Articles about SQL injection

Drupal SQL injection nasty leaves sites 'wide open' to attack

A newly patched SQL injection flaw in Drupal leaves sites that rely on the widely used web development platform wide open to attack. Admins of sites that run Drupal 7 should upgrade to 7.32 to guard against possible attack. Patching needs to take place sooner rather than later because the easy-to-exploit vulnerability hands …
John Leyden, 16 Oct 2014

Joomla issues upgrade to patch critical SQL vuln

Joomla's developers have moved to fix a critical SQL injection vulnerability – but are coming under fire for taking a month to address the issue. The version 3.2.3 update, available since late last week, is described by Joomla as fixing a high priority core SQL injection bug (along with two medium priority XSS bugs and an …

Ruby on Rails has SQL injection vuln

The maintainers of Ruby on Rails are warning of an SQL injection vulnerability which affects all versions of the popular Web framework. They advise that users should immediately apply an upgrade available here. Designated CVE-2012-5664, the maintainers explain the bug this way: “Due to the way dynamic finders in Active Record …

PayPal plugs SQL injection hole, tosses $3k to bug-hunter

PayPal has fixed a security bug that could have allowed hackers to compromise the payment website's databases using an SQL injection attack. Researchers at Vulnerability Laboratory earned a $3,000 reward for discovering and reporting the critical bug to PayPal in August. An advisory sent to the Full Disclosure security mailing …
John Leyden, 30 Jan 2013

E-shopkeepers stabbed with SQL needles 'twice' as much as other sites

Retailers suffer twice as many SQL injection attacks on their systems as other industries, according to a new study by data-centre security firm Imperva, which claims the ferocity of web-based assaults is growing. The fourth annual edition of Imperva's Web Application Attack Report [PDF] also revealed that e-shopping …
John Leyden, 23 Jul 2013

MySQL.com hacked via... SQL injection vuln

MySQL.com was hacked over the weekend via an attack which used a blind SQL injection exploit to pull off the pawnage. Hackers extracted usernames and password hashes from the site, which were subsequently posted to pastebin.com. Any easy-to-guess login credentials could be easily extracted from this data using rainbow tables to …
John Leyden, 28 Mar 2011

2,285,295 Aussie logins nabbed in Russian password haul

More than two million unique login credentials for Australian internet users were stolen as part of the massive haul of 1.2 billion passwords by a Russian hacker outfit. Earlier this month Hold Security reported that Russian hackers under the group dubbed CyberVors amassed the largest ever cache of stolen website passwords …
Darren Pauli, 11 Aug 2014

LizaMoon mass-injection attack reaches epidemic proportions

Malware writers are using website vulnerabilities to inject malicious scripts into thousands of websites as part of an ambitious attack ultimately designed to redirect surfers to a site pimping rogue anti-virus packages. The so-called LizaMoon mass-injection attack uses SQL injection trickery to inject a line of malicious code …
John Leyden, 31 Mar 2011

FireEye patches OS, torpedoes Exploit-DB disclosure

FireEye has patched a series of publicly-disclosed flaws in its operating system (FEOS) that facilitated man-in-the-middle attacks and command injection. The vulnerabilities released over June affected versions NX, EX, AX, FX, and CM of the FEOS and were patched in the first individual security bulletin for the system. The …
Darren Pauli, 10 Jul 2014

I saved Pinterest's business and all I have to show for it is a t-shirt

Pinterest is gearing up a bug bounty programme which will pay security researchers to plug holes in the popular kittens'n'cupcakes site. The programme today launched in an early phase where researchers could report bugs through managed bounty service BugCrowd although cash rewards are not yet on offer. The digital scrapbook has …
Darren Pauli, 28 May 2014

No secret to stopping XSS and SQL injection attacks

SQL injection attacks and cross-site scripting exploits just won't die. The most recent and high-profile incident was a mass webpage attack on more than 100,000 pages, which included victims as diverse as The Wall Street Journal, TomTom, and the UK's Strathclyde police. There was a teetering stack of exploits involved in this …
Matt Stephens, 23 Jun 2010

Bogus Firefox add-on FORCES WITLESS USERS to join vuln-hunting party

Cybercrooks have brewed up a botnet that uses a bogus Firefox add-on to scan the web for hackable websites. The so-called Advanced Power botnet runs SQL injection attacks on websites visited from infected machines. The malware, disguised as a legitimate add-on for Mozilla Firefox, found its way onto 12,500 systems, reports …
John Leyden, 17 Dec 2013

Mass SQL injection hits English language websites

Thousands of websites in China have been booby-trapped with code written to download Trojan software onto visitors who run vulnerable Windows PCs. Unlike earlier rounds of SQL injection attacks, the latest assaults mostly target English language sites (predominantly sites hosted in China but with a .com suffix) and purposefully …
John Leyden, 21 May 2008

Hacker crew nicks '1.2 billion passwords' – but WHERE did they all come from?

