Relentless Web Attack Hard To Kill

← Back to Stories (view on slashdot.org)

Relentless Web Attack Hard To Kill

Posted by kdawson on Wednesday November 12, 2008 @07:13AM from the stay-dead-willya dept.

ancientribe writes "The thousands of Web sites infected by a new widespread SQL injection attack during the past few days aren't necessarily in the clear after they remove the malicious code from their sites. Researchers from Kaspersky Lab have witnessed the attackers quickly reinfecting those same sites all over again. Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."

218 comments

Min score:

Reason:

Sort:

Chinks get their Interwebs on! by Anonymous Coward · 2008-11-12 07:16 · Score: -1, Flamebait

Chinkies broked the web. :(
1. Re:Chinks get their Interwebs on! by Rick+Bentley · 2008-11-12 10:26 · Score: 2, Funny
  
  Chinkies broked the web. :(
  Okay, now that there is a black president you realized that being racist against blacks would be unpatriotic ... so now you go after Chinese instead?
  
  I for one (don't) welcome our new sino-phobic first-posting anonymous-coward overlords...
  
  --
  My favorite quote doesn't fit into 120 characters. Now no one will like me.
2. Re:Chinks get their Interwebs on! by Fulcrum+of+Evil · 2008-11-12 15:14 · Score: 1
  
  Is this going to be another Tiger Woods? He was black, now he's half black, and if he does a good job in his first term, he'll somehow be asian...
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
This... by Anonymous Coward · 2008-11-12 07:16 · Score: -1, Troll

...is NOT the First Post.
1. Re:This... by stonedcat · 2008-11-12 08:04 · Score: 0
  
  Amazing! You're telepathetic!
  
  --
  You can't take the sky from me.
Kaspersky by mfh · 2008-11-12 07:16 · Score: -1, Offtopic

It's because of security reports like this, I always recommend Kaspersky security suite over any other anti-virus solution available (free or otherwise). These guys are in the internet-trenches fighting for a more secure internet, and a more secure planet. It is widely known that they are the best in the business. So while many users will try and limp by on free anti-virus, Kaspersky just updated all my computers with protection against these attacks.

--
The dangers of knowledge trigger emotional distress in human beings.
1. Re:Kaspersky by RaceProUK · 2008-11-12 07:19 · Score: 1, Flamebait
  
  Kaspersky is so brilliant, it locks up every time I try to do anything with it.
  
  Then again, my AVG hasn't updated properly all week...
  
  --
  No colour or religion ever stopped the bullet from a gun
2. Re:Kaspersky by mfh · 2008-11-12 07:22 · Score: 4, Informative
  
  Kaspersky is so brilliant, it locks up every time I try to do anything with it.
  Then again, my AVG hasn't updated properly all week...
  You're not supposed to run them at the same time. They fight for control and eventually stalemate. Uninstall AVG and reinstall Kaspersky, but by now you may have damaged your system configuration. Kaspersky is pretty brutal if it gets unhinged, but it's unstoppable if you get it configured correctly.
  
  --
  The dangers of knowledge trigger emotional distress in human beings.
3. Re:Kaspersky by RaceProUK · 2008-11-12 07:27 · Score: 1
  
  Should have mentioned: Kaspersky's on my work PC, and AVG on my home PC.
  
  --
  No colour or religion ever stopped the bullet from a gun
4. Re:Kaspersky by martinw89 · 2008-11-12 07:31 · Score: 3, Insightful
  
  ...AVG...
  <mechanic>Well there's your problem.</mechanic>
5. Re:Kaspersky by Anonymous Coward · 2008-11-12 07:33 · Score: 4, Funny
  
  "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -Gene Spafford
6. Re:Kaspersky by dedazo · 2008-11-12 07:39 · Score: 1
  
  (This post brought to you by Kapersky Labs. Not detecting SQL injection vulnerabilities on servers since 2003!)
  
  --
  Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
7. Re:Kaspersky by Arancaytar · 2008-11-12 07:43 · Score: 4, Insightful
  
  It's a bloody SQL injection attack. I'd like to see your virus checker automatically rewrite your web application to use input filtering.
  What these people need is a real web application instead of some self-built PHP script - not a virus scanner, whether free or expensive.
8. Re:Kaspersky by Anonymous Coward · 2008-11-12 07:50 · Score: 0
  
  Maybe they were able to highjack the OP /. account using this exploit, who knows ? And it would be a really good proof of concept : "look even Slashdotter with a 2-digit ID is powerless, you're doomed, so please by our products".
9. Re:Kaspersky by Joce640k · 2008-11-12 07:51 · Score: 1
  
  Do you know what an SQL injection attack is?
  Clue: It's not something an antivirus can ever protect people from.
  
  --
  No sig today...
10. Re:Kaspersky by LandDolphin · 2008-11-12 08:04 · Score: 1
  
  "I'd like to see your virus checker automatically rewrite your web application to use input filtering."
  
  Now that's an Anti-Virus software I'd pay for!
  
  --
  Spelling and Grammar errors have been added to this post for your enjoyment
11. Re:Kaspersky by ceejayoz · 2008-11-12 08:04 · Score: 1
  
  What these people need is a real web application instead of some self-built PHP script - not a virus scanner, whether free or expensive.
  Uh, this exploit is targeting ASP/MSSQL.
12. Re:Kaspersky by mfh · 2008-11-12 08:08 · Score: 1
  
  Uh, this exploit is targeting ASP/MSSQL.
  And to be fair, there are two attacks going on. #1 is getting the SQL on the server (which is impossible to detect unless your code is ok) and then there are the aftermath attacks that the SQL code launches when a browser executes Javascript when browsing, WHICH KASPERSKY PROTECTS YOU AGAINST.
  Unless you run a website, you won't care about the first attack, and the second one you ARE protected against if you have a decent configuration.
  
  --
  The dangers of knowledge trigger emotional distress in human beings.
13. Re:Kaspersky by sgt+scrub · 2008-11-12 08:16 · Score: 1
  
  Why do you say that? They patch ALMOST every hole within AT LEAST 8 years! http://tech.slashdot.org/article.pl?sid=08/11/12/199215 Sigh.
  
  --
  Having to work for a living is the root of all evil.
14. Re:Kaspersky by DerCorny · 2008-11-12 08:29 · Score: 1
  
  So? Before you do free advertisement, do some more research: http://blogs.zdnet.com/security/?p=1516 They can't even protect their own sites ...
15. Re:Kaspersky by mordred99 · 2008-11-12 09:11 · Score: 2, Interesting
  
  I take every syllable that comes out of Eugene Spafford's mouth with a pound of salt. I speak as a Purdue Graduate and Security Professional.
16. Re:Kaspersky by mfh · 2008-11-12 09:32 · Score: 1
  
  Do you know what an SQL injection attack is?
  I think I understand it better than you do. The SQL injection is the tip of the iceburg.
  You have your run of the mill garden variety SQL injection that can bypass security and get user passwords on a website, which GRANTED have little to do with anti-virus.
  But the most robust and versatile attack using SQL injection is to gain access to visitor computers via Javascript executed trojan horses and malware being hosted in the databases. Kaspersky protects you from... the activity of those types of security risks.
  No matter where malware comes from, suites like Kaspersky track and disable the aftermath of how bad stuff got on the internet.
  SQL injection is just the method in which people bypass server security, but the RESULT is that people who haven't updated windows or who don't run a good anti-virus (ie: kaspersky instead of AVG) will possibly become infected with some really NASTY rogueware that was downloaded from reputed sources.
  Chances are if you run Noscript, you allow these trusted websites, and therefore you could easily get pwned if the site in question suddenly becomes a launchpad for malware/spyware/trojans/keyloggers.
  So perhaps that sheds some light on my original comment, which has been mod-bombed because mods don't think before they mod, and at times they tend to get overwhelmed to the noise from users who also forgot to think before responding.
  Phase 1: Kaspersky can't protect you against, but the attack isn't directed at end users, only databases.
  Phase 2: Kaspersky protects against all kinds of nasties that could be pushed onto your system by the original SQL injected/compromised website and that truly is what matters as a last and final line of defense.
  
  --
  The dangers of knowledge trigger emotional distress in human beings.
17. Re:Kaspersky by dgatwood · 2008-11-12 10:44 · Score: 1, Interesting
  
  You know, something just occurred to me. The biggest reason SQL injection attacks are so common is that SQL allows multiple commands per input line and allows you to comment out the rest of the line, neither of which is useful when called from a programming language (or really anywhere outside of dump/restore tools). If you built a custom SQL library that PHP/Perl/* linked into that would return an error and do nothing if it detects more than one command or a comment start character anywhere in a command, injection attacks would become dramatically harder, if not impossible. At best, an attacker would merely be able to change additional fields in a table that were not changed in the original query, a security flaw that is much less problematic than the more general case of injection attacks....
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
18. Re:Kaspersky by vishbar · 2008-11-12 11:52 · Score: 2, Interesting
  
  PHP is just as vulnerable to SQL injection as ASP...I think he was speaking in generic terms.
  The problem isn't in the scripting engine. The problem is bad code. You can put a bad developer in front of system you want, and he'll still write bad code.
  
