The SIGiST, Security Testing and HBGary

I attended a meeting of the Gauteng Special Interest Group in Software Testing (SIGiST) at 105 West Street (Nedbank) yesterday.

The SIGiST is a subgroup of the Computer Society of South Africa, which is the third oldest national computer society in the world. Only the US and British computer societies are older, and the British Computer Society is older by only a few days. According to Tony Parry, the CSSA’s representative, the SIGiST is the most active Special Interest Group in the CSSA.

The speaker at the meeting, Harry Grobbelaar, presented “Software Security Testing: Keeping up with new attacks”. It was a fascinating look at how cracking used to occur – e.g. John Draper using a whistle to hack AT&T’s phone system – and how things have changed since 2006 when criminal gangs commercialised malware.

What was also fascinating was a demonstration of various attacks – including SQL Injection – and tools. The attack done with Browser Exploitation Framework (BeEF) was really good.

After the presentation I stayed behind and asked Harry about Security Testing Tools. I had guessed that there were tools that weren’t generally available. Harry confirmed this, and told me he couldn’t tell me anything about them as even that is illegal.

If you’re into computers, you’ve probably heard that digital security company HBGary was recently cracked, and private emails from the CEO and others were published. On its own, it wasn’t shocking that HBGary was breached. What was shocking was that the breach was as a result of a SQL Injection attack.

I mentioned above that Harry Grobbelaar actually demonstrated a SQL Injection. All it basically involves is putting a URL containing a SQL query into a browser. Play around a bit with the query, and you can get access to a SQL Server attached to the website. It’s a very simple attack, and there are ways to defeat it. As a digital security firm, HBGary should not have been compromised by a SQL Injection. It’s like learning that Ellen Fein, coauthor of the book “The Rules”, got divorced. It makes you question their advice.

The CEO of HBGary has resigned. As far as I’m concerned, the entire board AND the CSO should have resigned with him.

Advertisements

About autismjungle

I am a Software Test Analyst. Shortly before I turned 21 I was officially diagnosed, although I had long suspected I was autistic. Welcome to my blog
This entry was posted in Life, Software, Work. Bookmark the permalink.