AASecure

Official Website

1. SQL INJECTION: How Evil it Can Be?

A study of 228 web servers examined in year 2016 in Tanzania indicated that 102 ( »45%) servers can be SQL injection exploited. The vulnerability observed could allow data exfiltration such that it was possible to list tables and dump user accounts, emails and passwords. Some of the tables were found to contain administrative user accounts and easily crackable passwords enabling an attacker to take total control of the victim server. Consequences of SQL Injections attacks (SQLIA) are evil as they can allow an attacker to delete entire contents of a victim database or shut it down [1]. As such, SQLIA are important weapons in cyber warfare. Two SQL injection techniques which were successful in locating vulnerable points during this research are Blind Text Injection Differential and Error based Exploitation. Both techniques are a result of poor web server (online database server) design especially in the selection of error messages (or answers) they display to website users if something goes wrong. Through examination of error messages (error codes) we can precisely know the backend Database Management System (DBMS) type and version. Also, we can know what parameters (variables) can allow us to “illegally” inject codes (a SQL query). This paper presents SQLIA cases and their impacts in Tanzania cyber space. It will also suggest for possible mitigation ways.

Keywords

SQLIA; Code Injection; Cyber warfare; SQLMap.

Researcher: Geofrey Appolinary Kilimba

Research Year: 2016

To Obtain a Copy of its Technical Advance, contact us at secure@aasecuretz.com

2. How Flash Disk Can Be Used For Cyber Spy Operations: Know its Hidden Secrets.

An Information Security Awareness Paper

Abstract

Activities we do on computers leave traces behind. These traces are usually found on computer hard drives, log files, and in certain storage locations in some application programs. Depending on security weakness a particular application has, it is possible to illegally find credentials used for accessing privileged information stored in such applications or computer hard drives. There many ways used to exploit these traces; one of the most successful technique is to configure a flash disk with tools that perform password recovery, log file information extraction and automatic document copying. All these are configured to be done secretly, silently and very fast.

This paper introduces some of the tools which are used to configure a flash disk perform such an “evil” task. At the end of this paper, possible mitigation ways are suggested. The threat to this problem is real – most users are using their computers in way that put them at a high risk of being exploited and attacked.

“Be silent when you don’t have all the facts” – Proverb 18:13

Researcher: Geofrey Appolinary Kilimba

Research Year: 2017

For Technical Details on How To, Contact us secure@aarsecuretz.com or info@aasecuretz.com

Not Just Average Design Agency, We Make Beautiful Things