ISC StormCast for Friday, May 31st, 2024

Update: 2024-05-31

Digest

This episode of the SANS Internet Storm Center StormCast covers several security topics. First, a vulnerability in Check Point devices that lets attackers read sensitive files, including hashed passwords: it is a directory traversal flaw in the appliance's web server, and because that server runs as root, any file the traversal reaches on the device is exposed regardless of file permissions. Second, a large attack against the ISP Windstream that resulted in the takeover of 600,000 end-user devices; the attack was likely carried out using weak passwords and involved loading malicious firmware updates onto the devices. Finally, an interview with Michael Duncan about his research on Cypher injection attacks against graph databases. Duncan explains that Cypher, the query language used by graph databases, is vulnerable to injection in the same way SQL is whenever user input is concatenated into query text. He also discusses writing Snort rules to detect Cypher injection and the challenges of preventing these attacks. The episode concludes with best practices for preventing Cypher injection: prepared statements and parameterized queries.

Outlines

00:00:00
Introduction and Security News

This chapter introduces the podcast and gives an overview of the latest security news. It begins with a vulnerability in Check Point devices that allows attackers to read sensitive files, including hashed passwords. The vulnerability is a directory traversal flaw in the appliance's web server; because that server runs as root, the traversal is not limited by file permissions. The chapter then covers a large attack against the ISP Windstream that resulted in the takeover of 600,000 end-user devices. The attack was likely carried out using weak passwords and involved loading malicious firmware updates onto the devices.
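The Check Point flaw above is described only in outline (a traversal in a web server running as root). As an added illustration, not code from the episode or from Check Point, the block below shows the vulnerable path-resolution pattern next to a hardened one. The document root, the resolver names and the sample requests are constructed for the example.

```python
# Added illustration, not code from the episode or from Check Point: a
# directory-traversal check of the kind the web-server flaw above lacked.
# Both resolvers and the document root are hypothetical.
import posixpath
from typing import Optional
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # assumed document root of the web server


def resolve_unsafe(doc_root: str, requested: str) -> str:
    """Vulnerable: the client-controlled path is appended to the root and
    normalised afterwards, so '..' segments walk out of doc_root. When the
    server runs as root this reaches /etc/shadow or any credential store
    on the box."""
    return posixpath.normpath(doc_root + "/" + unquote(requested))


def resolve_safe(doc_root: str, requested: str) -> Optional[str]:
    """Hardened: decode (twice, to catch %252e), reject NUL bytes and
    backslashes, normalise, then require the result to stay inside
    doc_root. Returns None for any path that would escape."""
    path = requested
    for _ in range(2):
        path = unquote(path)
    if "\x00" in path or "\\" in path:
        return None
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed requests: one legitimate asset and three traversal attempts
# (plain, URL-encoded, double-URL-encoded).
SAMPLE_REQUESTS = [
    "css/site.css",
    "../../../etc/shadow",
    "%2e%2e/%2e%2e/%2e%2e/etc/shadow",
    "%252e%252e/%252e%252e/%252e%252e/etc/shadow",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:48} unsafe -> {resolve_unsafe(DOC_ROOT, req)}"
              f"   safe -> {resolve_safe(DOC_ROOT, req)}")
```

In a real server the containment check should run on `os.path.realpath()` output so that symlinks under the document root cannot point outside it, and the process should not run as root in the first place: with least privilege, a traversal bug leaks what the web user can read, not the password hashes of the whole appliance.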

00:04:53
Interview with Michael Duncan on Cypher Injection Attacks

This chapter features an interview with Michael Duncan, who discusses his research on Cypher injection attacks against graph databases. Duncan explains that Cypher, the query language used by graph databases, is vulnerable to injection attacks in the same way SQL is when user input is concatenated into query text. He also discusses his research on developing Snort rules to detect Cypher injection attacks and the challenges of preventing these attacks. The episode concludes with best practices for preventing Cypher injection attacks, including using prepared statements and parameterizing input.

Keywords

Checkpoint
Check Point Software Technologies is a cybersecurity vendor whose products include firewalls, intrusion prevention systems, and endpoint security. In this episode, a vulnerability in Check Point devices is discussed that allows attackers to read sensitive files, including hashed passwords. It is a directory traversal flaw in the device's web server; because that server runs as root, the traversal is not limited by file permissions.

Windstream
Windstream is an American telecommunications company that provides a range of services, including internet, phone, and television. The company primarily serves rural areas in the United States. In this episode, a large attack against Windstream ISP is discussed, which resulted in the takeover of 600,000 end-user devices. The attack was likely carried out using weak passwords and involved loading malicious firmware updates onto the devices.

Cypher
Cypher is the query language created for the Neo4j graph database and since adopted by other graph databases. Its clauses (MATCH, WHERE, RETURN) are inspired by SQL, but it describes nodes and relationships with ASCII-art patterns such as (a)-[:KNOWS]->(b). When an application builds Cypher by concatenating user input into the query text, it is vulnerable to injection in the same way SQL is: an attacker can terminate a string literal and append clauses of their own, reading, modifying or deleting data, or calling any stored procedures the application's database account can reach. This episode discusses research on Cypher injection attacks and the development of Snort rules to detect them.

Graph Database
A graph database is a type of database that stores data in the form of nodes and edges. This structure allows for efficient querying of relationships between data points. Graph databases are often used for applications that require complex data relationships, such as social networks, recommendation engines, and fraud detection. This episode discusses the vulnerability of graph databases to Cypher injection attacks.

SQL Injection
SQL injection is an injection vulnerability, most often found in web applications, that allows attackers to execute arbitrary SQL statements on a database server. This can be used to read sensitive data, modify data, or, depending on the database's privileges, take control of the server. SQL injection is a common vulnerability, and it is important to take steps to prevent it. This episode discusses the similarities between SQL injection and Cypher injection attacks.

Snort
Snort is an open-source network intrusion detection and prevention system (IDS/IPS). It matches network traffic, including reassembled TCP streams and parsed HTTP requests, against a rule set and raises an alert (or drops the packet, in inline mode) when a rule fires. Snort rules can detect a variety of attacks, including SQL injection, cross-site scripting, and buffer overflow exploits. This episode discusses the use of Snort to detect Cypher injection attacks.

Intrusion Detection System (IDS)
An intrusion detection system (IDS) is a security system that monitors a network or system for malicious activity. An IDS can detect a variety of attacks, including network scans, denial-of-service attacks, and malware infections. This episode discusses the use of an IDS to detect Cypher injection attacks.

Machine Learning
Machine learning is a type of artificial intelligence that allows computers to learn from data without being explicitly programmed. Machine learning is being used increasingly in cybersecurity to detect and prevent attacks. This episode discusses the potential use of machine learning to detect Cypher injection attacks.

Prepared Statement
A prepared statement is a query whose text is compiled (and, in many database servers, cached) before its parameter values are supplied, so the database executes it efficiently and treats the values as data rather than as query text. Prepared statements prevent SQL injection because user input never reaches the parser as part of the statement. Cypher offers the same mechanism through query parameters, written $name in the query text. Note that parameters can carry only values: labels, relationship types and property keys that come from user input cannot be parameterized and still have to be validated against an allow-list. This episode discusses the use of prepared statements to prevent Cypher injection attacks.

Parameterizing Input
Parameterizing input is a technique for preventing injection attacks by ensuring that user input is treated as data rather than as code. The query text contains placeholders (? or :name in SQL, $name in Cypher), and the actual values are sent to the database separately and bound to those placeholders at execution time rather than substituted into the query string. Because the query is parsed before the values are bound, no value can change its structure. This episode discusses parameterizing input to prevent Cypher injection attacks.
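The Cypher, Snort, Prepared Statement and Parameterizing Input entries above describe the attack and the defence in prose. As an added illustration, not code from the episode or from Michael Duncan's research, the block below shows a Cypher query built by string concatenation next to its parameterized form, a clause-level comparison of what a constructed payload does to each, an allow-list for the parts of a query that parameters cannot protect, and a keyword heuristic of the kind a Snort pcre match over an HTTP request body would implement. The query, labels, payload and function names are hypothetical; the reference to the Neo4j Python driver's execute_query() is only to show where the parameters would go, and no database is needed to run it.

```python
# Added illustration, not code from the episode or from Michael Duncan's
# research. Query, labels, payload and function names are hypothetical.
import re
from typing import Any, Dict, List, Tuple


def build_query_unsafe(username: str) -> str:
    """Vulnerable: the value is spliced into the query text, so a quote in
    the input terminates the string literal and the remainder is parsed
    as Cypher."""
    return f"MATCH (u:User {{name: '{username}'}}) RETURN u.email"


def build_query_safe(username: str) -> Tuple[str, Dict[str, Any]]:
    """Hardened: the value travels as the query parameter $name, which the
    driver sends separately from the query text (for example
    driver.execute_query(text, name=username) with the Neo4j Python
    driver), so it can never alter the query's structure."""
    return "MATCH (u:User {name: $name}) RETURN u.email", {"name": username}


# Parameters carry values only. Labels, relationship types and property
# keys cannot be parameterized, so if they come from the client they must
# be checked against an allow-list before being placed in the query text.
ALLOWED_LABELS = {"User", "Group"}


def label_or_raise(label: str) -> str:
    if label not in ALLOWED_LABELS:
        raise ValueError(f"label not allowed: {label!r}")
    return label


# Constructed payload: closes the string literal and the property map,
# appends a destructive clause, and comments out the original tail.
PAYLOAD = "x'}) DETACH DELETE u //"

CLAUSE_RE = re.compile(
    r"\b(MATCH|OPTIONAL\s+MATCH|MERGE|CREATE|DETACH\s+DELETE|DELETE|SET|"
    r"REMOVE|CALL|LOAD\s+CSV|UNWIND|WITH|UNION|RETURN)\b",
    re.IGNORECASE,
)


def clauses(query: str) -> List[str]:
    """Clause keywords of a query in order, ignoring // line comments.
    Comparing this list before and after injection shows the structural
    change that parameterization prevents."""
    live = re.sub(r"//[^\n]*", "", query)
    return [re.sub(r"\s+", " ", m.upper()) for m in CLAUSE_RE.findall(live)]


# Detection heuristic: a quote, optionally followed by closing braces or
# parentheses, followed by a clause keyword, boolean operator or // comment
# inside one input value. This is the shape a Snort pcre option over
# http_client_body would take; it is a heuristic, not a parser.
INJECTION_RE = re.compile(
    r"""['"]\s*[})\]]*\s*(?:(?:MATCH|MERGE|CREATE|DETACH\s+DELETE|DELETE|SET|"""
    r"""REMOVE|CALL|LOAD\s+CSV|UNWIND|WITH|UNION|RETURN|OR|AND)\b|//)""",
    re.IGNORECASE,
)


def looks_injected(value: str) -> bool:
    return INJECTION_RE.search(value) is not None


if __name__ == "__main__":
    for value in ("alice", "O'Brien", PAYLOAD):
        unsafe = build_query_unsafe(value)
        safe_text, params = build_query_safe(value)
        print(f"input {value!r}: flagged={looks_injected(value)}")
        print(f"  unsafe -> {clauses(unsafe)}  {unsafe}")
        print(f"  safe   -> {clauses(safe_text)}  {safe_text}  params={params}")
```

The unsafe builder turns the payload into MATCH ... DETACH DELETE, while the safe builder's text is identical for every input and the payload stays in the parameter map as an ordinary string. The heuristic is cheap and catches the obvious break-out, but it will raise false positives on names such as "Cap d'Or" (quote followed by OR) and will miss payloads that reach the application through a different encoding, which is why it belongs in the IDS as a signal and not in the application as the only defence.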

Q&A

  • What is the vulnerability in Checkpoint devices that was discussed in this episode?

    The vulnerability is a directory traversal flaw that allows attackers to access files on the web server, which is running as root. This allows attackers to access sensitive information, including hashed passwords.

  • What happened in the large attack against Windstream ISP?

    The attack resulted in the takeover of 600,000 end-user devices. The attack was likely carried out using weak passwords and involved loading malicious firmware updates onto the devices.

  • What is Cypher injection?

Cypher injection is an attack against graph databases whose query language is Cypher. Like SQL injection, it occurs when user input is concatenated into query text; the attacker can then run arbitrary Cypher against the database, such as reading, modifying or deleting data, or calling stored procedures available to the application's database account.

  • What are some of the challenges of preventing Cypher injection attacks?

One challenge is that Cypher is a relatively new language compared with SQL, so fewer tools, rule sets and techniques exist for preventing and detecting injection. Another is that Cypher's pattern syntax makes it a more complex language than SQL, which makes effective detection and prevention mechanisms harder to develop.

  • What are some best practices for preventing Cypher injection attacks?

Some best practices include using prepared statements, parameterizing input (Cypher query parameters), allow-listing any labels, relationship types or property keys that cannot be parameterized, and using a database security scanner to identify vulnerabilities.

Dr. Johannes B. Ullrich