SQL Injection Turns BusinessWeek Into Viral Replicator
martins writes "The website of popular magazine BusinessWeek has been attacked via SQL injection in an attempt to infect its readership with malware. Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected."
Sophos informed BusinessWeek of the infection last week, although at the time of writing the hackers' scripts are still present and active on their site.
It's bad enough to have an insecure site, but to ignore the break-in for a week or more is just unconscionable.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
HAI!
Just a friendly reminder - your Database Admin will be more than happy to set up multiple users for you with different permissions. For instance, a user with "write" privileges that can be used by the website backend page that the editors use, and a user with "read only" permissions that the public facing web server(s) will use when presenting the page to the public.
That is all.
If you're going to do something malicious for profit you should make it look like nothing ever happened. While swapping the headlines would be funny, it would definitely lessen the amount of time the flaw went unnoticed.
In Soviet Russia meme tires of you!
I'm just ... look at my user name...
To be a good architect you often need strong business knowledge. Yeah, yeah, you know how to program, you're so smart (I learned to program at 6 years old); it doesn't take a genius to program. But in reality, being a good programmer doesn't mean you can design or create solutions that solve real business problems. I have been in the industry for a long time too. Working as a consultant, I was actually the top database developer for multiple companies, including many Fortune 500 companies. However, I found that creating the code is a piece of cake; the hard part is trying to understand the business process, then filtering out what is and isn't needed for the code to run successfully without extra work, as well as understanding what is happening so that in case the software (or hardware) fails you can come up with a quick workaround for the employees until you can get a working version. Business knowledge is a key area. If you are working in a business environment, getting a Master's in computer science wouldn't be as useful as getting an MBA.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
You made me snort my coffee... but it is so true. The other problem is that MBAs are very unlikely to know how to fix their machines once they are fscked up. In every place I worked, most viruses were spread by the top brass.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
In short, it's because the people who do this want to make money and ensure that they can update the malicious code as need be without worrying that someone else will come along and tie down the system with their own crap. Now, if said people knew when the site was going to be cleaned and had all the necessary code already created for that circumstance, I'm sure they'd do a one-time injection without any external references. But, if so few coders in the legit market can manage it and almost all need the ability to patch code months or years in the future, I'm pretty sure most black market scammers are going to be in the same boat.
And like the other poster pointed out, the point isn't to draw attention. That just increases the odds of decreasing the money making period. Not to mention that questionable headlines might make people shy away from the site under realization that it's hacked.
I can't believe in this day and age something as lame as SQL injection is still happening, especially to large company websites. Anyone using inline SQL should be taken out back and ridiculed until they cry. If your developers are mindless enough not to validate user input then at least use stored procedures.
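The two defences raised in the thread, parameterized queries instead of inline SQL and a read-only database account for the public-facing server, side by side. This is an added example, not code from BusinessWeek or from any poster; the `employers` table and its rows are constructed sample data, and SQLite's `PRAGMA query_only` stands in for the separate read-only user that a server database would provide.

```python
import sqlite3

# Constructed sample data standing in for a site's employer-directory table;
# none of this is BusinessWeek's schema or code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employers (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO employers (name, city) VALUES (?, ?)",
                     [("Acme Corp", "Chicago"), ("Globex", "New York"), ("Initech", "Austin")])
    conn.commit()
    return conn

def search_inline(conn, city):
    """Vulnerable: the request parameter is spliced into the SQL text, so a quote
    in the input changes the structure of the query rather than its data."""
    sql = "SELECT name FROM employers WHERE city = '" + city + "'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, city):
    """Hardened: the value travels separately from the SQL text; whatever it
    contains, it is compared as a literal and never parsed as SQL."""
    sql = "SELECT name FROM employers WHERE city = ?"
    return [row[0] for row in conn.execute(sql, (city,))]

def lock_read_only(conn):
    """Stand-in for the 'read only' database user: the public-facing connection
    is put in query-only mode, so even if a bug lets an UPDATE or INSERT reach
    the database, stored page content cannot be changed through it."""
    conn.execute("PRAGMA query_only = 1")

def attempt_write(conn):
    """Try a harmless no-op UPDATE; return True if the connection permits writes."""
    try:
        conn.execute("UPDATE employers SET city = city WHERE id = 1")
        conn.commit()
        return True
    except sqlite3.OperationalError:   # 'attempt to write a readonly database'
        return False

if __name__ == "__main__":
    conn = make_db()
    probe = "Chicago' OR 'x'='x"       # a malformed input a tester would send to check the search box
    print(search_inline(conn, probe))        # all three rows: the WHERE clause was rewritten
    print(search_parameterized(conn, probe)) # []: no city is literally named that
    lock_read_only(conn)
    print(attempt_write(conn))               # False: the public connection cannot modify content
```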
Depends on the school and the student.
Half the engineers in my dept of this telecom equipment company I used to work for were getting their MBAs at Northwestern's Kellogg School of Management or at the U of Chicago's Graduate School of Business.
They were all freakin' brilliant, but being a staff engineer wasn't all they wanted to be. They wanted to start their own companies or run one from a very high perch. I kept in touch with a few of them over the years, and sure enough, they all ended up doing those things. I even started a company with one of them.
So, again. It all depends on what you take out of it, as well as where you go and how seriously they treat you. If you walk in thinking it's a piece of cake and nothing more than a piece of paper to wave at people, then it'll be worth far less than others who take it seriously and use what they learned effectively. (Choose the right school, too, of course.)