Articles about SQL Injection

Web security still outstandingly mediocre, experts report

Black Hat EU Cross-site scripting (XSS) vulnerabilities continue to dominate the list of most common vulnerabilities found in real-world tests. In more than a third (37 per cent) of cases, a website vulnerable to XSS is also vulnerable to a more critical flaw such as SQL injection or improper access control, according to web security …
John Leyden, 07 Nov 2016

Boffins turn phone into tracker by abusing pairing with – that's right – IoT kit

Black Hat EU Security researchers have worked out how to hack into a smartphone and turn it into a tracking device by abusing its pairing with a Belkin home automation device. Joe Tanen and Scott Tenaglia of Invincea Labs were able to root a WeMo device before injecting code into the WeMo Android app from a compromised WeMo device. The …
John Leyden, 07 Nov 2016

Telnet, SSH prod of death smashes Cisco broadband boxes offline

Cisco has issued six software updates to address security vulnerabilities in its networking products, ranging from denial of service conditions to authentication bypasses. The most serious of the flaws is the authentication bypass hole in the Cisco Meeting Server. Cisco warns that, due to improper handling of XMPP messaging, a …
Shaun Nichols, 12 Oct 2016

TalkTalk gets record £400k slap-slap from Brit watchdog

The UK Information Commissioner's Office (ICO) has issued TalkTalk with a record £400,000 fine for allowing attackers to access customer data “with ease”. The penalty comes at the same time as the ICO publishes its in-depth investigation of last October's megabreach, which the office claims “could have been prevented if …

Cisco squeezes out massive patch dump

Cisco's issued 18 patch notices. Let's start with the OpenSSL fix, because it affects the largest number of devices. This implements both OpenSSL's September 22 patches, and the September 26 patch that patched bugs introduced in the first patch. Switchzilla's routing operating systems are going to present sysadmins with the …

London-based Yahoo! hacker gets 11 years for SQLi mischief

A 23-year-old man has been sentenced to two years in prison for his part in a cyber attack on Yahoo! in 2012. Nazariy Markuta, of Harlesden, London, was a member of the D33Ds Company network, which nicked over 450,000 customer email addresses and passwords from Yahoo! after an investigation by the UK's National Crime Agency ( …

Hackers claim they breached Aussie point-of-sale tech firm, try to sell 'customer DB'

Exclusive Hackers are claiming to have hacked Australian point-of-sale technology (PoS) company H&L Australia, and have been claiming to potential buyers that they had lifted its customer database. They were already offering it for sale for AU$22,000 ($16,580, £12,723) more than two months ago. If indeed they have hacked into H&L, …
Darren Pauli, 20 Sep 2016

DDoSers do it more now, but they do it less fiercely*

The number of distributed denial of service attacks has doubled over the last 12 months. Akamai reports that Q2 saw a 129 per cent year-on-year increase in total DDoS attacks. During the second quarter, Akamai mitigated a total of 4,919 attacks, one of which (against a media company) reached an eye-watering 363 Gbps. Although …
John Leyden, 15 Sep 2016

Bad news: MySQL can dish out root access to cunning miscreants

Updated Security holes in MySQL can be abused to gain remote root access on poorly configured servers, it emerged on Monday. Patches to fix up the programming blunders were quietly released last week. The flaws are present in all default installations of MySQL 5.5, 5.6 and 5.7. Grab versions 5.5.52, 5.6.33 and 5.7.15 to avoid any …
Chris Williams, 13 Sep 2016

FBI: Look out – hackers are breaking into US election board systems

IT admins have received a flash warning from the FBI to harden up their systems following attacks against servers run by two US state election boards. The security advisory states that the security breaches in June and August emanated from IP addresses around the world and involved Acunetix, SQLMap, and DirBuster tools. It …
Iain Thomson, 29 Aug 2016

Epic Games forums breached, salted passwords nabbed

Information on some 808,000 Unreal Engine and Unreal Tournament forum accounts, including email addresses, birth dates, and private messages, has been stolen from Epic Games. The games company says passwords were not compromised on the Unreal forums so account resets are not necessary. Salted passwords were breached for …
Darren Pauli, 23 Aug 2016

SAP whacks application cracks, shutters baker's dozen of potential hacks

SAP has issued a baker's dozen of high, medium, and low-severity patches. The fixes cover four denial of service vulnerabilities, two sets of directory traversal and missing authorisation holes, a cross-site scripting and a SQL Injection flaw, and four miscellaneous security shortcomings. SAP does not include any detail about …
Darren Pauli, 10 Aug 2016