  --
  Ride the skies
19. Re:Kaspersky by mfh · 2008-11-12 12:41 · Score: 1
  
  Neat idea, but this is MSSQL so you know that won't be the case by default. The number one reason people use MSSQL is so that businesses can support requirements from other online packages that drive websites as well as other functions... from hosting solutions to special funky elitist blackberry/email/IM/domain/remote access package type applications.
  I worked for a place that was a Gold partner, and they had access to it all and very few of them really know what was under the hood in terms of security, protocols or potential problems. I mean these guys all used default settings.
  Their reason for selling MSFT was to make money by delivering a value-added service, and while security always sort of played into things, they didn't have the people to make it happen really and that's one of the reasons I left... being overworked and under-appreciated.
  And MSFT will pamper you if you're a Gold partner, until you have a real question... they give you a URL and smile... but the answer is never 100% what you want or need to know unless you know somebody who is an expert at the jargon, the design, the implementation and the focus behind the whole system... good luck!
  So what you need to realize is that this company like most other MSFT customers, and there are so many, all want the same thing -- rich features. You can't possibly expect SQL packages to only allow one SQL call at a time. MSFT conforms to customers while limiting certain things, but you can't put Pandora back in the box. Now that it's allowed, it must be backwards compatible and therefore that could never happen.
  Oh sure you could invent an attachment that interfaced with MSSQL to check against it, but then you'd have to open a channel to the other feature-ridden facets of each application. You would drive yourself nuts -- not to mention how long it would take to process your data, one call per line.
  They'd find a work-around, IMHO.
  No the best bet is to keep it simple. Use trusted products, and keep an eye on securityfocus for patches and exploits so you can catch stuff ahead of time.
  MSSQL and all the supporting packages available is a huge system, really, and there are many different ways to create unexpected results (which is the cornerstone to any good exploit).
  
  --
  The dangers of knowledge trigger emotional distress in human beings.
20. Re:Kaspersky by RobinH · 2008-11-12 13:32 · Score: 1
  
  We're currently trying to upgrade a .NET 1.1 web application to .NET 3.5. I assure you that Microsoft didn't appear to have backward compatibility on their minds when they went from .NET 1.1 to .NET 2.0.
  
  --
  "I have never let my schooling interfere with my education." - Mark Twain
21. Re:Kaspersky by Fulcrum+of+Evil · 2008-11-12 15:19 · Score: 3, Informative
  
  Are you insane? Write parameterized SQL for all your queries and this just won't happen - setting your name to ';-- drop table users;' will just result in funky display logic.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
22. Re:Kaspersky by dgatwood · 2008-11-12 18:16 · Score: 1
  
  I do use parameterized SQL when it is convenient in the particular programming language I'm using. When it isn't, I'm religious about writing functions that do proper quoting of values and always using them for values that are not known to be numeric... in much the same way that I'm religious about casting numbers in PHP with (int) to ensure no non-numeric crap gets in where I'm expecting a number. Those are all fairly basic security measures that every PHP programmer should use with regularity.
  I'm not talking about making changes to the SQL database to avoid fixing bugs or looking for bugs in my own code. Even if my code were known to be flawless and used only parameterized SQL, I would still want additional protection from these sorts of injection attacks at the database layer. Why? While the parameter hndling code might in theory be less likely to contain mistakes than hand-rolled code that does the same thing, if there were a bug in the shared code that does the quoting behind the scenes when inserting the parameters into the queries, it would be much more likely to get exploited because the same flaw would be shared across many more pieces of software, and so would be widely known (not to mention that it might be detectable with something as simple as a web server version string). As such, explicitly disallowing both "--" and ";" in queries would still be useful changes that would provide additional hardening even if nobody used any non-parameterized SQL at all.
  Also, I didn't write every line of code that runs on my web server. There are third-party bits of code lurking. I try to keep them isolated into their own databases (with their own login credentials and locked down permissions) so that they can only harm themselves (and only to a limited degree), but that only limits the damage that they can cause, and not nearly as much as I'd like. Any extra layer of added security would be beneficial, IMHO.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
23. Re:Kaspersky by Thorwak · 2008-11-12 20:52 · Score: 1
  
  HEY! Show some respect for the elder! I'm sure Kaspersky was great at some point and the poor old man is just remembering the good old days ;)
  
  --
  Connection closed by foreign host.
24. Re:Kaspersky by radio4fan · 2008-11-12 22:50 · Score: 1
  
  If you built a custom SQL library that PHP/Perl/* linked into that would return an error and do nothing if it detects more than one command or a comment start character anywhere in a command, injection attacks would become dramatically harder, if not impossible.
  PHP's database drivers already kind-of work this way: they only run the first statement of a multi-statement query.
  eg:
  "SELECT * FROM foo; DROP TABLE foo"
  Only the select statement will be passed to the database by the driver. The successive statements are quietly ignored.
  Of course, this only protects against one class of injection attacks, and doesn't help if the first statement is targetted.
25. Re:Kaspersky by Anonymous Coward · 2008-11-13 02:56 · Score: 0
  
  I take every syllable that comes out of Eugene Spafford's mouth with a pound of salt. I speak as a Purdue Graduate and Security Professional.
  I take every post I read on /. with a grain of salt. I speak as a high school dropout and raging alcoholic.
26. Re:Kaspersky by mfh · 2008-11-13 03:41 · Score: 1
  
  They definitely did intend to involve backwards compatibility, although you are correct in reminding us that MSFT did it wrong (as usual). That underscores my original point that they will try and keep things compatible, so they will not intentionally try and break a feature. MSFT has no qualms breaking a product's functionality, but they always resist trying to remove features.
  Imagine proposing one-SQL-call-per-connection at a meeting and imagine how fast they would shut you down. "You mean to say that we could only have one call per connection? The door is that way."
  
  --
  The dangers of knowledge trigger emotional distress in human beings.
27. Re:Kaspersky by RobinH · 2008-11-13 07:36 · Score: 1
  
  But couldn't you have some kind of option you could turn on in your connection string that only allows one call per connection? Enable that and you've added some security to your site, but not removed any features.
  
  --
  "I have never let my schooling interfere with my education." - Mark Twain
relentless by Anonymous Coward · 2008-11-12 07:18 · Score: -1, Troll

Relentless, like a nigger asking for a handout?
1. Re:relentless by Anonymous Coward · 2008-11-12 07:29 · Score: -1, Troll
  
  No, more like a Republican trying to convince the public that Sarah Palin isn't full-on retarded, no matter how good she looks in a short skirt.
first post by Dan541 · 2008-11-12 07:18 · Score: -1, Offtopic

:P

--
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
1. Re:first post by Dan541 · 2008-11-12 07:19 · Score: 0, Offtopic
  
  Dammm,
  Where's the "-1 fail"
  
  --
  An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
2. Re:first post by Anonymous Coward · 2008-11-12 07:21 · Score: 0
  
  Why is it that when someone decides they have the karma to burn and make a "first post", someone else already posted something long and informative?
  If you're going to waste the karma, at least do it right. Sheesh.
3. Re:first post by martinw89 · 2008-11-12 07:27 · Score: 2, Informative
  
  Don't worry, your "-1 fail"® moderation is being applied at this moment. Thank you for using Slashdot©, please come again.
4. Re:first post by Chris+Burke · 2008-11-12 07:55 · Score: 1
  
  Where's the "-1 fail"
  In your heart, my friend. In your heart.
  
  --
  
  The enemies of Democracy are
5. Re:first post by windsurfer619 · 2008-11-12 07:55 · Score: 1
  
  Good point! We'll need a "-1 not funny" while you're at it, too!
6. Re:first post by martinw89 · 2008-11-12 07:59 · Score: 1
  
  I think you dropped this.
Whatever happened by RaceProUK · 2008-11-12 07:18 · Score: 5, Insightful

to fixing the hole? It's like fixing a car coolant leak by pouring more water in the radiator.

--
No colour or religion ever stopped the bullet from a gun
1. Re:Whatever happened by compro01 · 2008-11-12 07:26 · Score: 2, Informative
  
  AFAICT, they are patching the hole, they're just finding even more holes of the same type.
  
  --
  upon the advice of my lawyer, i have no sig at this time
2. Re:Whatever happened by gurps_npc · 2008-11-12 07:54 · Score: 1
  
  The problem is, they don't have "a hole", they have swiss cheese. The reason they have swiss cheese is that the people responsible for securing their machines take 3 days to do something that should be done in ten minutes.
  
  --
  excitingthingstodo.blogspot.com
3. Re:Whatever happened by Anonymous Coward · 2008-11-12 08:31 · Score: 0
  
  Has been working for us for years...
  Steve B.
4. Re:Whatever happened by Anonymous Coward · 2008-11-12 08:39 · Score: 0
  
  So, basically, their rad hose is perforated. Time to get a new one, preferably from a better manufacturer.
5. Re:Whatever happened by ScrewMaster · 2008-11-12 11:54 · Score: 1
  
  to fixing the hole? It's like fixing a car coolant leak by pouring more water in the radiator.
  I would say that it's more like trying to cure diarrhea by tinkering with the toilet.
  
  --
  The higher the technology, the sharper that two-edged sword.
6. Re:Whatever happened by Spy+der+Mann · 2008-11-12 15:21 · Score: 1
  
  Has been working for us for years...
  Steve B.
  Look out, Steve! An infected chair!!!
It's the plugins... by sam0737 · 2008-11-12 07:21 · Score: 2, Insightful

At the end of the day it's the problem of plugins...I mean, besides the fact that the website is being infected, it's the flaws and vulnerabilities of the ActiveX/Browser plugins that allow this kind of activity to be profitable.
Just yet another reason, besides bandwidth, to get Flashblock.
And install as few as browsers plugins/ActiveX as possible.
1. Re:It's the plugins... by larry+bagina · 2008-11-12 08:10 · Score: 1
  
  They could fill the website with links to v1agr@, svbpr1me m0rtg@g3s, and geniune r0lexxs.
  
