Lost in Translation. Joaquim Espinhara & Rodrigo Montoro


$ whois @jespinhara: Senior Security Consultant at Trustwave; author of 0 patent-pending technologies; BJJ enthusiast; triathlete; dad (of dog)

$ whois @spookerlabs: Senior Security Administrator at Sucuri Security; author of 2 patent-pending technologies; researcher; open source enthusiast; triathlete; dad

Motivation

ERROR 1045 (28000): Acesso negado para o usuário 'spooker'@'localhost' (senha usada: SIM)

This is the pt_br rendering of "Access denied for user 'spooker'@'localhost' (using password: YES)". Only the message text changes with the server language; the error number 1045 and the SQLSTATE 28000 are the same in every language.

Note: we are not talking about specific products; all the demos are there to prove an idea that most likely affects any vendor or product.

Languages (chart). Source: http://www.bbc.co.uk/languages/guide/languages.shtml

Native English countries (map of nations using English as a de facto or official majority language, dark blue, or as an official minority language, light blue). Source: http://en.wikipedia.org/wiki/list_of_territorial_entities_where_english_is_an_official_language

Products

How detection works

Offensive tool: prepare request based on the services found -> send request to device -> service processes request -> service sends response -> tool receives response -> tool processes response (this last step is where the tool looks for known strings, such as English error messages).

Defensive tool: the same request/response cycle, with the defensive tool (IDS/IPS/WAF) sitting in the path and inspecting the response the service sends back; its rules look for known strings in that response in the same way.

Attack sample

What kind of problems?

Non-detection, aka false negatives, on both the offensive and the defensive side

Compliance bypass

Stealth backdoors / problems

Changes on the fly...

mysql> select @@@version;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@version' at line 1
mysql> SET lc_messages = 'pt_br';
Query OK, 0 rows affected (0.00 sec)
mysql> select @@@version;
ERROR 1064 (42000): Você tem um erro de sintaxe no seu SQL próximo a '@version' na linha 1
mysql>

The Portuguese line reads "You have a syntax error in your SQL near '@version' on line 1". The error number 1064 and SQLSTATE 42000 do not change. lc_messages has both session and global scope: a session SET, as above, only changes the messages on that connection, while a global setting (my.cnf or SET GLOBAL) also localises the 1045 login-failure message returned during the handshake, which is what brute-force signatures key on.

Proof of Concepts (PoC)

Offensive tools: Acunetix, w3af, Qualys (free online version)

Acunetix

Acunetix Demo

w3af

Qualys Free Scan

Defensive tools: Snort / Sourcefire (Cisco), OSSEC (Trend Micro), WAF parser

Snort / Sourcefire (IDS or IPS). Three public rules, all keyed on the English text of the database login-failure message (hex byte matches shown between pipes):

alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern:only; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:2;)

alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login attempt"; flow:from_server,established; content:"login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103152; rev:4;)

alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures, Possible Brute Force Attempt"; flow:from_server,established; content:"|15 04|"; depth:64; content:"|32 38 30 30 30|Access denied for user|20|"; fast_pattern:only; content:"using password|3A 20|"; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:3;)

Look at what each rule actually matches: |15 04| is error number 1045 in little-endian byte order and |32 38 30 30 30| is the SQLSTATE "28000", both of which mysqld emits regardless of lc_messages; "Access denied for user" and "using password: " are the English-only part. A server answering in pt_br ("Acesso negado para o usuário ... (senha usada: SIM)") satisfies the byte matches but never the text matches, so neither MySQL rule fires. The SQL Server rule matches text only.

Snort / Sourcefire

OSSEC (HIDS)

Logtest OSSEC

WAF Parser

Offensive & Defensive

Desktops

Future / Mitigations

Not an easy fix, and this is only MySQL. From the MySQL manual: by default, mysqld produces error messages in English, but they can also be displayed in any of several other languages: Czech, Danish, Dutch, Estonian, French, German, Greek, Hungarian, Italian, Japanese, Korean, Norwegian, Norwegian-ny, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, or Swedish. That is 20 languages besides English.

Improve ASV (PCI DSS Approved Scanning Vendor) tests for PCI scanners

Work more with error codes (when available). The same failure in the two languages:

mysql> select @@@version;
ERROR 1064 (42000): Você tem um erro de sintaxe no seu SQL próximo a '@version' na linha 1

mysql> select @@@version;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@version' at line 1

The error number (1064) and SQLSTATE (42000) are identical in both; a signature keyed on them instead of on the message text survives a change of lc_messages.
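The following Python is added here as a worked example; it is not code from the slides, from Snort, or from any product named above. It builds MySQL ERR packets carrying the 1045 login-failure message in English and in pt_br (the two texts shown earlier) and runs two detectors over a constructed stream of six handshake failures answered to one client: a text detector built from the content strings of ET sid 2010494 above (offset/depth modifiers ignored), and a detector keyed on the error number and SQLSTATE that the "work more with error codes" slide recommends. The packet layout is the 4.1+ client/server protocol ERR packet (3-byte length, sequence id, 0xFF, little-endian errno, '#' plus a 5-character SQLSTATE, message). The threshold logic is a simplified per-client approximation of Snort's threshold keyword (the real rules track by the packet source, i.e. the server), and the client address and timing are constructed.

```python
import struct
from collections import defaultdict, deque

# Login-failure (errno 1045) message texts. Only the English and pt_br forms
# shown in the slides are used; nothing is assumed about the other languages.
ACCESS_DENIED_1045 = {
    "en_US": "Access denied for user '{user}'@'{host}' (using password: YES)",
    "pt_br": "Acesso negado para o usuário '{user}'@'{host}' (senha usada: SIM)",
}


def build_err_packet(code, sqlstate, message, seq=2):
    """MySQL 4.1+ ERR packet: 3-byte LE length, seq id, 0xFF, LE errno,
    '#' + 5-char SQLSTATE, then the (locale-dependent) message."""
    payload = (b"\xff" + struct.pack("<H", code) + b"#"
               + sqlstate.encode("ascii") + message.encode("utf-8"))
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_err_packet(pkt):
    """Return errno/SQLSTATE/message, or None if this is not an ERR packet."""
    length = int.from_bytes(pkt[:3], "little")
    payload = pkt[4:4 + length]
    if len(payload) < 9 or payload[0] != 0xFF or payload[3:4] != b"#":
        return None
    return {
        "seq": pkt[3],
        "code": struct.unpack("<H", payload[1:3])[0],
        "sqlstate": payload[4:9].decode("ascii"),
        "message": payload[9:].decode("utf-8", "replace"),
    }


# Content strings of ET sid 2010494 with the |hex| escapes expanded:
# |15 04| is errno 1045 little-endian, |32 38 30 30 30| is SQLSTATE "28000".
# Offset/depth modifiers are ignored in this approximation.
TEXT_SIGNATURE = (b"\x15\x04", b"28000Access denied for user ", b"using password\x3a\x20")


def text_signature_hits(pkt):
    """English-text detector: every content string must appear in the packet."""
    return all(c in pkt for c in TEXT_SIGNATURE)


def code_signature_hits(pkt):
    """Locale-independent detector: errno 1045 with SQLSTATE 28000, message ignored."""
    err = parse_err_packet(pkt)
    return err is not None and err["code"] == 1045 and err["sqlstate"] == "28000"


class ThresholdTracker:
    """Approximation of Snort 'threshold: type threshold, count N, seconds S':
    fire once per N matching events for a key inside an S-second window."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.events = defaultdict(deque)

    def hit(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.seconds:
            q.popleft()
        if len(q) >= self.count:
            q.clear()
            return True
        return False


def failed_logins(locale, n, client="10.0.0.5", start=0.0, gap=1.0):
    """Constructed sample stream: n handshake failures answered to one client.
    At handshake time the 1045 message reflects the server's global lc_messages."""
    msg = ACCESS_DENIED_1045[locale].format(user="spooker", host="localhost")
    pkt = build_err_packet(1045, "28000", msg)
    return [(start + i * gap, client, pkt) for i in range(n)]


def run(stream, count=5, seconds=120):
    """Count the alerts each detector raises over (ts, client, pkt) tuples."""
    trackers = {"text": ThresholdTracker(count, seconds),
                "code": ThresholdTracker(count, seconds)}
    alerts = {"text": 0, "code": 0}
    for ts, client, pkt in stream:
        if text_signature_hits(pkt) and trackers["text"].hit(client, ts):
            alerts["text"] += 1
        if code_signature_hits(pkt) and trackers["code"].hit(client, ts):
            alerts["code"] += 1
    return alerts


if __name__ == "__main__":
    for locale in ("en_US", "pt_br"):
        print(locale, run(failed_logins(locale, 6)))
```

With six failures in a 120-second window the English stream trips both detectors once, the pt_br stream trips only the errno/SQLSTATE detector: the bytes |15 04| and "28000" are still on the wire, only the words around them moved. Matching on the code does cost some precision (the message is what tells a 1045 with a wrong password apart from other variants), which is why the slide says "when available" rather than "instead".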

Possible attack surface: something we couldn't measure yet; needs tests and more tests.

Engine to detect language (not that easy). The slide shows the cropped pt_br 1064 message from the demo above: "...000): Você tem um erro de sintaxe no seu SQL próximo a '@vers..."
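On the scanner side the "engine to detect language" idea can be sketched as follows. This Python is an added example, not code from the slides or from Acunetix, w3af or Qualys: it turns the English and pt_br MySQL message templates shown on this page into regexes, so that one classify_error call both detects the error in an HTTP body and reports the errno and lc_messages language it came from, and runs a minimal baseline-versus-quote probe against a constructed stand-in for a PHP page that echoes mysql_error(). No real database is involved; make_vulnerable_app, the sample bodies and the "{}" placeholder convention are assumptions of this example, and the template table deliberately contains only the two languages the slides show, because filling in the other 20 is exactly the work the slide calls "not that easy".

```python
import re

# MySQL error-message templates per lc_messages language, keyed by errno.
# Only the English and pt_br texts shown in the slides are included; the other
# languages mysqld ships are the coverage gap a scanner has to close.
# "{}" marks the variable parts (user, host, quoted fragment, line number).
TEMPLATES = {
    1045: {
        "en_US": "Access denied for user '{}'@'{}' (using password: {})",
        "pt_br": "Acesso negado para o usuário '{}'@'{}' (senha usada: {})",
    },
    1064: {
        "en_US": ("You have an error in your SQL syntax; check the manual that "
                  "corresponds to your MySQL server version for the right syntax "
                  "to use near '{}' at line {}"),
        "pt_br": "Você tem um erro de sintaxe no seu SQL próximo a '{}' na linha {}",
    },
}


def template_to_regex(template):
    """Escape the literal text; each {} becomes a lazy, possibly empty, wildcard."""
    literals = [re.escape(part) for part in template.split("{}")]
    return re.compile("(.*?)".join(literals), re.S)


COMPILED = [(errno, lang, template_to_regex(t))
            for errno, by_lang in TEMPLATES.items() for lang, t in by_lang.items()]


def classify_error(body):
    """(errno, language) of the first known MySQL error in an HTTP body, else None."""
    for errno, lang, rx in COMPILED:
        if rx.search(body):
            return errno, lang
    return None


def english_only_scanner(body):
    """What a scanner whose pattern list is English-only sees: True/False."""
    return any(rx.search(body) for _, lang, rx in COMPILED if lang == "en_US")


def make_vulnerable_app(lc_messages):
    """Constructed stand-in for a page that interpolates a parameter into SQL
    and echoes mysql_error(); the database and its locale are simulated."""
    def fetch(param):
        if "'" in param:
            fragment = param[param.index("'"):]
            return "<pre>" + TEMPLATES[1064][lc_messages].format(fragment, 1) + "</pre>"
        return "<html><body>item " + param + "</body></html>"
    return fetch


def probe(fetch, param="1", classifier=classify_error):
    """Minimal error-based SQLi probe: compare the baseline response with the
    response to a single-quote payload and classify the difference."""
    baseline, probed = fetch(param), fetch(param + "'")
    if baseline == probed:
        return None
    return classifier(probed)


if __name__ == "__main__":
    for locale in ("en_US", "pt_br"):
        app = make_vulnerable_app(locale)
        print(locale, "language-aware:", probe(app),
              "english-only:", probe(app, classifier=english_only_scanner))
```

Against the pt_br stand-in the English-only classifier reports nothing while the template table reports (1064, 'pt_br'); the probe logic is identical, only the pattern list differs. Reporting the language is worth keeping in a finding, since a non-English lc_messages on a production server is itself a configuration detail a reviewer wants to know about.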

Contacts && Thank you!

Rodrigo Montoro: rodrigo.montoro@sucuri.net, @sucuri_security, @spookerlabs, http://www.sucuri.net
Joaquim Espinhara: jespinhara@trustwave.com, @spiderlabs, @jespinhara, http://www.trustwave.com