Sealed with an XSS: Popular vulnerabilities probed

If we have internet-facing web servers (and other types of server, for that matter) we care about how vulnerable they are to attack. There are loads of services out there that you can use to probe your public-facing systems, and they'll tell you loads of useful stuff about why they might be vulnerable. But of course they're only …
Dave Cartwright, 03 Aug 2016

WordPress admin? Thinking of spending time with the family? Think again

The Dutch hacking community's Summer of Pwnage (SoP) has disclosed three vulnerabilities in WordPress plugins, including an XSS in the popular Ninja Forms. Since Ninja Forms claims more than 600,000 users, we'll start there: the now-fixed reflected XSS bug allows attackers to inject malicious JavaScript into the victim's …

Ubuntu forums hacked

Ubuntu maker Canonical says that its Linux distro's user forums have been hacked, and the usernames, IP addresses, and email addresses of roughly 2 million users have been swiped. Canonical CEO Jane Silber said no passwords were taken via an SQL injection attack, and that the miscreants did not appear to have accessed any …
Shaun Nichols, 15 Jul 2016

700,000 Muslim Match dating site private messages leaked online

Hackers have leaked the personal details of 150,000 users of the Muslim Match website after breaking into the niche dating portal. Almost 150,000 user credentials and profiles, as well as more than 700,000 private messages between users, were posted online. "These private messages cover a range of subjects from religious …
John Leyden, 01 Jul 2016

Riverbed's NetProfiler, NetExpress virty appliances patched

Riverbed has pushed out an update to virtual security appliances, after Security-Assesment warned it they had multiple vulnerabilities. The report details SQL injection, command injection, privilege escalation, local file inclusion, cross-site scripting, account hijacks and hard-coded credentials affecting two Riverbed virtual …

Telco bosses' salaries must take heat for cyber attacks, says MPs' TalkTalk enquiry

A Parliamentary inquiry into the TalkTalk hack has said that telco CEOs' salaries should be garnished if their firms' cyber security practices are lacking. The report by the Culture, Media and Sport Committee, titled Cyber Security: Protection of Personal Data Online was initiated last November as “an inquiry into cyber- …

Patch Joomla SecurityCheck

If you use the SecurityCheck security plug-in for Joomla, it's time for an upgrade. The ADEO Security Team posted cross-site scripting (XSS) and SQL injection vulnerabilities (with proof-of-concept) to Full Disclosure. Both of the vulnerabilities are only exploitable when the admin is logged into a Joomla site. The XSS …

Oracle eBusiness Suite has 'huge, massive, ginormous' pwn surface

Auscert Oracle has a 'huge, massive, ginormous' attack surface, according to one prolific and proven researcher who reckoned he gave up looking because there are too many vulns. The security tester (who requested anonymity because his presentation wasn't approved by his employer) for one of the biggest tech firms found 50 …
Darren Pauli, 01 Jun 2016

IBM warns of 'bug poachers' who exploit holes, steal info, demand big bucks

At least 30 companies have been hit in the past year by so-called "bug poaching," where hackers break into corporate servers, steal data, and then demand a fee for showing how it was done. The technique, spotted by IBM's Managed Security Services researchers, involves miscreants breaking into a corp's servers, typically using …
Iain Thomson, 01 Jun 2016

Insider trading hacker pleads guilty to p0wning press releases

A Ukrainian ne'er-do-well who broke into market computers for an insider trading scheme has entered a guilty plea in the US. The 28-year-old, Vadym Iermolovych, has put his hands up to three charges – conspiracy to commit wire fraud, conspiracy to commit computer hacking, and aggravated identity theft. The US Department of …

YouTube skiddie busted for hacking Country Liberal Party

A man from the Australian state of Victoria has been charged after stealing, using, and publishing credit cards of political party members using basic tricks he learned from YouTube. Aaron Warren Camm, 20, of Kangaroo Flat, learnt how to use the skiddie tool Havij to launch SQL injection attacks and applied the lessons in …
Darren Pauli, 16 May 2016

Hackers tear shreds off Verizon's data breach report top 10 bug list

Information security boffins have pilloried Verizon's latest data breach report, suggesting its list of top security vulnerabilities does not represent reality. The 2016 Data Breach Investigations report [PDF] is Verizon's ninth in the series drawing on a wider pool of data including some 100,000 security incidents and 2260 data …
Darren Pauli, 12 May 2016