  --
  Do you even lift?
  These aren't the 'roids you're looking for.
noscript by Manfre · 2008-11-12 07:22 · Score: 5, Informative

NoScript is one of the best ways to avoid viruses that are distributed from the web.
1. Re:noscript by NorQue · 2008-11-12 08:06 · Score: 1
  
  Until someone discovers an exploitable bug in noscript. ;)
2. Re:noscript by Bryansix · 2008-11-12 08:12 · Score: 1
  
  If you want to break a shitload of websites like uhm say the custom CRM that I support for my company that our own developers write in ASP.NET!
3. Re:noscript by Anonymous Coward · 2008-11-12 08:23 · Score: 0
  
  It's rare that I care enough about visiting a website that REQUIRES Javascript for me to actually go to the trouble of enabling Javascript. Most of the time, when I see a site requiring Javascript, I assume that I am not in their target demographic, and I close that tab.
4. Re:noscript by Anonymous Coward · 2008-11-12 08:28 · Score: 0
  
  If you want to break a shitload of websites like uhm say the custom CRM that I support for my company that our own developers write in ASP.NET!
  True, the first few days of using NoScript you will run into "problems" on nearly every page you visit, but that is simply the software learning what is "trusted" and what isn't (everything else). After that, NoScript is damned useful keeping the sketchy web developers away from your personal info.
  If a site REQUIRES JavaScript or Flash to work (and I've never used it before) then it is not worth anyone's time to visit.
5. Re:noscript by Manfre · 2008-11-12 08:30 · Score: 1
  
  The developers are doing something wrong if the CRM mandates XSS javascript.
6. Re:noscript by Bryansix · 2008-11-12 08:31 · Score: 1
  
  I think you missed the point that the COMPANY I WORK FOR REQUIRES I SUPPORT THIS WEBSITE! Geez. Target Demographic?! You don't even know what that term means.
7. Re:noscript by Bryansix · 2008-11-12 08:42 · Score: 1
  
  You're doing something wrong by talking about something you have no idea about. ASP.NET is a programming language that is BOTH compiled and interpreted. The intermediate step language is run upon demand and spits out a combination of HTML and Javascript to render the webpages.
8. Re:noscript by RpiMatty · 2008-11-12 08:49 · Score: 1, Informative
  
  SO WHY CAN'T YOU WHITELIST THE SITE THAT YOU HAVE TO SUPPORT? Along with any other sites you support?
  Its not that hard to build up a whitelist. The first time you visit a "trusted" or regular site, add it to the white list. Does it have any subdomains, or "partner" domains that you also need to add? Go ahead and add them.
  So many people complain about how NoScript breaks pages, but its really not that hard at all to setup a whitelist.
  Now when your redirected/accidentally click on a link to dgdrklgdr.com/e3rer it can't run any javascript on your pc.
9. Re:noscript by Manfre · 2008-11-12 09:06 · Score: 3, Informative
  
  I've been developing with ASP.NET (c#) since its initial beta and am very familiar with how it functions. This discussion would go a bit smoother if you would read a comment before replying to it. Noscript prevents javascript from loading on any site, until the site is explicitly given permission by the user. Approve your CRM domain(s), which will allow it to work properly. Then if it is compromised, noscript will block the javascript on the destination domain. If your server is compromised to the point where it is hosting exploits, then the IT staff needs to spend a bit more effort patching and locking things down. Noscript is not the only protection that should be used, but it greatly helps. It's like driving a car a little bit slower. You've still got a seatbelt to help keep you alive, but you should be less likely to hit something.
10. Re:noscript by Anonymous Coward · 2008-11-12 11:56 · Score: 0
  
  How does what you just wrote contradict his post? Perhaps you don't understand it.
11. Re:noscript by arotenbe · 2008-11-12 12:19 · Score: 1
  
  They update it at ridiculous intervals, multiple times per week. It's really irritating because it always brings up their website every time it gets updated, but I'm sure that any exploitable bugs would get patched immediately.
  
  --
  Tomato wedge sperm darts that are Republican.
12. Re:noscript by andy_t_roo · 2008-11-12 13:31 · Score: 1
  
  yes your site will be broken unless, say, you spend 1 second to click on the little S with a red line through it at the bottom of the screen to add the current website to noscripts whitelist...
  even then it is still secure as if (in the unlikely event) that the website you have previously marked as safe is hacked, they still can't run anything else off another website unless you also whitelist that.
  at the moment i've only 2 of the 4 scripts here enabled - slashdot and google-analytics, but not doubleclick or fsdn.com
13. Re:noscript by Spy+der+Mann · 2008-11-12 15:26 · Score: 1
  
  They update it at ridiculous intervals
  Nope, Ridiculous speed is too slow for them. They update at LUDICROUS SPEED!!
14. Re:noscript by Anonymous Coward · 2008-11-12 21:10 · Score: 1, Informative
  
  It's really irritating because it always brings up their website every time it gets updated
  Easily fixable: about:config -> noscript.firstRunRedirection = false
15. Re:noscript by daveime · 2008-11-12 21:27 · Score: 2, Insightful
  
  Yes, we should stick to the old tried and true "overload the server and piss off the user" method of the 1990's.
  Name: Dave
  Country : Thailand
  Telephone : 12345678
  Date of Birth : 29/02/2000
  [SUBMIT]
  Oops' looks like some problems with your submission - please correct the following :-
  Please supply your Firstname AND Surname ...
  Name : Dave Mullen
  [SUBMIT]
  Oops' looks like some problems with your submission - please correct the following :-
  You are from Thailand, where people don't always HAVE surnames - please just supply your Name ...
  Name : Dave
  [SUBMIT]
  Oops' looks like some problems with your submission - please correct the following :-
  Please supply a full telephone number with area code ...
  Telephone : 0066 12345678
  [SUBMIT]
  Oops' looks like some problems with your submission - please correct the following :-
  Country code should start with + ...
  Telephone : +66 12345678
  [SUBMIT]
  Oops' looks like some problems with your submission - please correct the following :-
  Please supply an area code ...
  Telephone : +66 99 12345678
  [SUBMIT]
  Oops' looks like some problems with your submission - please correct the following :-
  February 29th is not a valid date because 2000 is not a leap year.
  BY WHICH TIME, *IF* THE USER IS STILL HERE, YOU HAVE THOROUGHLY PISSED HIM OFF, AND MADE NO LESS THAN 6 SUBMISSIONS TO THE SERVER FOR SOME CRAPPY VALIDATION THAT COULD HAVE ALL BEEN TRAPPED ON THE CLIENT SIDE.
  If that's the web you want, then it's your choice I suppose.
16. Re:noscript by BenoitRen · 2008-11-13 02:38 · Score: 1
  
  Good for you. But it won't help the servers.
Infiltration by Anonymous Coward · 2008-11-12 07:24 · Score: 2, Funny

SecureWorks: Can I have a copy of your super secret automated tool?
ChineseUnderground: No...
1. Re:Infiltration by Kent+Recal · 2008-11-12 17:08 · Score: 1
  
  Probably more like:
  *** Joined #ChineseUnderground
  Can I have a copy of your super secret automated tool?
  *** Mao set mode +b *!*@secureworks.com
  *** Kicked from #ChineseUnderground by Mao (No.)
2. Re:Infiltration by Kent+Recal · 2008-11-12 17:10 · Score: 2, Funny
  
  *** Joined #ChineseUnderground
  <SecureWorks> Can I have a copy of your super secret automated tool?
  *** Mao set mode +b *!*@secureworks.com
  *** Kicked from #ChineseUnderground by Mao (No.)
  (sorry, crapdot ate the brackets)
Meanwhile... by girlintraining · 2008-11-12 07:25 · Score: 1

Secureworks... Announcing the fact that you're trying to covertly gain access to these tools rather defeats the point don't you think? It's like going into the ghetto with a sign on your back that says "Undercover Drug Officer". Secureworks, I see two possibilities for this level of stupidity; Management, and your researchers. If by some statistical fluke it was your researchers that had the idea of publicizing this... please have your researchers develop some street smarts and common sense. I don't mean this as a dig at you; This is professional advice... Get them out of the labs and back into the real world and do it now before you really embarass yourself. Now, the more likely answer is someone in management thought this would be a great opportunity for publicity. Shoot them... and use silver bullets. PHBs are notoriously hard to kill.

--
#fuckbeta #iamslashdot #dicemustdie
1. Re:Meanwhile... by An+ominous+Cow+art · 2008-11-12 07:47 · Score: 1
  
  > PHBs are notoriously hard to kill.
  Only if you're working for the ship's cook.
2. Re:Meanwhile... by jeffmeden · 2008-11-12 07:49 · Score: 1
  
  The post you read must have looked like this:
  "Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground using the alias of S00p3r-1337 in an attempt to convince them to e-mail a copy of the stealthy new automated tool being used in the attacks to viruscheckers@secureworks.com"
  Which is weird because that's not what I saw...
3. Re:Meanwhile... by atraintocry · 2008-11-12 10:42 · Score: 1
  
  Here's what I saw: maybe the crackers in general will be a little bit more careful now that this news came out. Maybe that will make SW's attempts at getting a copy of the tool harder.
  The screwed up thing here is that no one needs to be trying to get it in the first place. Just prevent the damn SQL injection attack in the first place. Instead of looking at every single coding problem and saying "omg! i can parse this string by hand! yay!"
  The fact that this a particularly nasty automated exploit does not mean that these people don't deserve to get it. If the exploits could somehow destroy the app's code instead of the database, maybe people would learn the first time, and not simply "remove the malicious code from their sites" and hope that (apparently through magic) they won't get hit again.
  Perhaps SW knows this, but they just want some publicity. In which case, it doesn't matter if they even track down a copy. What could they hope to learn from it anyway? Probably not much beyond "don't assign shitty coders to a project involving an internet-facing database".
4. Re:Meanwhile... by Anonymous Coward · 2008-11-12 12:29 · Score: 0
  
  I'm sure Casey Ryback would like to have a word with you.
5. Re:Meanwhile... by An+ominous+Cow+art · 2008-11-12 12:43 · Score: 1
  
  Oops, I mixed up the "Under Siege" movies with the "Hard to Kill" movies, both starring Steven Seagal.
Infected Websites by sexconker · 2008-11-12 07:26 · Score: 3, Interesting

Can someone explain to me how websites get infected?
Oh, that's right, running ads and other shit from shady people (directly or indirectly).
I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.
1. Re:Infected Websites by sexconker · 2008-11-12 07:29 · Score: 1
  
  Just so we're clear, that includes flash and pdf.
2. Re:Infected Websites by corsec67 · 2008-11-12 07:41 · Score: 1
  
  Oh, that's right, running ads and other shit from shady people (directly or indirectly).
  The article says that the websites are getting hit with a sql injection attack, so ads shouldn't be the problem, unless the ad server is vulnerable.
  This probably has nothing to do with ads and more to do with failing to validate user input. (Obligatory xkcd reference)
  
  --
  If I have nothing to hide, don't search me
3. Re:Infected Websites by sexconker · 2008-11-12 08:22 · Score: 1
  
  In this case, yes, but see above:
  I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.
4. Re:Infected Websites by CaptSaltyJack · 2008-11-12 08:55 · Score: 1
  
  You know not what you're talking about.
  SQL injection attacks involve passing SQL code through the query-string. On a simple level:
  
  http://www.somesitezzz.com/page.asp?name=about
  
  An attacker sees that, and changes the URL in their browser to:
  
  http://www.somesitezzz.com/page.asp?name=about'+and+some+other+malicious+SQL+code--
  
  Of course, that's on a very simplistic level. They do much worse things, like throw in entire coded blocks of SQL code to do all kinds of malicious things, like insert script tags pointing to their site.
  More sophisticated attackers have bots that have a catalog of online stores' known weaknesses (for instance, CandyPress - piece of garbage), and it knows exactly which pages to target.
5. Re:Infected Websites by Hatta · 2008-11-12 09:16 · Score: 1
  
  I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.
  I really wish websites would simply stop expecting me to run their code.
  