Russian hackers have amassed the largest ever cache of stolen website passwords – 1.2 billion, it's claimed – by swiping, one way or another, sensitive data from poorly secured databases. A network of computers quietly hijacked by malware, and controlled from afar by the gang, identified more than 420,000 websites vulnerable to …
Darren Pauli, 05 Aug 2014

Lauri Love investigation stretches to Australia, Sweden

Following the arrest of Lauri Love of Suffolk on charges that he gained unauthorised access to US government computers, it's emerged that he was working with co-conspirators in Australia and Sweden. According to the charges reported here yesterday, Love's twelve-month hacking spree included machines belonging to the US Army, …

Next-gen SQL injection opens server door

A vulnerability estimated to affect more than 1 in 10 websites could go lethal with the finding that it can be used to reliably take complete control of the site's underlying server. Research to be presented at the Black Hat security conference in Amsterdam later this month will show how so-called SQL injection attacks open the …
Dan Goodin, 02 Apr 2009

SQL injection taints BusinessWeek.com

Add BusinessWeek.com to the list of big-name sites felled by the mighty SQL injection attack. According to Sophos, the business news site has been infected with attack code that since sometime last week has been trying to install malware on the machines of those who visit the site. The attack affected hundreds of BusinessWeek. …
Dan Goodin, 16 Sep 2008

Racing Post escapes ICO fine after leaking info of 677K punters

UK sports-betting newspaper the Racing Post has received a stern warning – but not a fine – after it emerged that it had aired the private details of more than 677,000 customers as the result of a security breach last year. The October 2013 snafu resulted in the exposure of the names, addresses, passwords, dates of birth and …
John Leyden, 28 Aug 2014

Google launches hacker game to train bug 'mercenaries'

Google wants to bring new blood into the security bug hunter community with a game launched to test developers' knowledge of cross-site scripting (XSS) vulnerabilities. The XSS Game puts devs through six games of increasing complexity that require successful attacks against mock vulnerable web applications. "The game is …
Darren Pauli, 30 May 2014

Did hackers scoop source code from DayZ zombie game brains?

It's feared source code for the apocalyptic zombie game DayZ may have fallen into the hands of hackers after an alleged security breach at publisher Bohemia Interactive. Someone called DrWhat, apparently based in the UK, appears to have uploaded debugging data for the game's executable – specifically a program database file (PDB …
Darren Pauli, 13 May 2014

80 PER CENT of app devs SUCK at securing your data, study finds

Developers are experts in spinning wonderfully-shiny, horribly-insecure apps, according to research from Aspect Security. Social media meeting buttons and go-live dates rate far higher with app developers than the need to ensure the security of private data. Worse, devs couldn't secure apps if they wanted to, according to the …
Darren Pauli, 23 Sep 2014

Microsoft and HP tackle SQL-injection scourge

With successful attacks against websites reaching epidemic levels, Microsoft and HP have released a free set of tools that help developers check their web applications for the mistakes that leave them open to exploits that can steal sensitive information and harm visitors. The tools are designed to scan websites for …
Dan Goodin, 26 Jun 2008

Xbox hackers snared US ARMY APACHE GUNSHIP ware - Feds

Hackers from the US, Canada and Australia have been arrested over a sting that took in the US Army, gaming companies and Microsoft. The Department of Justice accuses the alleged perps of copying software worth more than US$100m. The thieves pinched data and source code relating to then unreleased titles Call of Duty Modern …
Darren Pauli, 01 Oct 2014

Energy sector under increasing attack: DHS

The Department of Homeland Security, via its ICS-CERT group, is reporting growing attacks against critical infrastructure with the energy sector leading the way. Its most recent ICS-CERT Monitor report states that of more than 200 incidents it investigated between October 2012 and May 2013, 53 percent were in the energy sector. …

In dot we trust: If you keep to this 124-page security rulebook, you can own yourname.trust

NCC Group has published a set of security standards that you'll have to follow if you want to operate a .trust website. The company owns the rights to sell dot-trusts, and uploaded the 124-page policy document [PDF] earlier this month. It provides a technical rundown covering network security to secure DNS settings, and NCC …
Kieren McCarthy, 22 Oct 2014

