Tag Archive | SQL injection

Yahoo Flaws Potentially Found by Egyptian Hacker

Security experts are investigating claims by an Egyptian hacker who goes by the name “Virus_Hima” and who released screenshots of potential flaws in Yahoo’s website. The hacker has done this before, and whether his intentions are good is unclear.

One of the flaws identified by this hacker was the ability to access a full backup of one of Yahoo’s domains. The other problems included cross-site scripting (XSS) and SQL injection vulnerabilities, according to a PasteBin.com post titled “Yahoo data leak by Virus_Hima”.

His previous work included Adobe, where he released a batch of more than 200 email addresses obtained from one of the company’s databases. As a result, Adobe shut down Connectusers.com, the site for its Connect Web conferencing service.

Notwithstanding his “good intentions”, he has also denied the claim that he sold a $700 XSS vulnerability on the black market. He claims to be a former blackhat whose intentions as a vulnerability researcher are now good. However, in his PasteBin.com post he was spotted taking shots at security reporter Brian Krebs, calling the site “Krebsonshitz” when it is clearly “Krebs on Security”. Krebs reported on the hacker back when the XSS vulnerability was being sold.

More news in Sony Pictures hack, LulzSec member Rivera pleads guilty

LulzSec member Raynaldo Rivera, who was arrested at the end of August, appeared in court this past Thursday (Oct. 11) and has pleaded guilty to charges of hacking into Sony Pictures, as well as stealing personal information, passwords, and other personal data from thousands of users.

Under the plea agreement, Rivera will pay restitution to his victims and faces a maximum penalty of a five-year prison sentence and a fine of at least $250,000.

This “simple SQL injection” apparently cost Sony over $600,000, which is not chump change by any means.

Rivera used the HideMyAss proxy service, in violation of its terms of service, to investigate potential vulnerabilities on Sony servers. HideMyAss cooperated with authorities, providing a report of the hacker’s data transactions.

The issue in encryption: Why it will not solve our security problems

The question today is whether encryption is really that important in computer security when it comes to the issues people actually face. The biggest problem with encryption is that even if every piece of information in an enterprise were encrypted, intruders could still access it.

Encryption has many limitations. The following points come up when it comes to encrypting data (and show why a backup method is needed):

  • Encrypting every piece of information does not always mean the data is totally secure.
  • If a user can access the data, so can the intruder.
  • Users and even applications must be able to access data in unencrypted form to use it.
  • Web apps will still suffer SQL injection.
  • It will not stop Java exploits.
  • If a user can access the data on the device he/she is using, and that device is stolen, the data is no longer secure.
  • If even a small amount of personal or business information is leaked, a hacker has at least some material to use in trying to crack passwords.

So the biggest concern, it seems, is that encrypting data does not make it completely secure. The best way to truly secure data is a defense-in-depth approach to securing machines, which makes the hacker work hard to reach the data. By that point, the hacker may question whether the attack is worth it.
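To make the second and fourth bullets concrete, here is an added example (not from the original post) in Python: a toy app keeps contestant emails encrypted in its SQLite table, but because the app holds the key and decrypts whatever rows its query returns, a string-built query hands an injected input every decrypted row, while the bound-parameter version of the same lookup returns nothing. The XOR "cipher", the `contestants` table and the sample rows are constructed stand-ins, not real components.

```python
"""Encryption at rest vs. SQL injection through the app's own decrypt path."""
import sqlite3

KEY = b"demo-key"  # constructed sample key; a real system would hold it in a KMS


def encrypt(plain: str) -> bytes:
    # Stand-in for a real cipher: repeating-key XOR. NOT secure; it only makes
    # "encrypted at rest" visible in the stored rows for this demonstration.
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(plain.encode()))


def decrypt(blob: bytes) -> str:
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(blob)).decode()


def build_db() -> sqlite3.Connection:
    # Constructed sample table: emails are stored only as ciphertext.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contestants (username TEXT, email BLOB)")
    for user, mail in [("alice", "alice@example.com"), ("bob", "bob@example.com")]:
        conn.execute("INSERT INTO contestants VALUES (?, ?)", (user, encrypt(mail)))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String concatenation lets the caller rewrite the WHERE clause; the app then
    # dutifully decrypts every row the rewritten query returns.
    sql = "SELECT email FROM contestants WHERE username = '" + username + "'"
    return [decrypt(row[0]) for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Bound parameter: the input is only ever compared as a value, never parsed as SQL.
    sql = "SELECT email FROM contestants WHERE username = ?"
    return [decrypt(row[0]) for row in conn.execute(sql, (username,))]


def demo() -> dict:
    conn = build_db()
    stored = conn.execute("SELECT email FROM contestants").fetchone()[0]
    probe = "' OR '1'='1"  # classic tautology input used only to show the difference
    return {
        "at_rest_is_ciphertext": stored != b"alice@example.com",
        "vulnerable": lookup_vulnerable(conn, probe),  # every email, decrypted
        "safe": lookup_safe(conn, probe),              # no such username: []
    }


if __name__ == "__main__":
    print(demo())
```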

If this post helps you save money by providing tips to secure your data, please consider a donation.


Alleged LulzSec Member Arrested by FBI for Sony Hack

LulzSec

A man alleged to have hacked into Sony Pictures Entertainment computer systems has been arrested. Raynaldo Rivera was arrested not only for hacking but also for stealing personal information, passwords, and other personal data from thousands of users. Most of the leaked information belonged to innocent users who had entered contests held by Sony Pictures Entertainment.

This “simple SQL injection” apparently cost Sony over $600,000, which is not chump change by any means.

Rivera used the HideMyAss proxy service, in violation of its terms of service, to investigate potential vulnerabilities on Sony servers. The alleged hacker is known by the online handles “neuron”, “wildicv”, and “royal”. He could face up to 15 years in prison if convicted.


Report: Average Web App Attacked Every Three Days

Do not envy the life of a Web app. It’s a brutal, public existence filled with attacks from all sides. In fact, a new report by Imperva sheds some light on this sad life, showing that a typical Web app is attacked once every three days and some are targeted as many as 2,700 times in a given year.

Web apps are lots of fun for attackers because they’re publicly accessible and take all kinds of interesting inputs. Attackers can take their time, throwing whatever data they choose at a given app and then see what happens to break. To determine what this attack landscape looks like, Imperva monitored 50 Web applications for six months, looking at the kinds of attacks each one endured and pulling out trends.

One of the more interesting findings was that the typical Web app can expect to be attacked every third day and that some of the applications are under attack as often as 292 days per year. There are likely to be multiple attack incidents on any given day, as well. The average attack that Imperva observed lasted a little less than eight minutes and the longest went on for about 80 minutes.

Read more on ThreatPost

PayPal Bounty Program Kicks Off

BOUNTY HUNTERS: PayPal is offering sweeter deals!!

PayPal Chief Information Security Officer Michael Barrett said on the PayPal Blog:

Today I’m pleased to announce that we have updated our original bug reporting process into a paid “bug bounty” program. The experience from other companies such as Facebook, Google, Mozilla, Samsung and others who have implemented similar programs has been very positive. I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong – it’s clearly an effective way to increase researchers’ attention on Internet-based services and therefore find more potential issues.

The bug reporting program has several steps:

  1. Bug reports are submitted by researchers.
  2. The report is then categorized by the following criteria: A. Cross-site scripting (XSS), B. Cross-site request forgery (CSRF), C. SQL injection, D. Authentication bypass.
  3. Severity and priority are determined.
  4. The researcher is paid via their PayPal account.

See more information, if needed, on the PayPal Blog.