  --
  Give me Classic Slashdot or give me death!
6. Re:Infected Websites by sexconker · 2008-11-12 10:23 · Score: 1
  
  Are you joking?
  Sanitize your inputs and you've defeated SQL injection.
7. Re:Infected Websites by CaptSaltyJack · 2008-11-12 10:26 · Score: 1
  
  Obviously. How is my post "joking"? I'm just explaining how it works. The solution is pretty straight-forward, but you'd be surprised how many e-commerce stores ship with vulnerable code.
8. Re:Infected Websites by sexconker · 2008-11-12 10:31 · Score: 1
  
  Agreed!
9. Re:Infected Websites by sexconker · 2008-11-12 10:44 · Score: 1
  
  Which is exactly my point!
  Most websites taking orders online simply used a cookie cutter ecommerce front end that they get free/cheap with their hosting.
10. Re:Infected Websites by atraintocry · 2008-11-12 10:47 · Score: 1
  
  My understanding was that people are passing input as a big string and then turning that into queries instead of doing it the right way, which is passing parameters.
11. Re:Infected Websites by CaptSaltyJack · 2008-11-12 10:53 · Score: 1
  
  Agreed. I guess I just disagreed with:
  
  Oh, that's right, running ads and other shit from shady people (directly or indirectly).
  Nothing to do with shady. Even some reputable carts have holes in them. Some programmers are more meticulous than others. :)
12. Re:Infected Websites by sexconker · 2008-11-12 12:09 · Score: 1
  
  Hence, indirectly.
13. Re:Infected Websites by Anonymous Coward · 2008-11-13 02:25 · Score: 0
  
  A friend gets lots of calls from end users complaining that his company's site contains porn ads. "Actually Ma'am, our site does not contain porn ads, you have downloaded a virus that is replacing all ads on every page you visit with the same porn ad. You probably got this virus when someone in your household was surfing for porn".
This disgusts me by 77Punker · 2008-11-12 07:28 · Score: 3, Insightful

I develop web applications for a living right now and as someone who's only been in this game for a few months, this disgusts me. I already know how to prevent SQL injection with prepared statements. It's easy to do and requires no extra knowledge, so why doesn't everyone do this?
1. Re:This disgusts me by Anonymous Coward · 2008-11-12 07:32 · Score: 1, Insightful
  
  You might know, but the intern who developped the crappy PHP4 app 8 years ago did not, and it would cost too many man days to fix the code.
2. Re:This disgusts me by Rycross · 2008-11-12 07:33 · Score: 3, Insightful
  
  The problem is a frightening amount of training material on the web uses concatenated SQL strings to teach SQL. Pull up your average PHP/.Net/Java SQL tutorial and odds are that it will be concatenating strings. Throw that in with the fact that roughly half of the programmers reading that are going to be below average, and there you go.
3. Re:This disgusts me by tripdizzle · 2008-11-12 07:38 · Score: 0, Troll
  
  Not trying to insult here (I'm no programmer), but since you say you've been doing what you are doing for just a few months, I am guessing the attack is a more advanced than what your prepared statements are going to block, since a major site like travelocity is being hit, and Kaspersky is not yet able to find a solution.
  
  --
  "A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
4. Re:This disgusts me by Pope · 2008-11-12 07:41 · Score: 4, Funny
  
  I'd say fully half of all the programmers are going to be below average...
  
  --
  It doesn't mean much now, it's built for the future.
5. Re:This disgusts me by 77Punker · 2008-11-12 07:44 · Score: 4, Funny
  
  I'd say fully half of them will be below median.
6. Re:This disgusts me by Yetihehe · 2008-11-12 07:45 · Score: 1
  
  It's very often simple laziness. In latest project which I'm working on I did one function: function q($str). It's even easier to use than prepared statements, it just filters everything not supposed to be there. But why other dev's don't always use it is beyound me.
  
  --
  Extreme Programming - Redundant Array of Inexpensive Developers
7. Re:This disgusts me by corsec67 · 2008-11-12 07:45 · Score: 3, Insightful
  
  Throw that in with the fact that roughly half of the programmers reading that are going to be below average
  Um for anything that is approximately normally distributed,... half of the X are going to be below average. (Especially if it is a continuous variable and you use the median)
  
  --
  If I have nothing to hide, don't search me
8. Re:This disgusts me by Anonymous Coward · 2008-11-12 07:54 · Score: 1, Insightful
  
  I say that fully half of programmers will be below median assuming theres an even number of programmers.
  All bets are off if theres an Odd number of programmers.
9. Re:This disgusts me by Jeff+Hornby · 2008-11-12 07:55 · Score: 1
  
  No, he's right. Prepared statements are how you block SQL Injection attacks.
  
  --
  Why doesn't Slashdot ever get slashdotted?
10. Re:This disgusts me by spiffmastercow · 2008-11-12 07:56 · Score: 1
  
  That depends on two things:
  1.) Are there equal programmers?
  2.) Is the number of programmers even or odd?
11. Re:This disgusts me by NNKK · 2008-11-12 07:58 · Score: 4, Informative
  
  You're right, you're no programmer. Go read up:
  http://en.wikipedia.org/wiki/SQL_injection
  Prepared (or parametrized) statements are an easy and absolute defense against SQL injection attacks. The OP is right, the fact that such attacks still succeed is disgusting and inexcusable.
12. Re:This disgusts me by 77Punker · 2008-11-12 08:01 · Score: 2, Funny
  
  The more I think about it, the more I think your post should read
  "...disgusting, inexcusable, and potentially hilarious."
13. Re:This disgusts me by Not+The+Real+Me · 2008-11-12 08:06 · Score: 1
  
  "...Pull up your average PHP/.Net/Java SQL tutorial and odds are that it will be concatenating strings..."
  That and I run into programmers who have over ten years working in the field who absolutely refuse to work with databases any other way. They freak out when you tell them data access is via parameterized stored procedures.
14. Re:This disgusts me by larry+bagina · 2008-11-12 08:15 · Score: 1
  
  I'm not sure how that's simpler, but you might still be vulnerable with invalid utf-8 strings.
  
  --
  Do you even lift?
  These aren't the 'roids you're looking for.
15. Re:This disgusts me by tripdizzle · 2008-11-12 08:15 · Score: 1
  
  Then why hasn't Kaspersky or Travelocity figured this out?
  
  --
  "A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
16. Re:This disgusts me by Emb3rz · 2008-11-12 08:21 · Score: 4, Insightful
  
  The idea of a SQL Injection attack is to pass a parameter in such a way that it changes the structure of the query itself. Typical beginner's SQL query:
  
  sql = "SELECT * FROM Users WHERE Username = '" & Request.Form("Username") & "' AND Password = '" & Request.Form("Password") & "';"
  
  This uses 'String Concatenation' to build a line of text from several smaller parts. The completed string is then, in this example executed by a database. A new query is dynamically created and executed based on the text passed to it. Thus, we are able to at this point change what query will be run. Form data:
  
  Username = "Admin" Password = "x' OR 'e' = 'e"
  
  So when the string is being put together, we get:
  
  SELECT * FROM Users WHERE Username = 'Admin' AND Password = 'x' OR 'e' = 'e';
  
  Certainly, even with no programming experience, one can see that the letter E will always be equivalent to the letter E. Thus, any validation of the password will return a false positive.
  Prepared statements avoid this whole deal by only allowing you to pass parameters. The query is already set in stone. You cannot change how it basically works, only its criteria / filtering / etc. A prepared statement would execute basically:
  
  SELECT * FROM Users WHERE Username = "Admin" AND Password = "x' OR 'e' = 'e";
  
  Since the query does not change dynamically when it's executed as a prepared statement, you can't add your logical 'OR' operator after having broken out of your parameter. You just get no rows returned, as should be the case.
17. Re:This disgusts me by dzfoo · 2008-11-12 08:22 · Score: 1
  
  I agree. Headlines with "SQL injection" make me chuckle; but including Travelocity.com and other high profile sites in the victims list is priceless!
  -dZ.
  
  --
  Carol vs. Ghost
  ...Can you save Christmas?
18. Re:This disgusts me by 77Punker · 2008-11-12 08:24 · Score: 3, Insightful
  
  Kaspersky can't figure it out because a virus scanner can't fix a web application. Fixing SQL injections is beyond their realm.
  Travelocity can't figure it out because their developers must suck. Travelocity is well-known because they have a decent service, not because the software that runs the service is really great software.
19. Re:This disgusts me by delirium28 · 2008-11-12 08:24 · Score: 2, Insightful
  
  They're most likely trying to find a solution that doesn't require them to revisit and re-code a large portion of their site. They most likely want a band-aid solution rather than fix the underlying problem.
  