Gang behind '1.2 billion' megahack ransack is pwning our customers – hosting firm

Anecdotal evidence is emerging that the Russian botnet raiders behind the "biggest-ever" password theft have begun attacks against web services using stolen login credentials. The CyberVor gang is reported to have amassed a vast stockpile of compromised login credentials for "1.2 billion" accounts, Hold Security warned in August …
John Leyden, 02 Sep 2014

Under the microscope: The bug that caught PayPal with its pants down

Security researchers have published a more complete rundown of a recently patched SQL injection flaw on PayPal's website. The Vulnerability Laboratory research team received a $3,000 reward after discovering a remote SQL injection web vulnerability in the official PayPal GP+ Web Application Service. The critical flaw, which …
John Leyden, 15 Apr 2013

Spy platform zero day exposes cops' wiretapped calls

National security boosters have just taken a kick to the ego, with revelations that hackers can access exactly the kind of wiretap kit they believe should be deployed in every ISP and telco around the world. The zero-day that's turned up in kit from New Jersey outfit NICE would give attackers access to wiretapped voice …
Darren Pauli, 29 May 2014

UK man Lauri Love accused of hacking US Federal Reserve

The US government has laid more hacking charges against a Brit alleged to have hacked into the US Federal Reserve. Lauri Love, 28, of Stradishall, Suffolk, is charged with one count of computer hacking and a further charge of aggravated identity theft over an alleged attack on Federal Reserve computer systems between October …
John Leyden, 28 Feb 2014

Hey guys. We've got 1.2 BILLION stolen accounts here. Send us your passwords, 'cos safety

The backlash is growing against the infosec firm that claimed it had uncovered a Russia-based gang's stash of 1.2 billion nicked website passwords. Hold Security claimed the gang was hoarding over one billion unique stolen usernames and passwords, siphoned off from insecure websites vulnerable to SQL injection and other common …
John Leyden, 07 Aug 2014

Web cesspit 4chan touts '$20 bug bounty' after hackers ruin Moot's day

Internet armpit 4chan now has a bug bounty – although with just $20 in "self-serve ad spend" on the website or an annual membership up for grabs, it's not particularly bountiful. The bounty programme was launched after the image-board website and a drawing website, both founded by Chris "moot" Poole, were compromised by …
Darren Pauli, 07 May 2014

It may be ILLEGAL to run Heartbleed health checks – IT lawyer

Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic. Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of …
John Leyden, 11 Apr 2014

Microsoft rejects call to fix SQL password-exposure risk

Microsoft is butting heads with a company that provides software for database security over a weakness in SQL Server that can expose user passwords to anyone with administrative access to the program. Researchers at San Mateo, California-based Sentrigo warned Wednesday that the "significant vulnerability" is present in the 2000 …
Dan Goodin, 02 Sep 2009

Symantec dismisses blind SQL hack claims

Symantec's website has been given the once-over by the same Romanian hacking group that exposed security problems with websites run by Kaspersky Lab, F-Secure and Bitdefender earlier this month. The hacker, Uno, claims that the document download centre section on Symantec's European site is vulnerable to a blind SQL Injection …
John Leyden, 20 Feb 2009

Signatures no good at protecting databases, says Juniper

One of the most common forms of attack is the SQL injection, and although the vector is ancient and well-understood, it's notoriously difficult to defend against. Kevin Kennedy, senior director of product management for Juniper Networks' security business unit, is in Australia to demonstrate Juniper's latest shot at defeating …

American Fantasy Football app lets hackers change team rosters

Security researchers have discovered a vulnerability in mobile versions of the Yahoo! Fantasy [American] Football app that created a means for hackers to change team lineups and post imposter comments on message boards. Yahoo! has plugged the security hole, but users who fail to update their mobile app to the most recent version …
John Leyden, 06 Sep 2013

They didn't predict that: Astrologers! blamed! after! Yahoo! hack!

Weaknesses in cloud security and third-party code allowed a hacker to compromise Yahoo! systems last month, according to an analysis of the purported breach. In December, an Egyptian nicknamed ViruS_HimA claimed he cracked the web giant's security systems, acquired full access to 12 databases and broke into an unspecified server …
John Leyden, 29 Jan 2013

Symantec slams Web Gateway back door on would-be corporate spies

Symantec has plugged a series of critical flaws in its Web Gateway appliances which included a backdoor permitting remote code execution on targeted systems. The flaws, discovered during a short crash test by security researchers at Austrian firm SEC Consult, created a means to execute code with root privileges - or the ability …
John Leyden, 29 Jul 2013