Researcher arrested after reporting pwnage hole in elections site

Vanguard Cybersecurity man David Levin was arrested after exploiting and disclosing SQL injection vulnerabilities that revealed admin credentials in the Lee County state elections website. The Florida Department of Law Enforcement says the 31-year-old Estero man hacked into Lee County state elections website on 19 December. …
Darren Pauli, 09 May 2016

MIT launches campus lunch bug bounty

The Massachusetts Institute of Technology has joined the growing number of large organisations and agencies to offer a bug bounty. The program is in an experimental phase and is open to current MIT students and affiliates, and includes a limited number of domains. Those submitting severe bugs will have money dropped into MIT …
Darren Pauli, 26 Apr 2016

'I hacked Facebook – and found someone had beaten me to it'

A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp – and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully …
Chris Williams, 22 Apr 2016

SQL injection vuln found at Panama Papers firm Mossack Fonseca

Grey hat security researchers have discovered new flaws in the systems of Panama leak firm Mossack Fonseca. A self-styled “underground researcher” claims to have found a SQL injection flaw on one of the corporate systems of the Panamanian lawyers. “They updated the new payment CMS, but forgot to lock the directory /onion/,” …
John Leyden, 11 Apr 2016

Water treatment plant hacked, chemical mix changed for tap supplies

Hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water, we're told. The cyber-attack is documented in this month’s IT security breach report (available here, registration required) from Verizon Security Solutions. The utility in question is referred to using a …
John Leyden, 24 Mar 2016

Symantec warns of serious security holes – in Symantec security kit

Symantec is advising users of its Endpoint Protection (SEP) software to update their systems, after three vulnerabilities were reported in the computer defense tools. Two of the bugs – a cross-site scripting (XSS) flaw, and a SQL injection vulnerability – are in the SEP Management Console, a web-based portal you can log into …
Shaun Nichols, 18 Mar 2016

Is this Romanian man really 'GhostShell'? If so, he risks arrest

Members of the security community are nonplussed by claims that a Romanian hacker “GhostShell” has seemingly risked arrest by doxxing himself in a bid to get a job in information security. The man claiming to be a one-time Anonymous-affiliated hacktivist avoided identification and arrest for four years before apparently outing …
John Leyden, 15 Mar 2016

You know how we're all supposed to automate now? Dark web devs were listening

RSA 2016 Security researchers have thrown the spotlight on a popular cybercrime tool that's used by crooks to automate the process of taking over accounts on major websites before making fraudulent purchases. Sentry MBA, which is readily available for purchase on the so-called dark web, offers a way to break into accounts via a point- …
John Leyden, 02 Mar 2016

You're a cybercrime kingpin. You need a new evil lackey. How much do you tell them?

RSA 2016 Cybercrooks, much like ethical security defenders, are facing a skills crisis and difficulties in recruiting qualified staff. Their attempts to bring workers into criminal organisations leave it possible for experts to learn more about their strategies and tactics, according to new research from threat intelligence firm Digital …
John Leyden, 01 Mar 2016

'I bet Russian hackers weren't expecting their target to suck so epically hard as this'

Line Break Welcome back to Line Break, our weekly column of terrible code our readers have encountered in the wild. So far we've featured astonishingly brain-dead designs in production and amusing code from yesteryear machines. Our emphasis has been on learning through others' mistakes while also brightening drab Wednesday mornings with …
Chris Williams, 24 Feb 2016

Cricket can get nasty: India v Pakistan rivalry boils over into cyber-war

The continuing rivalry between India and Pakistan has spilled over into cyberspace, with activity peaking around nationalist holidays and sports fixtures. A study of recent real-world events and hacktivist operations by threat intelligence firm Recorded Future highlights the varied motives behind online malfeasance. Events …
John Leyden, 11 Feb 2016

Russian ATM-popping gang used nation state cybercrook tactics

Cybercrooks are increasingly adopting tactics from more advanced hackers in order to steal millions of dollars from banks and other financial institutions. The first of the two cybercrime groups, dubbed Metel, are mostly active in Russia. The group’s typical modus operandi involves gaining control over machines inside a bank …
John Leyden, 09 Feb 2016

Security? We haven't heard of it, says hacker magnet VTech

Insecure kiddie-IoT-tat merchant VTech has decided its insecurity is its users' fault. As noted by developer-blogger Troy Hunt, VTech has updated its terms and conditions after its brain-dead security practices led to the leaking of its customers' personal information. In particular, Hunt notes, there's this: YOU ACKNOWLEDGE …