  --
  Who is John Galt?
20. Re:This disgusts me by Emb3rz · 2008-11-12 08:26 · Score: 4, Insightful
  
  You're working off of the false assumption that security is about knowledge.
  We know abundantly well exactly how SQL injection attacks occur, and we also have many tools at our disposal to -absolutely- prevent them. What we don't have is the cooperation or effort from programmers on a widespread basis. Many are simply too lazy to research and implement reasonable security measures. It's easier to pretend that there are no ways whatsoever that anything can go wrong with your code because when you tested it it worked right. This willfull turning a blind eye to well-established security caveats is what has given us this terrible and prevalent security problem. It's easier to write code that checks nothing, it's quicker to do so, and it requires less think-juice on the part of the lazy programmer.
21. Re:This disgusts me by dzfoo · 2008-11-12 08:26 · Score: 1
  
  Kaspersky has, I can assure you; they just figured that there will always be stupid programmers out there doing crap, buggy code, and decided to help mitigate the consequences.
  As for Travelocity, they probably hired cheap programmers or a third-party contractor who employs inexperienced code monkeys. Bad programmers are more common than you think!
  -dZ.
  
  --
  Carol vs. Ghost
  ...Can you save Christmas?
22. Re:This disgusts me by blincoln · 2008-11-12 08:27 · Score: 1
  
  Prepared (or parametrized) statements are an easy and absolute defense against SQL injection attacks.
  They're actually not an absolute protection. If anything you are doing ends up working with stored procedures that do concatenation internally, your prepared statements can still end up allowing a SQL injection.
  Prepared statements are a very, very good idea that provides a lot of built-in resistance to SQL injection, but they're not bulletproof.
  
  --
  "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
23. Re:This disgusts me by dzfoo · 2008-11-12 08:31 · Score: 1
  
  Well, of course, you should never underestimate the tenacity of stupid programmers.
  
  --
  Carol vs. Ghost
  ...Can you save Christmas?
24. Re:This disgusts me by Anonymous Coward · 2008-11-12 08:42 · Score: 0
  
  I believe you missed the joke.
25. Re:This disgusts me by JoelisHere · 2008-11-12 08:42 · Score: 1
  
  More than likely the lack of cooperation is more from the managers and project managers that when told by their programmers that all their SQL queries need to be rewritten to use prepared statements to prevent SQL injection attacks, response was, "Well we haven't had any problems yet. And that would take too long."
26. Re:This disgusts me by overunderunderdone · 2008-11-12 08:47 · Score: 1
  
  *woosh*
27. Re:This disgusts me by CodeBuster · 2008-11-12 09:04 · Score: 2, Insightful
  
  Throw that in with the fact that roughly half of the programmers reading that are going to be below average, and there you go.
  That is what comes of outsourcing and offshoring especially, but there are still managers out there who refuse to acknowledge what I like to call the Iron Law of Software Development or more generally the Project Triangle (good, fast, cheap...pick two).
28. Re:This disgusts me by bertok · 2008-11-12 09:36 · Score: 1
  
  It's easier to pretend that there are no ways whatsoever that anything can go wrong with your code because when you tested it it worked right.
  Not if the QA guy is even halfway competent. I had a website tested recently by a pro, and the first thing he did was enter various horrible things into every textbox, including all of the fun variants of "DROP DATABASE". Then he started doing even worse things to the URL. If your web app can't stand up to things a human being can enter, don't expect to last long against the internet and script kiddies!
29. Re:This disgusts me by Anonymous Coward · 2008-11-12 09:38 · Score: 0
  
  Or maybe it is poor planning and budgeting from management that doesn't allow enough time for software to be well architected and programmed. Or maybe the low cost offshore "programmer" in Bangladesh/Chennai/someOtherShithole is giving them what they paid for.
30. Re:This disgusts me by ais523 · 2008-11-12 09:42 · Score: 1
  
  No, he's right. Prepared statements are how you block SQL Injection attacks.
  Or parametrised statements are also an absolute defence against them; not as fast, but they're what I use for one-off quick programs that don't need to be efficient or production-quality. (I don't see why such quick programs should have to be insecure, though; using a technique that blocks SQL injection altogether - and let's face it, it's not difficult - is greatly preferable to having your website serving other people's viruses.)
  
  --
  (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
31. Re:This disgusts me by Ibiwan · 2008-11-12 09:46 · Score: 1
  
  If you're going to break out the pedantry, at least go all the way.
  
  There are many commonly-used ways to calculate averages, among which are medians, geometric means, and modes.
  
  The fact that "arithmetic mean" is also a type of average does not mean all averages require normal distributions to have a meaningful property like "50% of a population will fall below..."
  
  --
  -- //no comment
32. Re:This disgusts me by deraj123 · 2008-11-12 09:49 · Score: 1
  
  This is really not an appropriate solution. "everything not supposed to be there" relies on knowing what isn't supposed to be there. If you know exactly what's supposed to be there in the first place, why even have dynamic queries? Besides, is concatenating my query in code really easier than defining a query with parameters, and then just copying the parameters from the input form to the query? I've yet to see a filtering function that provides the same level of security as PreparedStatements.
33. Re:This disgusts me by deraj123 · 2008-11-12 09:50 · Score: 1
  
  Very true. One should say that you need to ALWAYS use parameterized or prepared statements. Concatenating at any point, even within stored procedures, will expose you to SQL Injection attacks.
34. Re:This disgusts me by corsec67 · 2008-11-12 09:52 · Score: 1
  
  I did, "(Especially if it is a continuous variable and you use the median)"
  
  --
  If I have nothing to hide, don't search me
35. Re:This disgusts me by Rycross · 2008-11-12 10:02 · Score: 1
  
  Well there are good offshore companies, but when a company off-shores they tend to do so to save money, which means they go for the cheap and crappy companies. Unfortunately, because a lot of these places are a growing market, there tend to be an abundance of the cheap places, who subsequently stock up on poor programmers. The hatchet of the market hasn't had opportunity to trim the fat yet. You'd see a lot of the same stuff going on if you looked at what some companies in the late 90's were producing in America.
36. Re:This disgusts me by joost · 2008-11-12 10:20 · Score: 1
  
  What doesn't help is that the standard PHP distribution has no support for prepared statements. You have to compile with mysqli and most distributions don't go to that trouble. And if you go out of your way to use mysqli, you can't use half the documentation on the web and certainly not the documentation on php.net.
  It does reinforce my belief that PHP is for script kiddies and unsuitable for serious web development. Businesses still relying on it will find out the hard way in the coming years, because teh php community will keep falling further behind.
37. Re:This disgusts me by profplump · 2008-11-12 10:26 · Score: 1
  
  I agree that parameterized statements are the way to go, but in many cases it *is* pretty easy to filter input that shouldn't be present, and using both techniques together can provide protection from things other than SQL injection.
  In many instances you may simply be able to allow only \w or \w\s\.\- without ever destroying valid input. Even if you have wider input requirements it's often possible to drop anything outside the normal printable range and any quoting characters (where "quoting characters" may vary based on your storage and presentation systems).
38. Re:This disgusts me by deraj123 · 2008-11-12 10:41 · Score: 1
  
  Yes, in some cases it is possible. However, I would argue that it is much more likely that you will either miss something that is harmful, or inadvertently place unnecessary restrictions on input.
  I should note that I don't consider parameterized statements to be a replacement for input validation. You should still make sure that your input makes sense for the data it is supposed to represent. However, filtering for "harmful characters" really shouldn't need to be a part of this.
39. Re:This disgusts me by Anonymous Coward · 2008-11-12 10:48 · Score: 0
  
  Headlines with "SQL injection" make me chuckle
  I was going to tattoo "SQL" on my penis, just to share this amazing joke.
  Unfortunately, the tattoo artist couldn't make it fit.
40. Re:This disgusts me by atraintocry · 2008-11-12 10:51 · Score: 1
  
  Until your database gets dropped, then there's plenty of time, since you won't have those pesky customer orders to deal with :)
41. Re:This disgusts me by tenco · 2008-11-12 10:55 · Score: 1
  
  Standard deviation = 0
42. Re:This disgusts me by atraintocry · 2008-11-12 10:59 · Score: 1
  
  You'd think so, wouldn't you? It makes sense that such a widespread problem would have to have some sort of complicated solution.
  Unfortunately, the reality is that the solution is in fact simple, but yes everyone *really is that stupid*.
  Or the company is cheap, so they hire a crap programmer. This is the same as deciding you'd rather get hit than have any sort of minimum standard when it comes to your code. So they get hit. Not a huge suprise to anyone, except the security researchers, who get publicity by playing it like "good vs. evil" rather than "stupid companies deserve what they get".
43. Re:This disgusts me by sgbett · 2008-11-12 11:15 · Score: 1
  
  I wish people would stop blaming php. Bad programmers write bad code regardless of language.
  
  --
  Invaders must die
44. Re:This disgusts me by Rycross · 2008-11-12 11:29 · Score: 2, Informative
  
  Languages can make bad code harder or easier to write however. Its perfectly acceptable to blame a language if it makes it hard to do things the "right way." I'm not much of a PHP hater, but a lot of stuff that they've done with the language makes me roll my eyes.
45. Re:This disgusts me by Anonymous Coward · 2008-11-12 11:39 · Score: 0
  
  Go ActiveRecord, forget SQL.
46. Re:This disgusts me by kv9 · 2008-11-12 11:41 · Score: 1
  
  What doesn't help is that the standard PHP distribution has no support for prepared statements.
  yes it does.
  
  You have to compile with mysqli and most distributions don't go to that trouble.
  mysqli is an extension, and installing that module is just a pecl/apt-get/yum/pkg_add away. PHP has gobs of functionality implemented as modules, which you can add/remove as needed.
  
  And if you go out of your way to use mysqli, you can't use half the documentation on the web and certainly not the documentation on php.net.
  why not? the documentation seems on par with the rest.
  