Ex-Google, Mozilla bods to outwit EVIL BOTS with 'polymorphic' defence

Startup Shape Security is re-appropriating a favourite tactic of malware writers in developing a technology to protect websites against automated hacking attacks. Trojan authors commonly obfuscate their code to frustrate reverse engineers at security firms. The former staffers from Google, VMware and Mozilla (among others) have …
John Leyden, 21 Jan 2014

SAP users slack, slow and backward on security

Cross-site scripting, failure to check credentials, directory traversal and SQL injection make up more than three-quarters of vulnerabilities in SAP environments, according to a presentation by ERPScan's Alexander Polyakov to RSAConference Asia Pacific 2013. And the vulnerable state of the SAP world is increasingly attracting …

FBI sends memo to US.gov sysadmins: You've been hacked... for the past YEAR

Hacktivists allegedly affiliated with Anonymous have been covertly breaking into US government systems and pilfering sensitive information for nearly a year, the FBI warned last week. The attacks (which began last December and are thought to be ongoing) exploit flaws in Adobe's ColdFusion web app development software to plant …
John Leyden, 18 Nov 2013

'Be super careful with AI. It's potentially more dangerous than NUKES'

This week will go down in IT history as the week Microsoft scrapped its long-running fixer-upper day of the week – Patch Tuesday. No longer will Tuesdays be about Redmond plugging the latest breaches in software and sorting out its security problems. Now Tuesdays will be about… updates. Yes, indeed, by changing the name of the …

Remember Anna Kournikova? Come with us on a tour of bug-squishing history

Brain. No, it’s not some Skynet AI drone, nor is it the blob that was always out to get the Teenage Mutant Hero Turtles. It is the name of the first PC virus, dating back to 1986. The two Pakistani brothers, Basit and Amjad Farooq Alvi, who wrote it did not have malicious intentions: they simply wanted to scare people running …
Tom Brewster, 03 Jun 2014

Second LulzSec Sony website hacker starts a year in the cooler

A LulzSec hacker has been sentenced to a year in a US jail for hacking Sony Pictures and dumping personal information of 138,000 movie fans online. Raynaldo Rivera, 21, of Tempe, Arizona, will spend 366 days behind bars, followed by 13 months of house arrest and 1,000 hours of community service for his involvement in the …
John Leyden, 09 Aug 2013

Zombie PCs are for crimelord chumps: Fear clusters, says infosec ace

It may be possible for a "single dedicated attacker" to run an internet "carpet-bombing" attack by applying Big Data and distributed computing technologies, security researcher Alejandro Caceres warns. The traditional botnet, or network of hijacked computers, has been used for distributed computing problems, such as Bitcoin …
John Leyden, 14 Aug 2013

Yahoo! hack! leaks! 453,000! unencrypted passwords!

A Yahoo! service has apparently succumbed to a simple database attack that leaked 453,000 unencrypted account passwords online. A huge document containing the lifted SQL structures, software variables, usernames and cleartext passwords was linked to from a web forum. In the file, the hackers described the break-in as "a wake-up …
John Leyden, 12 Jul 2012

Obamacare website 'either hacked or will be soon', warns infosec expert

Hackers have thrown multiple attacks at US President Obama's medical insurance bazaar HealthCare.gov since it went live in October, according to a senior US government official. Acting assistant Homeland Security secretary Roberta Stempfley told a hearing of the House Homeland Security (HHS) Committee that the website was …
John Leyden, 19 Nov 2013

1 MILLION accounts leaked in megahack on banks, websites

Hacker collective Team GhostShell leaked a cache of more than one million user account records from 100 websites over the weekend. The group, which is affiliated with hacktivists Anonymous, claimed they broke into databases maintained by banks, US government agencies and consultancy firms to leak passwords and documents. Some of …
John Leyden, 28 Aug 2012

Hackers leak 120,000 student records in raid on world's top unis

Hackers have attacked the world's top 100 universities in a protest against tuition fees and what's deemed to be a falling quality of education. Anonymous-affiliated Team GhostShell dumped information from 120,000 user accounts and student records after raiding servers at institutions including Princeton, Harvard, Cambridge and …
John Leyden, 02 Oct 2012

CISPA row: Slurped citizen data is ENORMO HACK TARGET - infosec boss

The ability to identify common patterns in real-world attacks makes crowd-sourcing threat intelligence extremely useful, according to a study from security tools firm Imperva. The report arrives just as a privacy row rages over the new Cyber Intelligence Sharing and Protection Act (CISPA) law in the US. But the head of the …
John Leyden, 23 Apr 2013