
x’ or ‘a’=’a

By Dan Hadaway | Monday, September 27, 2010 - Leave a Comment

The Chronicles of Daniel Hadaway the Ungeek and Owner of Neville Bartholomew’s Credentials!


So I need to prepare for my demonstration, to start the IBA’s IT Security Conference, called Hack Attack Live.  Last year Matt Jonkman of Emerging Threats Pro blew away all the non-technical ISOs (and caused chuckles among the technicians) when he hacked into a website right before our very eyes.  Evaluations came in on his talk saying things like “that guy scares me” and “he really knew his stuff.”

So this year, as we tried to out-do last year’s excellent conference, the big question was:  “why not start the conference out with a Hack Attack Live?”  We collectively knew a lot of really smart geeks who would be able to wow us one more time, and doing so would serve a worthy purpose:  to set the mood for the conference that yes, there are still real vulnerabilities out there that we should be considering in our next risk assessment:  our marketing sites.

But there was one problem:  the hack-attack-live part of Matt’s presentation took a total of about 8 minutes.  Matt warned us last year that this would be the case, but he had a talk already prepared (about Suricata and Honeypots and Sandnets and all kinds of cool uber-geek stuff they’re working on at Emerging Threats Pro).

Finding a technical person who could speak, and who’d be willing to speak for only 8 minutes, seemed daunting.  That’s when I made the statement:  “If I can do this, we’re all in trouble!!!!”

In other words, if a non-technical guy like me can learn how to hack into a website, then boy, we need to take likelihood up a few notches.  Right?  And other than not wanting me to put that actual statement in the marketing flyer, for fear it would turn people off to the entire conference, the folks at the IBA said “let’s do it.  Sounds great!  Dan will learn to hack into a website without any help from his technical staff.”

Yeah!  Right on!  No help from the geeks!  All by myself.  Yahoo!

That was in May.

May was a big month for me . . . . it was the month I delivered my “Megaconference Talk.”  It was the month we started our 2010 risk assessment.  It was the month we completely revised our Vendor Management tool set for an IBA workshop and it was the month I bought tickets to five White Sox games.

I took on a lot of challenges that month.  I think it’s because of the spring weather or something.  But yes, I might have bitten off a lot more than I should have in May.

And I agreed to the clause:  without any help from the geeks!

Well I’m a firm believer that the best way to accomplish a task which starts off looking like a daunting task is to take the “salami approach.”  Instead of staring at this huge, unappealing hunk of meat, cut it down to smaller, more attractive, more manageable slices.

So by early June, I had home-paged the OWASP home page (www.owasp.org . . . . check it out if you are serious about information security.)   I figured that if OWASP loaded every time I launched my browser, I’d eventually find the time to learn how to hack into a website.

Without any help from the geeks.

By early July, I had found the Webgoat project, a REALLY COOL project that, if you take a “this-is-an-adventure-game” mentality with you, will teach you how vulnerabilities arise in a web application and, if you study hard, you can learn how to exploit those vulnerabilities (and mitigate them if you are a coder.)  Webgoat is a series of lessons intended to teach developers how to bring a security mentality into the software development life cycle.

But that’s all I did.  I made http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project my home page.

After a few weeks, I realized I was procrastinating.  So indeed, I tried to read the Webgoat page several times.

In fact, the Webgoat page seemed to raise more questions in my non-technical mind than it provided answers.  It had hundreds of links off-site.  I couldn’t understand half of what I was reading on it.  Each time I tried to read the Webgoat page, I finished a bit more scared than I was when I started.  It assumed I’d understand words like catalina and tomcat and apache and sql and injection and . . . . . all without any help from the geeks.

I have to admit, I became guilty of the one thing I hate:  procrastination.  The “salami approach” wasn’t working.

Then on August 9th, the FFIEC examiners left our Kokomo office.  The “examination prep” phase of my busy year had officially evolved into the “IT Security Conference Prep Phase.”  So it was on August 9th that I rolled up my sleeves and tried understanding the webgoat page.  Boy did Wikipedia get a lot of hits that week!  But instead of gaining just a little bit of confidence, I found myself wondering (by Friday the 13th, in fact) whether I’d really be able to do this.

But I stuck with it.  I was still daunted, but I started following all the links off of that page.  And little by little, the links that Webgoat sends you to started paying off.  I mean, there were pages defining all the terms that were used to define the terms that were on the Webgoat page.  There were MOVIES showing you how to successfully complete the labs.  There were entire websites written by enthusiasts showing how to set up an Apache Tomcat Server (which is required in order to take the lessons).

The whole time I was more or less a “lurker,” meaning that I was reading, not participating, and surely not loading anything onto my computer.   I was not going to do anything until I understood what I was doing.  At least that was my starting theory.  After a while, I realized that I was not going to completely understand what I was doing until I actually just did it.  In other words, I was going to have to learn by doing as well as by reading.

Then finally, on a warm Saturday morning (August 28th), I decided I was ready to play the game.  I felt confident enough that I’d at least be able to install the Apache Tomcat Server on my laptop.  So, following one of the policies that I swear was in place BEFORE we entered the FFIEC Examination program, I emailed Sean Waugh, CISSP, MCSA for permission to install the Webgoat Project on an Infotex Information Asset (my laptop.)  I sent him a link to the Webgoat page as well as a link to what I intended to download and launch.  I admit, I was hoping he’d say “no way are you going to install that on our assets.”  But he didn’t . . . .

His response was this:  “Yes, go ahead and install, just make sure it isn’t running all the time by default and only when you manually start the application.”

Huh?  Make sure what isn’t running all the time, by default?  Make sure what isn’t running?  The website?  Can you shut off a website?  Or did he mean the server?  Is the Apache Tomcat Server something you can shut off?

Well, I would have liked to ask Sean all those questions, but that would be cheating.  Again, during Hack Attack Live I want to be able to say I learned this all by myself, by researching the web and NOT by asking my technical staff for help.  So instead of downloading the files that I had thought I should download, I went back to the drawing board.

Meanwhile, I decided that no matter what, I was NOT going to install something I didn’t really understand on my shiny new laptop.  So what I did was pull out the old laptop that the shiny new laptop replaced.  I reinstalled Windows XP on it (thinking the entire time, is Tomcat going to work on something this old?)  I even put Kaspersky on it, using one of my three licenses that I acquired when I installed Kaspersky on my shiny new laptop.  I wanted to be sure that I wasn’t introducing a vulnerability to the infotex system.  That would be really embarrassing.

Then I got the bright idea of disabling the wireless card on the laptop.  That way, if I couldn’t shut Tomcat off, big deal, right?  To this day I’m still a bit leery about what having this faulty website on my laptop will expose me to, so to play it safe, every time I fire up the old beast the first thing I do is check to make sure the wireless card is still disabled.  Remember, I’m a non-technical person.  I have no trust of technology.  I want to be sure that what I turned off doesn’t automatically turn on again.

And, I can’t ask my geeks for help.  Did I mention that?

Of course, getting Tomcat ON the laptop became a bit more problematic.  I can’t remember exactly why, but I eventually decided I needed to enable the wireless card, download the tar file (or was it 7z?) , then disable the wireless card again.

I actually had to do this very thing one more time, on September 21st, when I realized that I needed a plugin for Firefox in order to tamper with input data.  The plugin was actually called “tamper data.”  And it had a very simple end-user license agreement that I had to acknowledge before it would allow me to install the plugin.  That end-user license agreement is still scary to me.  So scary that I did a print-screen of it so I could show it during the preface to Hack Attack Live.  The end-user license agreement looked like this:

“This is a development and security testing tool, not unlike many others.

You are responsible for how you use it.”

Now I don’t know how it comes off to technical people, but to an Ungeek like me, that statement, as a license agreement, intimidates me.  “You are responsible for how you use it.”  Wow . . . .

I was tempted to ask Sean for permission to install it, but then decided that might be cheating because Sean would need to ask me why and the temptation was just too great that I would say, “I’m not sure, why would YOU install it?”

So I didn’t.  Instead, I literally closed my eyes and pressed the “accept and install” button–

NO WAIT!

That’s not actually what I did.  I double-clicked on the wireless adapter icon and had it there ready for me to press disable as soon as the plugin was done installing, and THEN I pressed “accept and install.”  And then I immediately disabled my wireless card and as soon as the laptop beeped saying that the card was disabled, I checked it again just to be on the safe side.

So by September 21st I had learned to fire up an Apache Tomcat Server.  I had installed Java on the old laptop.  I had the ability to tamper with input data using my web browser.  I learned that I had to put my browser in “on-line mode” even though I was truly off-line.  I set up the webgoat website on my laptop.

And I had studied the SQL INJECTION lesson enough to know what I wanted to do.

And then I did it.  Taking advantage of an authentication page that didn’t properly sanitize input data (by stripping out the syntax), I was able to implement a string SQL injection and log into the Goat Hills Financial Human Resources application as Neville Bartholomew!  Neville is the boss of that operation, and . . . . using the words of my geek friends . . . . I OWNED HIM.
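To show what that login page got wrong and how a developer fixes it, here is an added illustration that is not WebGoat's own code: a constructed in-memory employee table, a login query built by pasting the form fields into the SQL text (the flaw the lesson teaches), and the same query with bound parameters. The employee names and passwords are made up for the example.

```python
import sqlite3

# Constructed sample rows standing in for the lesson's HR application.
EMPLOYEES = [
    ("Neville", "Bartholomew", "secret-neville"),
    ("Larry", "Stooge", "secret-larry"),
]

# The string from this post's title, typed into the password field.
INJECTED_PASSWORD = "x' or 'a'='a"


def make_db() -> sqlite3.Connection:
    """Build an in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (first TEXT, last TEXT, password TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def login_concatenated(conn, last_name: str, password: str):
    """The flawed pattern: form input becomes part of the SQL syntax.

    With the injected password the text sent to the database reads
    ... AND password = 'x' or 'a'='a'  and because AND binds tighter than OR,
    every row satisfies the WHERE clause, so every employee comes back.
    """
    sql = ("SELECT first, last FROM employee WHERE last = '" + last_name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, last_name: str, password: str):
    """The fix: input travels as bound values and is only ever compared,
    never parsed, so the quote and OR in the password are just characters."""
    sql = "SELECT first, last FROM employee WHERE last = ? AND password = ?"
    return conn.execute(sql, (last_name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_concatenated(db, "Bartholomew", INJECTED_PASSWORD))
    print("parameterized:", login_parameterized(db, "Bartholomew", INJECTED_PASSWORD))
```

A login routine should also refuse to proceed unless exactly one row matches; a result set of two employees for one password is itself a sign that something other than a password comparison just happened.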

Yes, I am ready for Hack Attack Live.  Yes, I was able to do it without any help from my geeks.

And yes, interestingly, I want to take more lessons and learn more about web application vulnerabilities.

OWASP, you guys are doing great work.  To teach a non-technical person like me how easy it is to hack into a poorly crafted website is a great thing in my book.  It helps me understand what my developers are going through, and it helps bridge that communication gap between my technical clients and their management team.

I’m not saying I learned everything I should have learned . . . . . yet.  I still don’t really know how to “discover” if a website has the type of sanitation problem that would allow me to implement my exploit.  However, I did try the exploit on every single authentication interface my company has exposed to the web.  (Fortunately, it didn’t work.)

And most importantly, this entire experience taught me a little bit beyond how to exploit a single vulnerability that I don’t really know how to find.  For one, it taught me that we are indeed all in trouble, if we don’t take application security more seriously.  (Remember:  If Dan can do it, we’re ALL in trouble.)  But the experience also taught me that we non-technical people CAN roll up our sleeves and start learning what the geeks wish we’d understand.  And it taught me that it doesn’t really take that much time to learn these things.  It seems daunting, but if you stick with it, you eventually will understand what you need to know.

And hey, it taught me that my old laptop isn’t dead after all!

Thank you, OWASP!


Dan’s New Leaf is a blog by:

Dan Hadaway, CISA, CISM, CRISC
President
infotex