  It does reinforce my belief that PHP is for script kiddies and unsuitable for serious web development.
  script kiddies are unskilled people that run other peoples scripts/programs for nefarious purposes on the interwebs. at least get your insults right, your UID is low enough.
  
  Businesses still relying on it will find out the hard way in the coming years, because teh php community will keep falling further behind.
  I agree with the low barrier of entry and questionable quality of most programmers, but if you know what you're doing PHP can get you far. and that also goes for all popular languages.
  
  --
  Stop Computers/Cars Analogies on S
47. Re:This disgusts me by Anonymous Coward · 2008-11-12 11:47 · Score: 0
  
  Why do beginners write SQL in webapps at all? The 90s are over. There are ways to encapsulate database commands, with the added benefit that you can switch your backend to XML or whatever.
48. Re:This disgusts me by sgbett · 2008-11-12 11:48 · Score: 1
  
  I accept php is not awesome, but what is it that is being made hard, and is it something relevant in a language that is(should be) being used to generate dynamic (x)html?
  With regard to the case in point it's certainly not hard to use mysqli and prepared statements
  .
  
  --
  Invaders must die
49. Re:This disgusts me by Anonymous Coward · 2008-11-12 12:48 · Score: 0
  
  Sorry, and thanks for the link.
50. Re:This disgusts me by Ibiwan · 2008-11-12 13:05 · Score: 1
  
  If you're using a median, why go to all the trouble of specifying the other caveats?
  
  --
  -- //no comment
51. Re:This disgusts me by pod · 2008-11-12 13:05 · Score: 1
  
  Because it takes 10 seconds to pop in a query in place, vs 10 minutes to do it with abstraction, even assuming the framework (libraries and includes) is built and in place for the web project.
  
  --
  "Hot lesbian witches! It's fucking genius!"
52. Re:This disgusts me by Anonymous Coward · 2008-11-12 13:33 · Score: 0
  
  Excellent example.
  I might add that MySQL's quote() function also disables this type of attack.
  
  mysql> select * from Users where Username=quote("victim") and Password=quote("x' OR 'e' = 'e");
  Empty set (0.00 sec)
53. Re:This disgusts me by Anonymous Coward · 2008-11-12 14:15 · Score: 0
  
  Or you could simply sanitise your input with a regular expression.
  
  Alpha & numeric only: "/[^A-Za-z0-9]/"
  
  Run that code through a regex replace function before doing anything sensitive, like database transactions for example.
54. Re:This disgusts me by Anonymous Coward · 2008-11-12 14:17 · Score: 0
  
  i get the math, but i still think most of them are below average (for extremely large values of x)
55. Re:This disgusts me by Smauler · 2008-11-12 14:33 · Score: 1
  
  Hah! That's where you're wrong. In my house, only a third of the programmers are below the median of the house.
56. Re:This disgusts me by Anonymous Coward · 2008-11-12 14:39 · Score: 0
  
  ok, this thread isn't funny anymore...
57. Re:This disgusts me by waltjones · 2008-11-12 15:12 · Score: 1
  
  This description of a SQL injection attack is completely correct. However the method that appears to have been used in this case is different, and unfortunately much simpler for the attacker.
  
  Rather than manipulating the actual SQL statement syntax, they are merely adding a malicious script tag to a text field. The contents of the text field are not sanitized, and are saved to the database as is. Later, when the text is dynamically displayed in the browser, the script tag is included, and is executed by the client browser.
  
  The reason you will not find the offending code by inspecting all your HTML (or whatever templating language you use) is because it is actually in your SQL database. Thus, this attack only works on sites that display dynamic content.
  
  Any and all developers should be sanitizing any and all text that will later be displayed in a browser. Even sites that are well written against the kind of attack Emb3rz describes, seem to often overlook this simple vulnerability.
58. Re:This disgusts me by Fulcrum+of+Evil · 2008-11-12 15:25 · Score: 1
  
  What do you mean 'rewritten'? The only time I ever write non parameterized queries is when I'm datahumping in sqlplus
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
59. Re:This disgusts me by fbjon · 2008-11-12 16:22 · Score: 1
  
  Using input validation to avoid malicious attacks requires enumerating evil, which is a bad idea. Use prepared statements early and often. If you later discover that a prepared statement doesn't really need to be prepared, hesitate before changing anything, because it might need some parameters in the future, and a future lazy coder will inevitably open up an injection point.
  Executing a concatenated string of sql is completely safe only when dealing with entirely internal variables that are never under any circumstances touched by outside influence, today or in the future. It may seem strict, but reckless coding is full of bugs.
  
  --
  True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
60. Re:This disgusts me by corsec67 · 2008-11-12 17:20 · Score: 1
  
  Just because you are using the median doesn't mean half of the people are going to be above the median and half below.
  For example, if everyone is exactly the same in whatevery parameter, then everyone is going to be at the median, and nobody is above or below the median.
  Or if the variable is a boolean, and at least one person is true and another is false, then if the majority is, say, true, the minority are going to be below the median and the rest are going to be equal to the median.
  
  --
  If I have nothing to hide, don't search me
61. Re:This disgusts me by dkf · 2008-11-12 20:37 · Score: 1
  
  Any and all developers should be sanitizing any and all text that will later be displayed in a browser.
  Actually, you should be sanitizing on output so that all characters with special meaning for HTML are quoted, with particular attention on angle brackets. If you feel you have to allow HTML-like tags (e.g. such as /. does) then allow only exact forms and sanitize everything else, so you don't get caught out by attributes. And don't forget to test your sanitizer with evil cases.
  It's probably better to consider using a proper HTML templating library.
  
  --
  "Little does he know, but there is no 'I' in 'Idiot'!"
62. Re:This disgusts me by chord.wav · 2008-11-13 00:32 · Score: 1
  
  This doesn't come of outsourcing. There are [lazy coders | greedy managers] everywhere in this planet.
  IMHO, problem is an inherent flaw in capitalism, as companies are more directly rewarded by maximizing profits at all costs than by doing the right thing.
63. Re:This disgusts me by Emb3rz · 2008-11-13 02:05 · Score: 1
  
  Many of the attacks that I recall seeing used SQL injection in an inventive way to execute a nasty query that affected all text fields in a database by use of data from system tables. It was not like, for instance, including a script tag in your signature and slashdot outputting it, it was like maliciously inserting a script tag into every single post, username and signature at the same time.
64. Re:This disgusts me by waltjones · 2008-11-13 05:19 · Score: 1
  
  I agree whitelist is the way to go.
  
  However, I don't literally sanitize on output for perf reasons... the filter would run on every render. I do maintain two separate DB columns for every user input field that is ever displayed in the browser. One is the input/edit field, the other is the sanitized output field. So, this really is sanitize-on-output, with cached output.
  
  Also, my sites use a subset of Textile for markup, so all angle brackets are escaped.
65. Re:This disgusts me by waltjones · 2008-11-13 05:26 · Score: 1
  
  I agree, and as I continue to read about this particular attack, it may be a true SQL statement injection. (Also, for some reason they linked this to ASP sites?)
  
  My point, I guess, is that in order to affect thousands of sites, one need not try that hard these days. A lot of frameworks are providing automatic protection from SQL injection, but it's up to the developer to think about not displaying raw user input.... or blacklist "sanitized" input, which is easy to hack.
66. Re:This disgusts me by Emb3rz · 2008-11-13 06:30 · Score: 1
  
  The reason these attacks have been primarily cited as ASP vulnerabilities is because it's MSSQL that the attacks have been tailored to. Some of the features and system tables exposed by MSSQL make the attacks possible/easy.
67. Re:This disgusts me by waltjones · 2008-11-13 07:58 · Score: 1
  
  Right, I get it now. Thanks for the explanation.
68. Re:This disgusts me by PutonBackBurner · 2008-11-13 12:51 · Score: 1
  
  Though I do not the situation with the post you are referring to, we do have a problem with old code written by novice programmers years ago. There are neither stored procs or prepared statements for the sql queries. There was little or no validation for user input. Management will not allow us to devote any time to fix it, no manner how many times we explain the risk - even after we got hacked months ago by a mass attack. They are more concerned about 'moving forward' with new features to show the CEO. We patched it by black listing, but that will not solve the problem long term. It is appalling and insane.
Comment removed by account_deleted · 2008-11-12 07:29 · Score: 3, Informative

Comment removed based on user account deletion
The link above leads to an infected site by Anonymous Coward · 2008-11-12 07:29 · Score: 0

Not really - but it would be ironic if it was
Install a proxy by gfilion · 2008-11-12 07:35 · Score: 4, Interesting

We had this problem a few months back at work. Old but necessary asp web sites kept getting infected. It only took a few hours to install a reverse proxy with mod_security on EC2 and we were in the clear.
Full story on my blog:
http://guillaume.filion.org/blog/archives/2008/05/i_love_ec2_and_rightscale.php
1. Re:Install a proxy by merreborn · 2008-11-12 08:56 · Score: 3, Informative
  
  mod_security is a reactive security measure. It's blacklist based, which makes the classic error of attempting to "enumerate badness".
  While it's great if you've identified an existing threat to an application you cannot properly secure, it does nothing to protect you against future attacks using less obvious techniques.
  mod_security alone is not an adequate solution. It's still necessary to proactively write secure applications in the first place, which means making sure you're never allowing raw, unfiltered/unescaped user data into places where it shouldn't go.
yet another ugly side of DRM by Aoet_325 · 2008-11-12 07:36 · Score: 3, Insightful

"The toolkit is protected with a layer of digital rights management and appears to be sold mainly in China. "
this is why I don't believe in "Tusted" computing.
When software or hardware are used to take control of a computer away from that computer's owner bad things will happen.
1. Re:yet another ugly side of DRM by IamTheRealMike · 2008-11-12 09:51 · Score: 1
  
  lol,
  
  When software or hardware are used to take control of a computer away from that computer's owner bad things will happen.
  ... on an article about viruses. Yes well done, +1 Insightful. Never mind that trusted computing != DRM and that the most common use of TC is for security software, doh.
2. Re:yet another ugly side of DRM by Jack+Kuze · 2008-11-13 11:53 · Score: 1
  
  "When software or hardware are used to take control of a computer away from that computer's owner bad things will happen." . . Like an OS for instance? . . I know that a lot of people think that once they have downloaded something it belongs to them but consider this for a moment: Suppose that you point your camera at the bedroom window across the way where some very interesting things are happening and press the shutter button. Does the resulting image belong to you? Well, you might say that it does indeed since the image was caused by a modulated light stream which entered your home and not by anything which belonged to the participants in the neighbor's bedroom... You might say that if you wished but, as we all know, you would be wrong according to well accepted common law. If you were one of the participants in the bedroom, and not the one holding the camera you might have a completely different view of the situation.
Chinese underground by AragornSonOfArathorn · 2008-11-12 07:39 · Score: 4, Funny

Is it like Big Trouble in Little China, with the lightning ninjas and floating eye thing? Did they get Kurt Russel to help?
If so, that would be AWESOME.

