Feeds

Signatures no good at protecting databases, says Juniper

A cookie, a box, a stick and a string can trap attackers

Securing Web Applications Made Simple and Scalable

One of the most common forms of attack is the SQL injection, and although the vector is ancient and well-understood, it's notoriously difficult to defend against.

Kevin Kennedy, senior director of product management for Juniper Networks' security business unit, is in Australia to demonstrate Juniper's latest shot at defeating SQL injection – not with block-by-signature, but by trapping attackers. Spotlight Secure was first launched globally in February, 2013.

The idea behind Spotlight Secure is that signatures in web-application firewalls are no longer effective against the patient attacker, and input validation only goes so far.

Kennedy said it's been proven that input validation must fail at some point. There will inevitably be a collision between a genuine input that should be passed, and a malicious input that should be blocked.

It's also inevitable that even with a Web application firewall standing between the SQL server and the Internet, a patient attacker will find a combination of inputs that doesn't trigger a signature alert on the firewall – but does give an attacker an SQL injection vector.

It's not perfect – nothing is – but the idea is to make attacks slower and more expensive, while at the same time, using super-cookies to fingerprint the attacker.

To take a simple example of an attack on SQL, an attacker might first try changing parameters in a URL with the aim of generating errors that tell them things about the database behind the Website. From that starting point, the attacker then starts passing increasingly sophisticated parameters to the SQL engine with the ultimate aim of retrieving user Ids and passwords.

Rather than trying to create a perfect validation list, Juniper is instead slotting fake parameters into the URL – for example, offering database parameters such as columns that don't exist.

If someone tries to access a “trap” parameter, the system starts treating the user as a likely attacker. Rather than simply blocking that user's IP (which isn't particularly useful long-term), there are a number of actions available to the system administrator.

One is to slow down system responses to that user – a very simple way to make the attack more expensive. Another is the super-cookie mentioned earlier. The principles of super-cookies will already be well-known to regular readers of El Reg, but in short, they're harder to detect than the “standard” (for want of a better word) cookie, and they collect information to more accurately profile the machine they're installed on.

With enough data captured – the browser, the installed fonts, timezone, screen resolution, pointer device, camera type and so on – the system can capture a fingerprint of the attacking machine that might not be unique, but is a pretty useful characterisation of the attacker. Rather than watching for something easily changed, like the IP address, the system is now looking for the fingerprint of the super-cookie, and acting accordingly.

The aim, Kennedy said, is to track attackers rather than merely blocking them. “We want to change the economics of the attack,” he said. “Slow them down, waste their time, plant the cookie so we can recognise them.”

In most circumstances, Kennedy said, the characteristics that the super-cookie uses to build its fingerprint change incrementally and slowly. It's far more common for someone to replace a keyboard or buy a new screen than to configure a whole new machine.

And at the same time, since the ordinary user of a site is never going to try to get the SQL server to display the contents of the fake field, the company also hopes to address the false positive problem that makes even owners of Web application firewalls under-use the technology.

Is it perfect? Of course not: an experienced attacker will know how to protect themselves against super-cookies. However, Kennedy said, this doesn't invalidate the trap, since the attack will still be identified and logged.

Another example: you can't plant a super-cookie on a Linux machine booted from a USB stick with no write privileges. However, Kennedy said, the failure of the cookie will flag the machine as a likely attacker.

The Register asked Kennedy if the fingerprints collected by super-cookies wouldn't be more useful if they could be shared between security vendors. The answer: yes – if the challenges involved could be overcome.

“The model of sharing fingerprints is not useful in isolation,” he said. “But we believe that sharing is very important – this industry does not share well together.”

As a start, he said, Juniper Networks has a partnership announced with RSA, but broader sharing is “hard, because it requires that you have an active proxy using the fingerprints.” That, he said, is more complex than scoring the reputation of IP addresses.

“What should be shared is granular, enforceable information. But what we need is for other vendors to say 'yes, this is something we could do.' We're open to having that conversation.” ®

Mobile application security vulnerability report

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you on YouPorn lately, perhaps? White House website?
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.