusiasts showing how to set up an Apache Tomcat Server (which is required in order to take the lessons).

The whole time I was more or less a “lurker,” meaning that I was reading, not participating, and surely not loading anything onto my computer.   I was not going to do anything until I understood what I was doing.  At least that was my starting theory.  After a while, I realized that I was not going to completely understand what I was doing until I actually just did it.  In other words, I was going to have to learn by doing as well as by reading.

Then finally, on a warm Saturday morning (August 28th), I decided I was ready to play the game.  I felt confident enough that I’d at least be able to install the Apache Tomcat Server on my laptop.  So, following one of the policies that I swear was in place BEFORE we entered the FFIEC Examination program, I emailed Sean Waugh, CISSP, MCSA for permission to install the Webgoat Project on an Infotex Information Asset (my laptop.)  I sent him a link to the Webgoat page as well as a link to what I intended to download and launch.  I admit, I was hoping he’d say “no way are you going to install that on our assets.”  But he didn’t . . . .

His response was this:  “Yes, go ahead and install, just make sure it isn’t running all the time by default and only when you manually start the application.”

Huh?  Make sure what isn’t running all the time, by default?  Make sure what isn’t running?  The website?  Can you shut off a website?  Or did he mean the server?  Is the Apache Tomcat Server something you can shut off?

Well, I would have liked to ask Sean all those questions, but that would be cheating.  Again, during Hack Attack Live I want to be able to say I learned this all by myself, by researching the web and NOT by asking my technical staff for help.  So instead of downloading the files that I had thought I should download, I went back to the drawing board.

Meanwhile, I decided that no matter what, I was NOT going to install something I didn’t really understand on my shiny new laptop.  So what I did was pull out the old laptop that the shiny new laptop replaced.  I reinstalled Windows XP on it (thinking the entire time, is Tomcat going to work on something this old?)  I even put Kaspersky on it, using one of my three licenses that I acquired when I installed Kaspersky on my shiny new laptop.  I wanted to be sure that I wasn’t introducing a vulnerability to the infotex system.  That would be really embarrassing.

Then I got the bright idea of disabling the wireless card on the laptop.  That way, if I couldn’t shut Tomcat off, big deal, right?  To this day I’m still a bit leery about what having this faulty website on my laptop will expose me to, so to play it safe, every time I fire up the old beast the first thing I do is check to make sure the wireless card is still disabled.  Remember, I’m a non-technical person.  I have no trust of technology.  I want to be sure that what I turned off doesn’t automatically turn on again.

And, I can’t ask my geeks for help.  Did I mention that?

Of course, getting Tomcat ON the laptop became a bit more problematic.  I can’t remember exactly why, but I eventually decided I needed to enable the wireless card, download the tar file (or was it 7z?), then disable the wireless card again.

I actually had to do this very thing one more time, on September 21st, when I realized that I needed a plugin for Firefox in order to tamper with input data.  The plugin was actually called “tamper data.”  And it had a very simple end-user license agreement that I had to acknowledge before it would allow me to install the plugin.  That end-user license agreement is still scary to me.  So scary that I did a print-screen of it so I could show it during the preface to Hack Attack Live.  The end-user license agreement looked like this:

“This is a development and security testing tool, not unlike many others.

You are responsible for how you use it.”

Now I don’t know how it comes off to technical people, but to an Ungeek like me, that statement, as a license agreement, intimidates me.  “You are responsible for how you use it.”  Wow . . . .

I was tempted to ask Sean for permission to install it, but then decided that might be cheating because Sean would need to ask me why and the temptation was just too great that I would say, “I’m not sure, why would YOU install it?”

So I didn’t.  Instead, I literally closed my eyes and pressed the “accept and install” button–

NO WAIT!

That’s not actually what I did.  I double-clicked on the wireless adapter icon and had it there ready for me to press disable as soon as the plugin was done installing, and THEN I pressed “accept and install.”  And then I immediately disabled my wireless card and as soon as the laptop beeped saying that the card was disabled, I checked it again just to be on the safe side.

So by September 21st I had learned to fire up an Apache Tomcat Server.  I had installed Java on the old laptop.  I had the ability to tamper with input data using my web browser.  I learned that I had to put my browser in “on-line mode” even though I was truly off-line.  I set up the webgoat website on my laptop.

And I had studied the SQL INJECTION lesson enough to know what I wanted to do.

And then I did it.  Taking advantage of an authentication page that didn’t properly sanitize input data (by stripping out the syntax), I was able to implement a string SQL injection and log into the Goat Hills Financial Human Resources application as Neville Bartholomew!  Neville is the boss of that operation, and . . . . using the words of my geek friends . . . . I OWNED HIM.
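The login bypass described above, as an added example that is not from this post or from WebGoat’s own code: a toy SQLite login built the way the vulnerable page was (user input pasted into the statement text), the payload the post is named after run against it, the “strip out the syntax” mitigation mentioned above, and the parameterized query that actually closes the hole.  The table layout, employee rows and passwords are constructed for this example; only the name Neville Bartholomew and the payload `x' or 'a'='a` come from the page.

```python
"""Toy reproduction of a WebGoat-style string SQL injection.

Added example: the table layout, employee rows and passwords below are
constructed for illustration, not WebGoat's real data or code.
"""
import sqlite3

PAYLOAD = "x' or 'a'='a"  # the password string the post is named after

# Constructed sample data. Neville is the "boss" named in the post; his
# password is something the attacker does not know.
EMPLOYEES = [
    (101, "Neville", "Bartholomew", "Trust-No-0ne", 1),
    (102, "Larry", "Stooge", "larry1", 0),
    (103, "Moe", "Stooge", "moe1", 0),
]
NEVILLE_USERID = 101


def build_db() -> sqlite3.Connection:
    """In-memory employee table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (userid INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, password TEXT, is_manager INTEGER)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


def vulnerable_sql(userid: str, password: str) -> str:
    """The bug: user input is pasted straight into the statement text.
    userid comes from an employee drop-down (numeric, so it is unquoted),
    password from the text box."""
    return (
        "SELECT userid, first_name, last_name FROM employee "
        f"WHERE userid = {userid} AND password = '{password}'"
    )


def login_vulnerable(conn, userid: str, password: str) -> list:
    """Returns every row the concatenated query matches. With PAYLOAD the
    clause reads ... password = 'x' or 'a'='a'. AND binds tighter than OR,
    so it is (userid = N AND password = 'x') OR TRUE: every employee
    matches, and an application that trusts the first row logs you in."""
    return conn.execute(vulnerable_sql(userid, password)).fetchall()


def strip_quotes(value: str) -> str:
    """The 'strip out the syntax' idea: drop single quotes before concatenating."""
    return value.replace("'", "")


def login_stripped(conn, userid: str, password: str) -> list:
    """Quote stripping defeats PAYLOAD, but the unquoted numeric userid needs
    no quote at all: a userid of '101 or 1=1' still returns Neville's row."""
    return login_vulnerable(conn, strip_quotes(userid), strip_quotes(password))


def login_parameterized(conn, userid: str, password: str) -> list:
    """The real fix: check the type of userid, then bind both values as
    parameters so the driver never interprets them as SQL."""
    try:
        uid = int(userid)
    except ValueError:
        return []  # '101 or 1=1' is not an employee id; fail closed
    return conn.execute(
        "SELECT userid, first_name, last_name FROM employee "
        "WHERE userid = ? AND password = ?",
        (uid, password),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_sql("101", PAYLOAD))
    print("vulnerable   :", login_vulnerable(db, "101", PAYLOAD))
    print("quote-strip  :", login_stripped(db, "101", PAYLOAD))
    print("quote-strip  :", login_stripped(db, "101 or 1=1", "wrong"))
    print("parameterized:", login_parameterized(db, "101", PAYLOAD))
    print("parameterized:", login_parameterized(db, "101 or 1=1", "wrong"))
```

Two things worth noticing when you run it: the concatenated query with the payload matches all three employees, not just Neville, because the `or 'a'='a'` tail is true for every row; and stripping quotes only stops this particular payload, since the numeric field can be attacked without any quote character.  Binding parameters (and validating the id as an integer) is what makes the input inert regardless of what it contains.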

Yes, I am ready for Hack Attack Live.  Yes, I was able to do it without any help from my geeks.

And yes, interestingly, I want to take more lessons and learn more about web application vulnerabilities.

OWASP, you guys are doing great work.  To teach a non-technical person like me how easy it is to hack into a poorly crafted website is a great thing in my book.  It helps me understand what my developers are going through, and it helps bridge that communication gap between my technical clients and their management team.

I’m not saying I learned everything I should have learned . . . . . yet.  I still don’t really know how to “discover” if a website has the type of sanitation problem that would allow me to implement my exploit.  However, I did try the exploit on every single authentication interface my company has exposed to the web.  (Fortunately, it didn’t work.)

And most importantly, this entire experience taught me a little bit beyond how to exploit a single vulnerability that I don’t really know how to find.  For one, it taught me that we are indeed all in trouble, if we don’t take application security more seriously.  (Remember:  If Dan can do it, we’re ALL in trouble.)  But the experience also taught me that we non-technical people CAN roll up our sleeves and start learning what the geeks wish we’d understand.  And it taught me that it doesn’t really take that much time to learn these things.  It seems daunting, but if you stick with it, you eventually will understand what you need to know.

And hey, it taught me that my old laptop isn’t dead after all!

Thank you, OWASP!


Dan’s New Leaf is a blog by:

Dan Hadaway, CISA, CISM, CRISC
President
infotex