--
sudo eat my shorts
1. Re:Chinese underground by Hatta · 2008-11-12 09:19 · Score: 1
  
  This Relentless web attack sounds more like a Little Big Adventure to me.
  
  --
  Give me Classic Slashdot or give me death!
2. Re:Chinese underground by Smauler · 2008-11-12 14:43 · Score: 1
  
  You know I spent half my life with people saying that Chinatown is a truly classic, engaging, subtle film, and I should definitely watch it. I'd tell them I have, and didn't rate it much. It was only recently that I realised I was confusing Big Trouble in Little China with Chinatown...
RTFA by mfh · 2008-11-12 07:41 · Score: 1

Thank you for that advertisement, but these are SQL Injection attacks, which an antivirus will not catch.
Didn't you RTFA? This story is about how Kaspersky caught the attacks... :S

--
The dangers of knowledge trigger emotional distress in human beings.
1. Re:RTFA by Bassman59 · 2008-11-12 08:12 · Score: 3, Funny
  
  Didn't you RTFA?
  You must be new here, in spite of that two-digit user ID!
2. Re:RTFA by Anonymous Coward · 2008-11-12 08:46 · Score: 3, Funny
  
  You must be new here, in spite of that two-digit user ID
  He probably is new. I saw Slashdot UID 56 for sale on E-Bay about a month ago for 17 cents or 4 sticks of Trident.
3. Re:RTFA by clustersnarf · 2008-11-13 07:00 · Score: 1
  
  You must be new here, in spite of that two-digit user ID
  He probably is new. I saw Slashdot UID 56 for sale on E-Bay about a month ago for 17 cents or 4 sticks of Trident.
  Damn! what is a 3 digit one worth? I'm out of Tic Tacs.
No DRM trolls? by genner · 2008-11-12 07:53 · Score: 4, Funny

Did everyone miss the fact that the toolkit resposible includes some hefty DRM.

Where's the outrage?
Why aren't we demmanding an open source solution?
Big Picture by mfh · 2008-11-12 07:55 · Score: 4, Interesting

It's a bloody SQL injection attack. I'd like to see your virus checker automatically rewrite your web application to use input filtering.
This is going to sound like a little bit of double speak but I'll remind you that Kaspersky found these attacks were happening. Also, they are studying the behavior. Furthermore, Kaspersky protects systems from nefarious things that attackers will do, regardless of how they get on the system. Nothing is perfect with Windows, but if you look at the options, Kaspersky is the best out there.
Now of course, if you want to insist that the attacks happen whether Kaspersky is running or not, you will be correct. But what you're not saying is how LIMITED the attackers are when trying to get past Kaspersky after they get on a system.
Noscript also helps, but isn't perfect either.

--
The dangers of knowledge trigger emotional distress in human beings.
1. Re:Big Picture by Arancaytar · 2008-11-12 13:42 · Score: 2, Informative
  
  Sorry, I see we're talking about different user groups.
  From the user perspective a virus scanner (and NoScript) will indeed protect you from installing malware on your computer, which may be downloaded from a hijacked website (XSS is a more common attack vector for that, but I've had an Invision forum hijacked via SQL injection too).
  I was speaking more from the perspective of the web admin whose site gets defaced, who won't get around some lessons on secure input handling. ;)
2. Re:Big Picture by mfh · 2008-11-13 03:47 · Score: 1
  
  I was speaking more from the perspective of the web admin whose site gets defaced, who won't get around some lessons on secure input handling. ;)
  I agree, but there are no number of lessons enough to teach an entrenched MSFT sysadmin or corporate purchasing agent how systems should work. They don't get it. They typically want more features because it makes sales easier, and they want the thing to work. Security is always a last-ditch concern for these guys. They don't know that security can come first if you start the project with inflexible security rules.
  Instead of relying on protection from outside packages that you have no control over, it's always better to write that stuff yourself so you know what it can do and what it can't.
  
  --
  The dangers of knowledge trigger emotional distress in human beings.
notSoGreat Firewall O' China by sgt+scrub · 2008-11-12 08:13 · Score: 1

Sure! They can block users from nasty ol' Capitolist porn. But, do they keep users from attacking overseas networks? Noooooo.
Sorry. I'm in touch with my inner child today.

--
Having to work for a living is the root of all evil.
1. Re:notSoGreat Firewall O' China by Anonymous Coward · 2008-11-12 10:20 · Score: 0
  
  The government only really cares what comes in as the stuff going out is likely to be patriotic anti-west drivel.
  You don't think peasants (or prisoners) have broadband, do you?
Comment removed by account_deleted · 2008-11-12 08:13 · Score: 2, Informative

Comment removed based on user account deletion
No kaspersky for me by jonaskoelker · 2008-11-12 08:24 · Score: 3, Funny

zsh% apt-cache search kaspersky zsh%
:(
No, it's not. by Bearhouse · 2008-11-12 08:44 · Score: 3, Informative

Your're right to publicise a good product that I also use and reccommend. However:
Most people that get caught by malware don't understand all these arcane details.
Most people use IE, (no noscript here..) and blindly click 'OK' when they cannot see the porn.
Bad web sites / pages don't just install viruses.*
1. Re:No, it's not. by Manfre · 2008-11-12 11:09 · Score: 1
  
  In response to people who blindly click 'OK', "You can't cure stupid".
  Viruses are just following darwinian evolution.
Obligatory by Riot.ATL · 2008-11-12 09:01 · Score: 1

http://xkcd.com/327/
Erm - yes, it was a joke... by Anonymous Coward · 2008-11-12 09:16 · Score: 0

I guess you need to have someone explain it...
What a job description. by mapkinase · 2008-11-12 09:27 · Score: 2, Funny

"researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks"
I wish my job description sounded as exciting as this one.

--
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
Where's the vulnerability by Animats · 2008-11-12 09:35 · Score: 1

I keep seeing "SQL injection", but injection into what? PHP? ASP? Plesk? Something else? Specific scripts, or the language engine itself?
1. Re:Where's the vulnerability by shawnce · 2008-11-12 09:57 · Score: 1
  
  "I keep seeing "SQL injection", but injection into what?" ...into anything that will then turn around and execute the tainted SQL query (dynamically generated).
With IIS, you can use a url scanning ISAPI dll by Anonymous Coward · 2008-11-12 09:51 · Score: 0

For example:
http://www.aqtronix.com/?PageID=99
Presto.. you're safe from sql injection
SQL in the HTML...! by Plugh · 2008-11-12 09:57 · Score: 1

Governmnent Website Appears To Be Designed Stupid

--
Part of the Second American Revolution!
Insightful? Nope. by Bearhouse · 2008-11-12 09:58 · Score: 1

If you're going to show off, do it right.
Many continuous distributions are not normally distributed, and no discrete distributions are. So don't understand the 'especially if it is a continuous variable' part. Should be 'only if'.
He said the average, not the median. Sure, for a perfect normal distribution all 3 measures of central tendancy are the same - mean, median & mode. Of course, in real life this never happens.
So the other AC got it right...'fully half if even number' is only right interpretation for all cases.
Meanwhile, your point was?
Trust by mfh · 2008-11-12 10:00 · Score: 2, Insightful

Okay keep using Noscript. I don't have a problem with that, but be warned that you are not fully protected by Noscript when the website you TRUST is attacked by an exploit like SQL injection, because YOU TRUST THAT WEBSITE.
White-lists are better than no-lists, but they aren't perfect.

--
The dangers of knowledge trigger emotional distress in human beings.
Which is.... by Namlak · 2008-11-12 10:12 · Score: 1

...roughly half of them being below average, as the OP pointed out.

Thanks all for playing a rousing round of Pageant of Pedants.
McColo? by Ungrounded+Lightning · 2008-11-12 10:18 · Score: 2, Insightful

I wonder how many of the malicious servers the injected SQL dumped the users into were hosted on McColo - and are thus now not available?

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Why Are There Even SQL Injection Attacks in 2008? by smack.addict · 2008-11-12 10:20 · Score: 1

Seriously, SQL Injection is one of the simplest attack vectors to prevent. If you can't prevent SQL injection, you should not be allowed to write a web application.
Re:Trust (not exactly) by Giorgio+Maone · 2008-11-12 10:56 · Score: 1

NoScript is likely to protect you anyway

--
There's a browser safer than Firefox, it is Firefox, with NoScript
Don't rely on FlashBlock for security... by Giorgio+Maone · 2008-11-12 11:08 · Score: 2, Insightful

FlashBlock is handy, but not a security tool.