Asda slammed for letting vulns fester on its cyber shelves

Supermarket chain Asda has come under fire for sitting on a potentially serious set of web vulnerabilities on its website for almost two years. As first reported by The Register on Monday, UK security consultant Paul Moore warned Asda about a shopping list of online vulnerabilities in March 2014. Asda upped the grade of its …
John Leyden, 21 Jan 2016

Shop online at Asda? Website vuln created account hijack risk

Updated Retailer Asda dragged its heels for nearly two years before finally this week tackling a set of security vulnerabilities reported to it by a UK consultant. Asda has acknowledged the flaws - which Paul Moore, who discovered them, argues offer up an account hijack risk - but played down their significance. Moore told El Reg …
John Leyden, 19 Jan 2016

Drupal uncrosses fingers, promises secured patching

Drupal is switching to secured channels for updating its content management system, after IOActive security bod Fernando Arnaboldi reported it sought patches in the clear. More than a million sites use the popular content management system, making it a significant target for hackers. The vulnerabilities are not earth- …
Darren Pauli, 12 Jan 2016

Say oops, UPSERT your head: PostgreSQL version 9.5 has landed

PostgreSQL has pitched its latest release with a cheeky dig at MySQL as a "legacy" database. Version 9.5 of PostgreSQL adds a feature called UPSERT – INSERT, ON CONFLICT UPDATE – which it says removes the last barrier for MySQL users to migrate. The feature targets web and mobile environments, by handling conflicts between …

'You're updated!' Drupal says, with fingers crossed behind back

Drupal installations could be out of date and open to attack thanks to a borked update process that flags unpatched platforms as current. The popular content management system is used by more than a million sites making it a significant target for hackers. Indeed, in October 2014 attackers took mere hours to compromise untold …
Darren Pauli, 07 Jan 2016

Hacktivist pranksters stick it to the European Space Agency

Elements of Anonymous have taken time off from fighting adherents of Daesh (the so-called Islamic State) and trolling Donald Trump to attack the European Space Agency. Hacktivists dumped a schema of the ESA website (esa.int), along with data about registered users, collaborators, and subscribers, after hacking into the space …
John Leyden, 15 Dec 2015

Infosec bods rate app languages; find Java 'king', put PHP in bin

Java applications have been found to have many fewer common vulnerabilities than those coded using web scripting languages. Less than a quarter of Java apps sport SQL injection vulnerabilities, compared to more than three quarters of those written in PHP. So says Veracode's new State of Software Security report (PDF …
Darren Pauli, 04 Dec 2015

Mr Grey, the Russian hacker who helped haul in 1.2 billion logins

The FBI has linked a hacker said to be in part behind the plundering of 1.2 billion credentials from some 420,000 websites to the handle "Mr Grey". The hack, as reported by The Register, could be one of the biggest data theft hauls in history. The US agency linked the hacker to the handle using open source data including email …
Darren Pauli, 27 Nov 2015

Mixing ERP and production systems: Oil industry at risk, say infosec bods

Black Hat Europe Hackers might be able to bridge the gap between supposedly air-gapped systems in oil and gas production by pivoting from enterprise planning onto production systems. Vulnerabilities and insecure installations in SAP business software and other enterprise systems might be used to interfere with loosely-coupled but nonetheless …
John Leyden, 18 Nov 2015

TalkTalk hired BAE Systems' infosec bods before THAT hack

Contrary to suggestions that TalkTalk hired BAE Systems to shore up its security after the much-publicised hack in October, the telco had actually been outsourcing its security operations centre to BAE since June – and previously told investors it had "completed" a security audit. In its annual report, published in June, …

NoSQL: Injection vaccination for a new generation

We are becoming more and more accustomed to reading about losses of online data through malicious hack attacks, accidents, and downright carelessness – it’s almost as if we don’t know how to secure data against the most common forms of attack. Of course, that isn’t really true as best practice, legislation, and education on …
Andrew Cobley, 13 Nov 2015

Password reset invoked after vBulletin.com forum software site defaced

The official website of the vBulletin.com forum software has hit the big red password reset following a breach by hackers that exposed the IDs of hundreds of thousands of users. A hacker claimed they had made off with a combined 480,000 records after an attack that led to the defacement of vBulletin.com and a reported hack …
John Leyden, 03 Nov 2015

Here's how TalkTalk ducked and dived over THAT gigantic hack

Timeline It has been almost two weeks since the "cyber attack" on the TalkTalk website of 21 October, yet the company is yet to tell its customers how their data was compromised. TalkTalk's CEO Dido Harding has yet to offer anything more than a token apology regarding the company's security practices, which allowed more than a million …