Slashdot Mirror


MySql.com Hacked With Sql Injection

iceco2 writes "MySql.com and associated sites were hacked today. Among other items some simple passwords were recovered and private emails were revealed. Ironically the attack was performed using a blind sql injection attack."


  1. Another report by symbolset · · Score: 2

    Some evidence of server issues here already. Another report: A proper link?

    --
    Help stamp out iliturcy.
    1. Re:Another report by Anonymous Coward · · Score: 2, Insightful

      No offense. Bad code can be written in any language.

    2. Re:Another report by AsmCoder8088 · · Score: 3, Interesting

      Okayyyyyyyy... MS astroturfing, anyone?

    3. Re:Another report by WrongSizeGlass · · Score: 2

      This article is a tad harsh on MySQL.com - and rightfully so:
      * The domain's SSL expired a month ago
      * Some of the passwords for the account 'sysadm' were “qa”
      * Their website was obviously not properly secured

    4. Re:Another report by WrongSizeGlass · · Score: 2

      This article is a tad harsh on MySQL.com - and rightfully so:

      That should have been This article. D'oh!

    5. Re:Another report by symbolset · · Score: 4, Informative

      180 words, under 1 minute by the timestamp. It was actually under 30 seconds. Bot. A prepared response to any article containing "hacked" and "mysql"

      --
      Help stamp out iliturcy.
    6. Re:Another report by Dunbal · · Score: 3

      Not trusting the user input is rule #1 of programming - from way before the internet era. I'm only a programmer by hobby and even I know that. What do they teach these kids at school?

      --
      Seven puppies were harmed during the making of this post.
    7. Re:Another report by PopeRatzo · · Score: 5, Insightful

      Note the parent's comment.

      Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety? I'm betting the MS is using in-house talent for this purpose, but it's quite possible that they are using New Media Strategies or another such company to keep the activity at arm's length to provide deniability. I wouldn't be surprised if 100,000 or more of the accounts with UIDs over 1500000 belong to employees of these companies or departments. Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds". A Slashdot story with an energetic discussion which is negative on say, AT&T can have an out-sized influence on opinion regarding that company, due to both word of mouth and search engine results.

      One only has to watch any story that is critical of a major US company to see this behavior, which usually shows up as ignorant "frosty piss" trolling followed by >2000000 UID comments (often densely written) followed by a string of sockpuppet "bumping". The tactic is to disrupt the discussion to the point where serious opinion is abandoned. It can work because many don't have java-script enabled so you can't even collapse the offending thread.

      --
      You are welcome on my lawn.
    8. Re:Another report by Anonymous Coward · · Score: 2, Insightful

      Does anyone still want to challenge my assertion that Slashdot is under an ongoing escalated attack from organized astroturfers of the New Media Strategies and Reputation Defender variety?

      I agree with you, but sometimes a nigger joke is just a nigger joke. I wrote a nigger joke in one story and it made first post. Then you went all ape-shit (pun intended) about how it's THEM!!!! conspiring to take over teh solar system or something ... that made my day dude. I think the neighbors could hear me laughing.

      But yeah, this troll can obviously tell that guy was a shill. A real obvious one. Anybody who isn't sure about that may be interested in buying some nice swampland in Florida. Maybe they'd like to also help a Nigerian prince move money out of his country.

      Slashdot is a good target for them because so many of us are in influential or decision-making positions at our companies or are opinion-drivers due to our reputation as "computer nerds".

      Most Slashdotters are familiar with the long history of Microsoft and its business practices. Some moron singing the praises of MSSQL isn't gonna erase that history. Even if MS made the indisputably best database in the entire world, and they don't, but even if they did I wouldn't use it. I would rather use the second-best and not have to deal with the devil. But then I have standards. A lot of you are mercenary types who don't give a damn and that's cool, just don't complain about how corrupt and fucked up most of the world is because you're the reason for it, the steady source of support for it.

      Anyway Slashdot's gotta be one of the very worst places to try to make MS look good. The people who don't like MS got a long LONG list of damned good reasons for that. It is not something they flipped a coin to decide. It is the product of repeated examples of abuses and asshattery by this company over the last 10-15 years. Not something you can smarm your way out of. The PHBs who might be dumb enough to buy this shill's marketing don't usually read Slashdot.

      The professional liars known as PR firms are only making sure that a foolish company with no scruples and its money are soon parted. Anybody who works for a PR company, really what the fuck is wrong with you? How does it feel knowing that you get your living by dishonesty and trickery?

    9. Re:Another report by PopeRatzo · · Score: 2

      It shows how broken the Slashdot discussion system is.

      To be fair, I think we're seeing an attack of mil-spec astroturfers and their sockpuppets. I don't expect Slashdot to have been able to have been omniscient enough to have anticipated this.

      But now that it's here, I think it's an issue that anyone who uses the Internet to get information or opinion has to be aware of and address.

      --
      You are welcome on my lawn.
    10. Re:Another report by hairyfeet · · Score: 4, Interesting

      Which is why I have a question: WTF is up with the MS Shill brigade on /. lately? I've only noticed it for about the past three weeks or so, but damned the shit is getting thick. Look at the one that posted on the Nook hack, the very first post is "I Wish Microsoft would have released the Courier" complete with link for those that don't know what that bullshit vaporware was in the first place. I mean did they get a deal on that HB Gary software or what? And why are they so insecure? I mean sure WinPhone is dead last but Windows 7 is nice, and the X360 is doing well. So what is up with the rampant MSFT shilling? Do they fire your ass if you don't post X number of shill posts or something?

      As for TFA, garbage in, garbage out. I don't care if you code in VB 6 or Brainfuck if you write sloppy code it WILL come back to bite you in the ass. But trying to blame this on the language, to use a /. car analogy, would be like trying to blame Ford because someone got drunk and hit a kid with their Mustang. A tool is only as good as the person using it, full stop. I've seen clean code and lousy shit in just about every language. It ain't the tool that's the problem it is PEBKAC. But they should get extra points for the sheer irony factor. I mean a site promoting SQL falling for the oldest trick in the book? Bobby Drop Tables anyone?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    11. Re:Another report by gfody · · Score: 2

      it's called social media monitoring and engagement and get used to it because it's the future of marketing. more

      --
      bite my glorious golden ass.
    12. Re:Another report by shutdown+-p+now · · Score: 2

      You do understand that every time you post such crap in a Slashdot story (and it seems to be in Every. Single. Fucking. One.), you do nothing but drive more bad feeling towards Microsoft? If you want to do advocacy, fine - but then study what you're promoting enough to be able to meaningfully argue in favor of it, rather than spewing pure concentrated marketing drivel ("makes sure the programmer is coding safe code" - WTF?).

      This isn't a room full of clueless PHBs where the higher your concentration of buzzwords, the better. This is Slashdot, where audience is highly technical, mostly inclined towards FOSS already, and has very little patience for bullshit.

    13. Re:Another report by DrXym · · Score: 2

      Of course. That is hardly relevant. The question is, how hard is it to write bad code?

      I think SQL databases / drivers could do a lot more to protect themselves from bad programmers. For example we all know that a prepared statement is safer from SQL injection than an ad hoc one because params are properly escaped. So why allow ad hoc statements at all by default? Seems to me that drivers should require the app to explicitly override safeguards if they want to do dangerous things. Likewise SQL comments are often used to disable the rest of an injection attack but why are they needed in client side sql? So disable them. If the bad programmer absolutely wants to they can throw the switches but perhaps in reading how to do it, he / she might learn to program better and would of course be safe by default rather than insecure by default.

  2. Incoming botswarm by symbolset · · Score: 5, Funny

    Microsoft web serving products? How dumb can a bot get? Turing fail.

    --
    Help stamp out iliturcy.
  3. Bad link in summary by innocent_white_lamb · · Score: 2

    Should be: http://techie-buzz.com/tech-news/mysql-com-database-compromised-sql-injection.html

    (There is an extra l in the summary's link.)

    --
    If you're a zombie and you know it, bite your friend!
  4. USE BIND VARIABLES by MoNsTeR · · Score: 4, Interesting

    Jesus fuck, people. It's not rocket surgery.

    If you use bind variables, you CANNOT be SQL-injected.

    If you don't, you can be.

    It's that fucking simple. Do The Right Thing.

    1. Re:USE BIND VARIABLES by SanityInAnarchy · · Score: 2

      Note that this doesn't mean you should assume you're safe just because you're using bind variables -- be aware of stuff like LIKE, for instance.

      But yes, that is exactly the frustration I have when I hear about things like this. There's pretty much never a reason to build your own SQL string outside of a library.

      --
      Don't thank God, thank a doctor!
    2. Re:USE BIND VARIABLES by Anonymous Coward · · Score: 2, Funny

      I just use something : addslashes(addslashes(addslashes(addslashes($str)))) ;
      I like slashes ;-) ;

    3. Re:USE BIND VARIABLES by Dunbal · · Score: 4, Funny

      Jesus fuck, people. It's not rocket surgery.

      Apparently it's brain science.

      --
      Seven puppies were harmed during the making of this post.
    4. Re:USE BIND VARIABLES by Anonymous Coward · · Score: 2, Funny

      addslashes() is unsafe. In PHP you want to be using the standard function "mysqlreallyescapethingsanddoitproperlythistime()". Don't go using "mysqlescapethingscorrectly()" by mistake, that one is completely insecure.

      (Seriously, why do people use PHP?)

    5. Re:USE BIND VARIABLES by Just+Some+Guy · · Score: 5, Insightful

      SQL = """
      SELECT make, model
      FROM vehicle
      WHERE vin IN (%s)
      """ % ', '.join(["%s"] * len(VINs))

      My eyes, they bleed! Write that like:

      VINs = ["1M8GDM9A_KP042788", "1M8GDM9A_KP042789"]  # a list: psycopg2-style drivers bind it as an ARRAY, which ANY() needs; a tuple would bind as a row
      SQL = """
      SELECT make, model
      FROM vehicle
      WHERE vin = ANY(%(vin)s)"""
      dbconn.execute(SQL, {'vin': VINs})

      Or even better:

      vehicles = session.query(Vehicle).filter(Vehicle.vin.in_(VINs))

      Voila. Those work, they're not hideous, and they prevent injection. To repeat the earlier idea: there's no need to write unsafe code. If you are, you're in the wrong line of work.

      --
      Dewey, what part of this looks like authorities should be involved?
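      Added example, not code from the thread or from any poster: the same variable-length IN lookup done with bound parameters in Python's standard sqlite3 module, plus the LIKE caveat SanityInAnarchy raised above (binding stops injection, but % and _ inside a bound value still act as wildcards unless escaped). The table, sample rows and function names are constructed here.

```python
# Added example (not from the thread): bound parameters for a variable-length
# IN list, and LIKE wildcard escaping. Table, rows and names are constructed here.
import sqlite3

# Constructed sample data; the first two VINs are the ones quoted in the post above.
SAMPLE_VEHICLES = [
    ("1M8GDM9A_KP042788", "Ford", "Mustang"),
    ("1M8GDM9A_KP042789", "Ford", "Focus"),
    ("2HGFA16598H000001", "Honda", "Civic"),
    ("WBA3A5C5XDF000002", "BMW", "3 Series"),
]

def open_sample_db():
    """In-memory SQLite database with a vehicle(vin, make, model) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vehicle (vin TEXT PRIMARY KEY, make TEXT, model TEXT)")
    conn.executemany("INSERT INTO vehicle VALUES (?, ?, ?)", SAMPLE_VEHICLES)
    return conn

def vehicles_by_vin(conn, vins):
    """One '?' placeholder per VIN. Only the placeholder count is derived from
    the list; the values themselves are bound, so a hostile string is simply
    a key that matches nothing."""
    if not vins:
        return []
    placeholders = ", ".join("?" * len(vins))
    sql = f"SELECT make, model FROM vehicle WHERE vin IN ({placeholders}) ORDER BY vin"
    return conn.execute(sql, list(vins)).fetchall()

def escape_like(term, esc="\\"):
    """Binding alone does not make LIKE behave: '%' and '_' in a bound value
    are still wildcards. Escape them so the input is matched literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def models_starting_with(conn, prefix, escape=True):
    """Prefix search on model. With escape=False a prefix of '%' matches
    every row, which is the LIKE caveat in action."""
    pattern = (escape_like(prefix) if escape else prefix) + "%"
    sql = "SELECT model FROM vehicle WHERE model LIKE ? ESCAPE '\\' ORDER BY model"
    return [row[0] for row in conn.execute(sql, (pattern,))]

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM vehicle").fetchone()[0]

if __name__ == "__main__":
    db = open_sample_db()
    print(vehicles_by_vin(db, ["1M8GDM9A_KP042788", "Robert'); DROP TABLE vehicle;--"]))
    print(models_starting_with(db, "%"), models_starting_with(db, "%", escape=False))
```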
    6. Re:USE BIND VARIABLES by Third+Normal+Form · · Score: 2

      Tom Kyte of Oracle/"Ask Tom" fame blogged about this recently:

      [speaking about HBGary] And all because of - SQL Injection... If you don't use bind variables - you are susceptible to it. If you accept input from an end user and concatenate it into your SQL, you are subject to SQL Injection. If you use bind variables - if you do not dynamically construct your SQL at runtime - you are not subject to it. It is that simple.

      http://tkyte.blogspot.com/2011/02/interesting-read.html

      He continues, "it is much harder to write code that doesn't use binds than it is to write code that uses binds". I agree - I feel... dirty... not taking the minute or two to add a parameter. Looking at our error logs, I see bots searching for parameters in web forms and testing vulnerabilities.

    7. Re:USE BIND VARIABLES by JustinRLynn · · Score: 4, Informative

      You know, I could be a smart arse and say this rules out most people that choose to use PHP, but I think my karma would burn. Oh wait....

    8. Re:USE BIND VARIABLES by Lorien_the_first_one · · Score: 2

      What a trip. I'm not an SQL guy, but I'm fascinated by the discussion. So you can look at logs to see that bots are trying to hack your db? Does it look like the bots have any kind of intelligence? Do they seem to learn as they go? Can you tell if there is any human intervention?

      --
      The diversity and expression of human opinion is essential to human survival.
  5. Yo Dawg by mrstrano · · Score: 5, Funny

    I herd you like Sql, so we injected Sql in your Sql so you can have Sql while you code MySql

    1. Re:Yo Dawg by MarkRose · · Score: 5, Funny

      An SQL statement walks into a bar and sees two tables and says, "Hello, may I join you?"

      --
      Be relentless!
    2. Re:Yo Dawg by Sparks23 · · Score: 4, Funny

      Honestly, "YourSQL" seems more accurate than "MySQL" given that apparently even the developers can't keep control of their own database. ;P

      --
      --Rachel
    3. Re:Yo Dawg by MarkRose · · Score: 3, Funny

      Pardon the grammatical gaffe, but don't you mean YourSOL? :-)

      --
      Be relentless!
  6. Too funny by danielcolchete · · Score: 2

    After I finished visiting all the funny sites I usually go to daily, that title made me laugh much, much more than all of them.

  7. The work of a lonely developer by danielcolchete · · Score: 4, Insightful

    Even inside a big team of a big company it is amazing how so many people are working by themselves. That's the kind of error that a simple code review by an experienced programmer would have avoided (use bind variables/prepared statements).

    1. Re:The work of a lonely developer by Eunuchswear · · Score: 2

      The NSA has some nice whitepapers on how to prevent SQL injection attacks

      That is so fucking sad. Imagine your first day at work at the puzzle palace, expecting to work on some shit hot, high tech, super secret stuff and they say "write a paper on how to avoid SQL injection attacks."

      --
      Watch this Heartland Institute video
  8. Re:That's Not Ironic by 6031769 · · Score: 4, Insightful

    Ironic is when one's words say one thing and one's actions another that contradict it.

    No, that's hypocrisy, not irony. Try again.

    --
    Burns: We're building a casino!
    McAllister: Arrr. Give me 5 minutes.
  9. Re:That's Not Ironic by NoOneInParticular · · Score: 2

    If a website gets hacked, it is sad. If the website in question is the home of one of the products that is commonly used by websites, it is already ironic. Apparently even the builders of this product don't know how to secure a website using their product.

  10. Re:That's Not Ironic by Trebawa · · Score: 2

    There are several definitions of irony, you know. One is an outcome of events contrary to that which might have been expected. You would expect a website concerning SQL to be well-protected against SQL-injection; in such a situation, an attack of this kind would not succeed. The attack did succeed, hence the irony.

  11. Re:why is it ironic? by Anonymous Coward · · Score: 2, Interesting

    Perhaps you need a little refresher on irony.

    Few but the most naive would expect the MySQL.com site to be written by nubies and rubes so unsophisticated as to depend on remedial examples of anything found "floating around the 'net". To the contrary, most people would expect MySQL.com to be maintained to somewhat high levels of security in particular at the level of the database. This is the construction of the irony in this case.

    "How ironic, now he's blind after a life of enjoying being able to see." -- Homer Simpson.

  12. Yes it is by pavon · · Score: 4, Informative

    Ironic is when one's words say one thing and one's actions another that contradict it.

    No, that is hypocritical. Situational irony is where the outcome has a humorous incongruity or discrepancy from what one would expect, or from what would normally be implied by the situation. The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

    1. Re:Yes it is by glwtta · · Score: 2

      The fact that the company which produces and sells MySQL wasn't using SQL correctly is indeed ironic.

      Having used MySQL, I don't see anything unexpected here.

      --
      sic transit gloria mundi
    2. Re:Yes it is by Daniel+Dvorkin · · Score: 2
      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  13. Re:That's Not Ironic by Anonymous Coward · · Score: 3, Funny

    You would expect a person correcting the summary's definition of irony to be aware that there are multiple definitions of irony. The grandparent was clearly ignorant of this fact, thus making the comment meta-ironic.

  14. Does xkcd explain it? by Anonymous Coward · · Score: 3, Funny
    1. Re:Does xkcd explain it? by Tridus · · Score: 3, Insightful

      I have that comic taped to my door. Any programmer who walks by, reads it, and doesn't laugh is someone I watch VERY carefully when they write any code that touches a database.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    2. Re:Does xkcd explain it? by roman_mir · · Score: 2

      On the other hand if the same guy walks by often and laughs at that every single time, I would just watch VERY carefully to make sure they don't bring in a firearm.

  15. Re:Too bad by KiloByte · · Score: 5, Insightful

    Let's think if Oracle has something to gain from intentionally tarnishing the reputation of a product they want to kill.

    I'm not saying it's foul play for sure, just pointing out they do have an incentive to do so.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  16. Re:That's Not Ironic by LordLucless · · Score: 4, Funny

    Ironically, the OP correcting someone else for not using ironic correctly is both hypocritical and ironic.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  17. Re:That's Not Ironic by MarkRose · · Score: 4, Funny

    Screwing up irony is the only thing that unleashes the linguists with such ferrousity.

    --
    Be relentless!
  18. Re:That's Not Ironic by MarkRose · · Score: 4, Funny

    Like Oracle not seeing it coming?

    --
    Be relentless!
  19. Re:That's Not Ironic by realityimpaired · · Score: 2

    If we're going to get on a grammar nazi binge, then it's worth pointing out that one of the definitions of irony is actually exactly what the GP described... (Merriam-Webster's exact words are "the use of words to express something other than and especially the opposite of their literal meaning".) He may not have expressed it properly, but I do think that was the meaning he was trying to get at.

    Though interestingly enough, yet another definition of Irony is an incongruency between an expected result and an actual result... so in other words, MySQL's website being hacked with an SQL injection attack *is* ironic, because one would expect the makers of MySQL to have some idea of how to secure it properly. (it's not even that hard to lock down, which makes it even more humorous).

    Though I must say... correcting somebody's already correct use of the word irony? Absolutely classic....

  20. Re:What year is it? by Software+Geek · · Score: 3, Funny

    When interviewing people for QA positions, I routinely ask "Do you know what an SQL injection attack is?"
    I have never yet interviewed a candidate who answered yes.
    So, then I explain what an SQL injection attack is, and ask how they would test for vulnerability to one.
    Almost without exception, the answer is "I guess I would try entering some special characters and keywords into the GUI, and see what happens."

  21. FUCK. OFF. by evanism · · Score: 2, Insightful

    Go die in a hole. What complete, utter and total fucking twat.

    --
    Just bought a new quantum computer, but I'm uncertain how it works.
  22. Re:That's Not Ironic by dr2chase · · Score: 4, Funny

    I think your pun detector is a little rusty.

  23. Re:That's Not Ironic by adamofgreyskull · · Score: 2

    Whoosh.

    Hint: He's punning on "ferocity" and...ya know..."ferrous".

  24. Re:Password hashing + salt? by BCoates · · Score: 3, Informative

    The salt isn't a second secret, it's there to prevent the use of a pre-constructed rainbow table for the standard hash functions. Without a rainbow table, you can still do dictionary attacks of weak passwords--and there is no way to prevent this short of not using passwords for authentication. This only harms people who use guessable passwords and re-use passwords between sites.

  25. Re:What year is it? by discord5 · · Score: 3, Insightful

    When interviewing people for QA positions, I routinely ask "Do you know what an SQL injection attack is?"

    Hahaha, reminds me of what I used to do to interns. We used to get a bunch of interns every year, and every year we'd have them develop small web applications for internal use. They'd work on their project and after a few weeks we'd come in and evaluate their work, steer them in the right direction (if that wasn't necessary earlier) and do a few tests.

    The first thing I always asked was "Do you have a backup?" and after the inevitable googling of the mysqldump command I'd be an utter bastard and sneak in a DROP TABLE, or DELETE FROM statement in the URL bar, right after id=x, and surely enough most of the times it would work.

    "It looks really great, but I think there's a problem with it. Maybe you want to check the logfiles to see what happened." to see if they'd see what was the problem, and if they didn't I would explain an SQL injection attack to them. Few of them managed to find the solution on google, but most immediately suggested such things as "I'll check for ; in the string" which inevitably led to me trashing their tables about 10 minutes later. I have to say, once they had their tables dropped twice they became real careful of permissions and handling SQL statements.

    In a way I hope they learned something from having a complete bastard as a mentor, although I'm sure that a few of them have already forgotten about that one time a single statement ruined their database. Oh well...

  26. Re:Password hashing + salt? by vgerclover · · Score: 2

    There is one incorrect assumption in your reasoning. You don't have to use one salt for all passwords, you can easily use a different salt per entry, and store it along side the password. This way, even if your database is compromised, and the salts are know, you still have to create a different rainbow table for each entry to be able to try and guess the password. This effectively kills the ability of the breacher to fish around for insecure passwords.
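    Added example, not code from the thread or from any poster: the per-entry salt scheme described above, with the salt stored alongside the digest in one record, and verification that recomputes from the stored salt. Standard library only; the record format, the PBKDF2 iteration count and the use of the 'qa' password quoted earlier in the thread are assumptions made here. As BCoates notes, this still does nothing for a password that short; the salt only denies a precomputed table.

```python
# Added example (not from the thread): per-password random salt stored with the
# hash, PBKDF2-HMAC-SHA256 stretching, constant-time verification. Format and
# iteration count are assumptions.
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware budget

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh 16-byte random salt per password means two users with the same
    password get different records, so one precomputed table covers neither."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time; malformed or foreign records simply fail."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def same_password_distinct_records(password, iterations=ITERATIONS):
    """The per-entry salt point from the post above: identical passwords do not
    produce identical stored values."""
    return hash_password(password, iterations=iterations) != hash_password(password, iterations=iterations)

if __name__ == "__main__":
    rec = hash_password("qa")  # the weak 'sysadm' password quoted in the thread
    print(rec)
    print(verify_password("qa", rec), verify_password("qb", rec))
    print(same_password_distinct_records("qa"))
```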

  27. Take it a step further. We can learn from this. by HiggsBison · · Score: 2
    --
    My other car is a 1984 Nark Avenger.