--
There's a browser safer than Firefox, it is Firefox, with NoScript
Obama is Only 1/2 by iconic999 · 2008-11-12 11:49 · Score: 0, Offtopic

He's only half black. He's also half white.
WTF is this article ACTUALLY about?? by scurvyj · 2008-11-12 11:52 · Score: 1

Can somebody clarify this article?? Wtf has SQL got to do with javascript??
And not only that - WHICH SQL server??
I'm guessing its a proprietary one made by a certain large company legendary for their crashware and cheezy interfaces but maybe thats unfair.
Who would know!! IT Journalism standards have dropped through the floor unbelievably.
1. Re:WTF is this article ACTUALLY about?? by skis · 2008-11-12 12:29 · Score: 1
  
  SQL injection does not exploit the SQL server at all, it exploits a vulnerability in the webapp that is sending the SQL query.
  
  If there is SQL injection in an INSERT or UPDATE query, the attacker might be able to insert javascript into the database which might then be sent back to the users in the place of real content (e.g. article text). Basically, persistant XSS via SQL injection.
2. Re:WTF is this article ACTUALLY about?? by nilbog · 2008-11-12 12:46 · Score: 1
  
  Seriously - this article lacks some pertinent details. It's like if I released a sensationalist headline "certain cars prone to suddenly exploding!" and then failed to mention which cars.
  At any rate, I will assume it's Microcraps fault and continue to go about my business.
  
  --
  or else!
Re:Trust (not exactly) by mfh · 2008-11-12 12:25 · Score: 1

Devil's advocate... once you have access to the database, you could have root. With root you could host the JS off in the rhubarb on the victim server, where it could be called from within rewritten field data wherever HTML would be expected. On sites like travelocity (one of the targeted websites) this could be anything from the CMS story/article fields to the ad banner code... sky is the limit and that also explains one possible avenue for repeat attacks, post-patch.
Therefore while in SOME CASES, Noscript keeps you safe -- it's not 100%.

--
The dangers of knowledge trigger emotional distress in human beings.
Comment removed by account_deleted · 2008-11-12 13:27 · Score: 1

Comment removed based on user account deletion
Can PHP/ASP/etc do more? by jonwil · 2008-11-12 14:49 · Score: 1

Why cant web dev languages (PHP/ASP/Java etc) and databases add language features to A.Make writing database driven web apps the RIGHT way easier than doing it the WRONG way and B.Sanitize database inputs to stop this rogue SQL before it gets run by the database?
1. Re:Can PHP/ASP/etc do more? by Fulcrum+of+Evil · 2008-11-12 15:30 · Score: 1
  
  They did - parameterized queries are easy as pie. Problem is, any idiot can do it wrong, and people keep hiring those idiots.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
2. Re:Can PHP/ASP/etc do more? by jonwil · 2008-11-12 16:09 · Score: 1
  
  What they need to do is to detect when people are using unsafe SQL queries (i.e. the ones that cause SQL injections) and warn you. Visual C++ has all kinds of options to warn if your program has potential buffer overflows or the like, why cant ASP/ASP.NET (and others) have something to warn that you are using unsafe SQL queries (and in a way that makes it clear what you need to do to fix it). More to the point, where are these idiots getting their SQL skills and why arent the resources (books, classes etc) changing the way they teach/demonstrate/talk about/etc SQL so that they only discuss the safe ways of doing it.
  Also, we need managers to start caring about this problem so that they insist their database guys use safe SQL queries.
  Its like you parking your car in a bad area and having it broken into/stolen time and again and yet you dont spend any money adding an alarm or other measures to make your car less likely to be broken into.
3. Re:Can PHP/ASP/etc do more? by Fulcrum+of+Evil · 2008-11-12 17:01 · Score: 1
  
  You can't teach the safe way only because the unsafe way is vital for adhoc sql. What's needed is competent devs. For the gui based warnings, you need static analysis to spot sql that's glued together from tainted sources and even then, the dimwits will ignore the warnings.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
4. Re:Can PHP/ASP/etc do more? by jonwil · 2008-11-13 02:10 · Score: 1
  
  Good point on the ad hoc SQL thing. Be a bit hard to write, say, PhpMyAdmin using only the "safe" way of doing SQL :)
not so fast by Anonymous Coward · 2008-11-12 15:03 · Score: 0

Now that you mention it, isn't messing with DRM illegal circumvention?
The Chinese have turned our IP law against us!
One step forward, two steps back by Anonymous Coward · 2008-11-12 15:25 · Score: 0

Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."
Secureworks needs to buy the tool to figure out how an SQL injection works? Come on, this sounds like just a plug for a vendor. Paying for the tool simply encourages more black market exploit trading rather than proper disclosure methods.
obvious, and lame by Gothmolly · 2008-11-12 16:01 · Score: 1

So supposedly patched servers are re-infected? Hint: don't use 'sa' as your password. Secondly, before you get all Gibsonian about "infiltrating the Chinese underground", stop, and think about what you're saying. You sound like a retard.

--
I want to delete my account but Slashdot doesn't allow it.
mod parent up by davros-too · 2008-11-12 17:29 · Score: 1

Well said. Prepared statements do not solve all problems. Malicious content can be inserted without inserting SQL.

--
In theory, there's no difference between theory and practice; in practice there is.
Re:Trust (not exactly) by Giorgio+Maone · 2008-11-12 21:04 · Score: 1

Yes, you're right on the fact a targeted attack might inject on-site content which might be allowed by your whitelist, but this is an unlikely scenario, especially in mass attacks like these, because for the attacker is much more practical injecting a small, stealthy inclusion and host the real payload elsewhere, on a server in his full control where he can log the activity and/or mutate the code as needed. Furthermore, you can configure NoScript to execute plugin content (e.g. Flash) on demand (after clicking on a placeholder) on whitelisted sites as well, hugely reducing the attack surface even on trusted pages.

--
There's a browser safer than Firefox, it is Firefox, with NoScript
Re:Why Are There Even SQL Injection Attacks in 200 by davidbrit2 · 2008-11-13 00:32 · Score: 1

I'm inclined to agree. It's not like being asked to write a sorting algorithm that runs in constant time; it's simply not being a lazy moron. Maybe we need to develop a web programming language where string concatenation takes markedly more effort than adding proper parameters to a query.
PHP does a bit better by omuls+are+tasty · 2008-11-13 01:16 · Score: 1

PHP database connection drivers* will not allow you to execute two SQL statements in one call, effectively limiting the impact of injections to extending the SELECT rather than an INSERT.
Of course, this can still lead to the compromise of admin accounts if you write bad code (which unfortunately covers a lot of PHP code) and "manual" injection from there on.
*Well, I think it's the PHP drivers - it could be just the MySQL/PostgreSQL C drivers that do it. In any case, ASP/MSSQL combo is vulnerable whereas the PHP/MySQL one is not.
CUSTOM HOSTS ARE ANOTHER (Good Combo) by Anonymous Coward · 2008-11-13 03:32 · Score: 0

Custom HOSTS files are more comprehensive, for one thing, and multiapplication as well as multiplatform for TCPIP.
(They are more comprehensive, in that you blockout bad sites before you can even be stricken by them, and if you can't go into the kitchen, you can't get burned because they cover more than just a single webbrowser, as in the case of NoScript (not a bad thing to have installed in FireFox though, I use it myself, in combination with WOT, FlashBlock, AdBlock Plus, & Perspectives .xpi security addons, no others))
Other browsers (all) like Opera &/or IE are even covered, along with email programs (really, any app that accesses the world-wide web, in fact).
A good custom HOSTS file is featured here and has a good writeup on how to use them as well as maintain them and why:
http://ashentech.com/index.php?topic=1391.msg11023#msg11023
It has a large HOSTS file attached there, updated today in fact (as to known reputable lists as regards known malware or malscript serving websites to block out) from:
STOPBADWARE.ORG
SPYBOT SEARCH AND DESTROY
DANCHO DANCHEV ZDNET SECURITY BLOG
HOSTS FILES FEATURED AT WIKIPEDIA
(All those sources, merged into 1 large 12mb sized HOSTS file (DNS Client service must be stopped to use it, & that saves CPU cycles, RAM, & other forms of I/O since you don't really need it on a single machine connected to the internet), updated regularly each week, fully alphabetized inside and repeat entries removed).
Open it in a text editor like notepad.exe and you will see it is all business, and to the point. Not much in the way of this custom HOSTS file having documentation in it but the URL above provides that as to how to use it for the most part.
The file also speeds you up (beyond its showing you how to speed up access to your favorite websites inside of it, by avoiding DNS calls alone and more or less acting as your own DNS server yourself, via the HOSTS file and possibly some registry hacks to 4 small entries that is very easy to do and the URL above gives accurate directions on how to do so and with the tools you need regedit.exe).
This HOSTS file does so, by blocking out every known adbanner server out there (and by not 'streaming in' yet more unneeded data from other servers for adbanners, as well as running their code burning CPU cycles on it (code that mind you may be compromised and house viruses and spywares, this has been happening the past 3 or 4 years now)) as well as secures you from reliable reputable sources, noted above.
Custom HOSTS files, while in combination with tools like:
NoScript in FireFox (only this browser unfortunately)
Opera's native ability to turn off javascript globally (and make exceptions by site no less via rightclicks on website pages)
Internet Options for IE (turn off javascript)
These, along with a good HOSTS file is an excellent start for an internet defense vs. infestors/infectors.
Supplement HOSTS & the tools noted above, and these:
A good software Firewall program (on that caps both inbound and outbound and notifies you of outbound calls especially)
A good hardware NAT true stateful packet inspecting "firewalling" router
Port filtering
Keeping your OS and apps + drivers patched
Do these things & use those tools, and, you have a better than not chance of staying safe online, if not never infected or compromised, and going faster online as well for a bonus - that's fairly certain.
There is more you need to do, so as hack registry and other configuration files, for really strong security online, but this setup noted is a decent start at least and very easy to implement.
A good overall security guide is here:
HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (& beyond):
htt
having no knowledge from not working there........ by slashpot · 2008-11-19 17:36 · Score: -1

"researchers at SecureWorks have infiltrated the Chinese underground"
*sigh* God. Damn. That's the funniest thing I've ever read on slashdot.