
Hackers Infect BusinessWeek Website via SQL Injection Attack


The website of the world renowned magazine has been subject of an SQL injection attack

BusinessWeek has just joined a group of highly rated and visited websites that fell victims to SQL injection attacks. Graham Cluley, Senior Technology Consultant for the security company Sophos, disclosed that parts of the website of the popular weekly magazine were attempting to serve malware from a Russian server.

SQL Injection has been at the top of vulnerability trends in recent years along with XSS (cross-site scripting). The name refers to attacker-supplied SQL being injected into the web application's database queries; in mass attacks like this one, the injected SQL writes malicious script into the database content, which the site then serves to its visitors and which is generally used to spread malware from third-party servers.

The new BusinessWeek incident adds to the other 16,000 pages affected by SQL Injection discovered daily (according to a Sophos report). Mr. Cluley points out that hundreds of individual BusinessWeek pages from a section of the website were affected. What's even worse is that the particular section was addressed to MBA students looking for career opportunities.

The injected malicious code was trying to serve malware from a .ru website, but the server in question was offline at the time when the attack was discovered. According to Cluley, this wasn't necessarily permanent and the status of the website could have changed, which would have posed a serious security risk to the personal or financial information of the users. A BusinessWeek spokesman commented for The Register that, following their investigation, it was determined that no sensitive information had been compromised and that the particular web application affected had been removed from their website.

BusinessWeek website infected by malware from Sophos Labs on Vimeo.
Even so, Mr. Cluley pointed out that BusinessWeek had been notified about the issue last week and that, two days ago, the malicious code was still online. Companies should fix such problems as soon as possible, because time is essential with these attacks: the longer the code remains online, the more people are likely to get infected.

In a short video, Cluley outlines the basic steps companies should take in order to prevent such incidents. They include adopting development best practices, ensuring web applications run with the lowest possible database privileges, constantly checking server logs for suspicious activity, and using programs designed to tighten the security of web applications.
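One of the steps above is checking server logs for suspicious activity. As an added example (not from the article or from Sophos), the Python below scans constructed Apache-style access-log lines for the request shapes that recur across these posts: boolean probes such as AND 1=1 / AND 1=2, UNION SELECT, and MySQL fingerprinting calls like version() and concat_ws(). The log lines, hosts and paths are invented for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined format). The addresses,
# paths and parameters are invented for this example, not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Feb/2009:10:01:12 +0000] "GET /support/kb.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Feb/2009:10:01:40 +0000] "GET /support/kb.php?id=42%20AND%201=2 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Feb/2009:10:02:03 +0000] "GET /article/index.php?city=87%20union%20all%20select%201,concat_ws(0x203a20,version(),user()),3 HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Feb/2009:10:02:30 +0000] "GET /stats/top50.asp?period=7days HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: source IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Patterns typical of the injection attempts described in these posts.
SQLI_PATTERNS = [
    # true/false probes used in blind injection: "AND 1=1", "OR 1=2"
    ("boolean_probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    # UNION-based extraction of extra columns
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    # server fingerprinting helpers seen in the published URLs
    ("db_fingerprint", re.compile(r"\b(version|user|database|concat_ws)\s*\(|@@version", re.I)),
    # enumeration of tables and columns
    ("schema_probe", re.compile(r"information_schema", re.I)),
    # comment terminators and stacked statements
    ("comment_or_stack", re.compile(r"(--|/\*|;\s*(select|update|insert|delete|drop)\b)", re.I)),
]


def decode_query(url):
    """Return the URL-decoded query string of a request URL.

    Decoding twice catches double-encoded payloads (%2527 -> %27 -> ').
    """
    query = urlsplit(url).query
    return unquote_plus(unquote_plus(query))


def scan_log(text):
    """Scan access-log text and return (ip, url, [pattern names]) for every
    request whose decoded query string matches an injection pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = decode_query(m.group("url"))
        names = [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
        if names:
            hits.append((m.group("ip"), m.group("url"), names))
    return hits


def suspicious_ips(text):
    """Aggregate hits per source address so repeated probing stands out."""
    counts = {}
    for ip, _, _ in scan_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, url, names in scan_log(SAMPLE_LOG):
        print(f"{ip}  {', '.join(names)}  {url}")
    print(suspicious_ips(SAMPLE_LOG))
```

A single boolean probe in a log is not proof of compromise; what matters is the same address walking a site with many such requests, which the per-IP count surfaces.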
 

Kaspersky Reveals Details of Attack on Its Website


The Antivirus Vendor Claims That No Customer Data Has Been Compromised

After a SQL injection attack against the US support website belonging to Kaspersky Labs was published on the Romanian Hackers Blog, the company disclosed details of the security breach. The investigation established that no sensitive data was accessed, but the antivirus vendor hired a database security expert to audit all of its websites.

During the past weekend, the Romanian Hackers Blog published information regarding a successful attack on http://usa.kaspersky.com/support/. According to the attacker, full access to the database containing customer information, support tickets, and even product activation codes had been obtained through SQL injection techniques.

The alleged ethical hacker, who calls himself "unu," did not post any sensitive information stored in the database, which was confirmed to contain around 2,500 customer e-mail addresses and 25,000 software activation keys. "This time I will not (for reasons that need no explanation) publish any screenshot with containing personal details or activation code," he said.

However, Vitaly Kamluk, chief malware expert at Kaspersky Lab, who has been involved in the investigation into this incident, claims there were several attackers, not one, and dismisses their good intentions. "After collecting field names, the attackers made a few attempts to extract the data from tables," he writes on the Kaspersky Analyst's Diary Weblog.

Apparently, only a simple mistake prevented them from hitting the jackpot. "Those queries failed because the attackers specified the wrong database," Kamluk explains. "There were several attackers with IP addresses from Romanian ISPs," the analyst also notes.

Meanwhile, during a conference call with reporters, Kaspersky Senior Research Engineer Roel Schouwenberg explained that the vulnerability was introduced along with a new update on the support site on January 28. He also pointed out that a Romanian Kaspersky employee came across the blog entry explaining the attack and immediately alerted his U.S. colleagues, who in turn rolled back the website to its stable state before the vulnerable update was deployed.

Vitaly Kamluk shares that the attackers used a free version of an automated probing tool from Acunetix to determine that the site was vulnerable to SQL injection, and then proceeded with manual exploitation. "The attackers stopped after they got only the column and table names from the database and decided to go for glory. No data modification queries UPDATE, INSERT, DELETE... were logged," he adds.

Both Kamluk and Schouwenberg challenge the hackers' claim that they published the attack only after e-mails sent to the antivirus vendor went unanswered. "After conducting the attack, the attackers decided to show off their ‘great code of ethics’ by sending Kaspersky an email – on a Saturday to several public email boxes. They gave us exactly 1 hour to respond," Kamluk mentions, while Schouwenberg concludes that "They gave us little if any chance to respond."

When asked by the reporters if the company's image might suffer as a result of this security breach, Roel Schouwenberg said that "Honestly speaking, yes. This is not good for any company, especially a company dealing with security. This should not have happened." However, he stressed that "We are doing everything within our power to do the forensics on this case and to prevent this from ever happening again." In this respect, the company has hired world-renowned database security expert David Litchfield to perform an independent security audit of websites belonging to Kaspersky Labs.

"Secure development MUST be a key priority for web development - anywhere, anytime and all the time. It is a lesson to us all - check, check and re-check your processes and your code," Vitaly Kamluk advises. "We are lucky the hackers proved to be more interested in fame than in causing damage," the software engineer concludes.

Note: This article has been updated to correctly attribute the cited material from the Kaspersky weblog, signed VitalyK, to Vitaly Kamluk, chief malware expert at Kaspersky Lab, as opposed to Vitaly Kouzin, software engineer at Kaspersky Lab, whom it originally credited.
 

F-Secure Joins The List Of Compromised Antivirus Websites


The Romanian HackersBlog Makes a New Victim

After previously compromising websites belonging or related to Kaspersky and Bitdefender, the Romanian hackers from the HackersBlog crew launched a new successful SQL injection attack against the website of an antivirus vendor. This time around it was F-Secure; however, the security breach did not have the potential of disclosing sensitive information.

In a new post published on the HackersBlog, one of the website's admins, Tocsixu, discloses a SQL injection attack against the statistics section of the website belonging to Finnish security company F-Secure. In addition to being vulnerable to SQL injection, the http://stats.f-secure.com website also allowed for code injection through cross-site scripting (XSS).

Successful poisoning of SQL SELECT statements through URL manipulation exposed the tables of what looked like a Microsoft SQL Server 2000 database running on Windows Server 2003 with Service Pack 2.

The compromised tables were: MailboxInfo, VirusUpdated, dtproperties, Country, sysconstraints, VirusTrends, Virus_Top50_24h, Virus_Top50_30days, Virus_Top50_7days, Virus_Top50_90days, Virus_Top50_Month, Virus_Top50_Week, VirusDateTotal, VirusDate, VirusMonthTotal, VirusReports, VirusReportsTemp, VirusTrends.

F-Secure confirmed the security breach, but pointed out that the compromised database contained information about malware statistics that had been made publicly available anyway. "The malware statistics is something we publish anyway at F-Secure Worldmap and, because of our IT security strategy, the impact was minimal," Patrik Runald, senior security specialist at F-Secure, writes on the company's weblog. This is also mentioned by Tocsixu, who points out that "Fortunately, F-Secure doesn’t leak sensitive data, just some statistics regarding past virus activity."

The F-Secure analyst explains that the attack was possible because a page on their statistics website didn't properly sanitize its input. He also maintains that no information-altering SQL commands were executed against the database, and that other details on the server could not be reached by the hackers, because the SQL username used by that section of the F-Secure website only had access to the statistics database. "While the attack is something we have to learn from and look at things we need to improve, it's not the end of the world," Patrik Runald concludes.

This is the third time in less than a week that the HackersBlog team has launched a successful SQL injection attack against the website of a security vendor. The first was the U.S. support website of Kaspersky Labs, developer of Kaspersky Antivirus. This was followed by a similar breach on the website of a Bitdefender Antivirus partner in Portugal, http://www.bitdefender.pt.

Even though slow to respond at first, Kaspersky eventually assumed responsibility for the security incident and revealed extensive details about the attack. In addition, the company hired a renowned database security expert to perform a security audit on its websites. Bitdefender, however, kept it short, saying that the website belonged to a reseller and was not controlled by it. Even so, the site was using the Bitdefender name, logo and a very similar website layout, and was selling Bitdefender products. It's unlikely that the Bitdefender users who have had their personal information put at risk care too much about whose website that is.
 

Kaspersky & Bitdefender Websites Hacked


The databases were compromised through SQL injection attacks

Both Kaspersky and Bitdefender antivirus vendors have been left with red faces by a Romanian hacker who obtained access to the SQL databases of two of their websites. The data stored in the databases includes customer information, e-mails, support tickets, and even activation codes.

A hacker going by the nickname of "unu," meaning "one" in Romanian, has reported on Saturday that he compromised the security of the Kaspersky website in USA. In a posting made on HackersBlog, unu published screenshots as well as a list of the tables found in the site's SQL database.

The hacker explained that he obtained full access to the database through SQL injection. SQL injection is a technique in which SQL commands are passed through unvalidated input, in this case URL parameters, so that they become part of the query the site runs against its database. Hackers usually use it to read data they should not see or to insert rogue data into the database for various purposes. "Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc," the Romanian writes.

Image comment: Kaspersky USA database information screenshot

However, unu's intentions were not malicious. According to The Register, he only decided to go public after he sent messages to several Kaspersky official e-mails and got no response. This is also reflected by the evidence he presented, like the malformed URLs being blurred in the screenshots.

Also, he did not publish any customer information, although he claims to have had complete access to it. "This time I will not (for reasons that need no explanation) publish any screenshot with containing personal details or activation code," unu explains.

Image comment: Bitdefender Portugal administrator login credentials screenshot

Kaspersky has partially confirmed the security breach. "On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site," the company claims in a statement.

Tocsixu, one of the admins of HackersBlog, has told The Register that unu hacked the website days before going public, which seems to come into conflict with Kaspersky's account. According to him, the reason why no data has been compromised is only due to the good will of the hacker. "Indeed, no data was compromised from the site because that is not Unu's (our) intention. No sensitive information from the site was stored, legit Kaspersky users can rest assured," he states.

However, after being done with Kaspersky, the hacker turned his attention to another big player on the antivirus market, Bitdefender. In a new post published today, the hacker documents a similar successful SQL injection attack against the website of Bitdefender Portugal. "It seems Kaspersky aren’t the only ones who need to secure their database. Bitdefender has the same problems," unu adds.

He goes on to describe the attack that provided him with access to the database containing administrators' usernames and passwords, the personal details of thousands of customers and sales data. In addition, one table in the database contains a large number of e-mail addresses belonging to people who subscribed to the company's newsletter. "And last a part of the data from the table inscricoes(Newsletter)… thousands of email addresses, candy for possible spammers," the attacker points out.

Like in the case of the Kaspersky incident, unu did not publish any sensitive information and also blacked out the compromising details of the attack in the provided screenshots. Bitdefender has still to confirm and comment on this attack. Stay tuned, we will return with updates if it does.
 

Symantec Website Hacked


Blind SQL Injection Vulnerability Disclosed

The Romanian ethical hacking outfit HackersBlog shames yet another antivirus vendor – Symantec. A SQL injection vulnerability in a section of the Symantec website allows unauthorized access to the database.

Symantec is one of the biggest IT security companies in the world, developing a wide range of products for both home and enterprise consumers. It is a veteran on the antivirus market, its flagship product being Norton Antivirus.

According to “unu,” a Romanian hacker associated with HackersBlog, the Document Download Centre section of the Symantec website contains a poorly-sanitized parameter, which facilitates SQL injection attacks. Successful exploitation results in giving an attacker access to the database.

Image comment: TRUE condition AND 1=1 - Page loads normally

“The irony of the situation is that it’s done on https, on a login page, a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY,” the hacker, who doesn't specify what sensitive information, if any, is stored in that particular database, notes.

Image comment: FALSE condition AND 1=2 - Text disappears

The documented attack is actually a “blind” SQL injection. As opposed to regular SQL injections, such attacks are harder to carry out, because the website does not respond with error messages or query output that would give the hacker an idea of how to proceed; the only feedback is whether the page content changes when a true or a false condition is appended to the query.

Image comment: SELECT function, AND (SELECT 1)=1 returns true - Text doesn't disappear

According to the few items of information “unu” has provided, the website runs on an Apache Web server with PHP 5.2.6 and a MySQL 5.0.22 backend. The published screenshots demonstrate how executing SQL commands through URL manipulation alters the content of the page.
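The true/false check described in the screenshots above, as an added example that is not part of the original post: a Python/sqlite3 stand-in for a document-lookup page whose id parameter is spliced into the query, beside a version that validates and binds the parameter. The table, its rows and the function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Build an in-memory table standing in for a document download centre.
    The rows are constructed sample data, not anything from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO docs VALUES (?, ?)",
        [(1, "Norton AntiVirus 2009 datasheet"), (2, "Endpoint admin guide")],
    )
    return conn


def fetch_title_vulnerable(conn, doc_id):
    """Unsafe lookup: the parameter is pasted into the SQL text, so whatever
    the request carries becomes part of the statement. Returns the title
    or None when no row matches."""
    sql = f"SELECT title FROM docs WHERE id = {doc_id}"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def fetch_title_safe(conn, doc_id):
    """Hardened lookup: enforce the expected type, then bind the value as a
    query parameter so it can only ever be compared, never executed.
    Raises ValueError for anything that is not a plain integer."""
    doc_id = int(str(doc_id).strip())  # "1 AND 1=2" fails here
    row = conn.execute("SELECT title FROM docs WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def blind_oracle(fetch, conn, base_id):
    """Reproduce the screenshot test: append a true and a false condition to
    a known-good id and report whether the returned content differs.
    True means the endpoint leaks one bit per request and is injectable;
    a ValueError from the hardened lookup counts as 'not injectable'."""
    try:
        true_page = fetch(conn, f"{base_id} AND 1=1")   # page loads normally
        false_page = fetch(conn, f"{base_id} AND 1=2")  # text disappears
    except ValueError:
        return False
    return true_page != false_page


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", blind_oracle(fetch_title_vulnerable, db, 1))  # True
    print("hardened:  ", blind_oracle(fetch_title_safe, db, 1))        # False
```

The hardened version rejects the input before any SQL runs; where a parameter is legitimately free text, binding it with `?` still keeps it a literal, and the type check is the extra layer that also stops the probe from reaching the database.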

“Unu” claims to have contacted Symantec regarding the problem, or at least attempted to. “[...] On the website there is no contact email address for cases such as this, I’ve sent an email to webmaster@symantec.com and security@symantec.com. The email didn’t bounce, so someone must have received it. No answer as of yet,” he writes, while pointing out that more detailed info could be revealed after the company fixes the issue.

During the past two weeks, hackers from the HackersBlog crew have been disclosing various SQL injection vulnerabilities on websites belonging to no less than four antivirus vendors: Kaspersky, F-Secure, Bitdefender, and now Symantec. The site operated by the Bitdefender business partner in Portugal has also been compromised by the same group through SQL injection.

Antivirus vendors are not the only targets of the Romanian group of hackers. Yahoo! has also been the subject of attacks from them more than once, while “unu” has just recently disclosed a similar vulnerability on the website of the International Herald Tribune, the global edition of the New York Times.
 

Security Experts Warn Of 'Staggering' Rise In Malware



Research Shows Economic Slump Prompting Surge In Online Criminality

Malware volumes grew by a huge 300 per cent during 2008, fuelled in part by continuing job uncertainty, according to new research from security-as-a-service provider ScanSafe.

The firm analysed more than 240 billion web requests in over 80 countries last year, and found a particular growth in exploits and iframe attacks, which rose 1,731 per cent, and data-theft Trojans, which increased by 1,559 per cent.

Mary Landesman, senior security researcher at ScanSafe, suggested that the rise in criminal activity could correspond to the decline in the global economy.

"We saw a continued acceleration of web-delivered malware in 2008, reaching significant peaks in October and November. The numbers are staggering," she said.

"It could be that the increasing job losses and uncertainty are fuelling the surge in criminal activity. It is also likely that cyber crime is a viable business opportunity in a climate where legitimate opportunities are becoming increasingly limited."

ScanSafe also warned that trusted sites are now statistically the most dangerous on the web, as they are frequently hacked using techniques such as SQL injection attacks. The firm recorded 780,000 malicious web pages in April alone as a result of a single SQL injection attack.
 

BT Rebuts Database Security Breach Claims


BT has dismissed the significance of supposed vulnerabilities on its systems detailed by infamous hacker Unu on Tuesday.

The Romanian hacker posted screenshots illustrating what he claimed highlighted SQL injections in a posting at Hackersploit.org.

"A faulty parameter, improperly sanitized opens the vault to the pretious (sic) databases. One can gain access to such ordinary things as personal data, login data, and the like," Unu writes. A subsequent post explains that the issue involved blind SQL Injection vulnerabilities involving the site www.comparebroadband.bt.com.

But an investigation by BT concluded that the flaws (such as they are) involved only test systems.

A statement by the telecoms giant explains that its production systems and customer data remain safe.

BT has carried out a thorough investigation of this alleged breach. We have found that access was gained to a test database and therefore no customer details were revealed at any time.

When sites are under test they do not contain live data and are often not included within our secure network until they become operational. BT has developed rigorous, world-leading protection against unauthorised computer access in order to protect customer details and commercial interests. Where a suspected intrusion has occurred BT will act swiftly to ensure our customer data is not at risk.

Our operational systems have not been affected in any way by this attempt to break through our security.

Romanian hacker Unu came to prominence a month ago when he poked the websites of security vendors, such as Kaspersky Lab and BitDefender, discovering some problems in the process. More recently he's moved on to scouring the websites of large UK businesses, such as those run by Camelot and the Daily Telegraph and now BT, for database flaws. In all of the three latest cases the firms involved have said that Unu's postings suggest a more severe problem than was actually the case.

Unu's results are genuine but his analysis fails to explain that partner or test sites, rather than the main sites of the Daily Telegraph and BT, for example, have flaws.
 

Chatwebcamfree Attack Hits Twitter Users


Hundreds of Twitter users have been hit by another attack on the popular micro-blogging site, with messages being sent from compromised accounts trying to drive traffic to a pornographic website.

The messages which say

hey! 23/Female. Come chat with me on my webcam thingy here www.chatwebcamfree.com

are being spammed out as Tweets.



However, the index page of that website serves up obfuscated JavaScript that loads a variety of pornographic adverts and contains a web form directed to a site called eroticgateway.com.



Clearly, if a hacker has managed to ascertain your Twitter password there is a chance that they may have also compromised your system in other ways too.

Any Twitter users who find that they have unwittingly posted the message would be wise to change their Twitter password immediately. Furthermore, if you use that password on any other non-Twitter account then you must also change those passwords too (please *don't* make it the same as your new Twitter password).

As we don't yet know how the hackers compromised accounts, it wouldn't do any harm to scan your computer with an up-to-date anti-virus product either.

Twitter has confirmed that approximately 750 accounts were hijacked by criminals during the course of this attack, and says that they have reset the passwords of all compromised accounts. That should stop the tidal wave of spam messages advertising adult webcam websites for now.

But there is still a lack of clarity of how the accounts were compromised in the first place.

Finally, one extra thing to throw into the mix. Last month, Facebook users reported seeing a very similar message.



You don't have to be Albert Einstein to put two and two together, and deduce that these attacks must be related.

We're seeing more and more attacks from spammers, phishers, malware authors, scammers and identity thieves against the users of social networks like Twitter and Facebook. These aren't just proof-of-concept attacks in controlled conditions - they're full-blooded assaults seen in the wild every day, making money out of real people.

Source: Sophos.com
 

SQL Injection & XSS Bugs Expose The Privacy of Millions of Users of the “Trustable” Yahoo! Services



A company worth billions of dollars which is supposed to have the best programmers, the kind of company that won’t leave any security holes in the system. Yahoo! system that is!

XSS bugs are already yesterday’s news when we talk about Yahoo! They are all over the place on the *.yahoo.com subdomains. But we are not talking here about minor XSS bugs. We mean serious business. We are talking about the kind of security which exposes the privacy of millions of users of the “trustable” Yahoo! services.

We are talking about SQL Injection. One of the worst kinds of security breach.

Here you have one of the pages vulnerable to SQL Injection:

http://in.jagran.yahoo.com/article/index.php?choice=homepage_getnews&state=1&city=87%20union%20all%20select%201,concat_ws(0x203a20,version(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18

What do we find here? Information about the SQL server, its version and the current SQL user:



A list with SQL users and passwords:


And of course, much more information available at the hand of an attacker.

Moreover, this SQL Injection can be used as an XSS, especially for session hijacking:



The sad part is that Yahoo! didn’t adopt any policy whatsoever regarding these kinds of problems. They don't admit they have a problem, nor do they give any credit to those who find them.

Following in the footsteps of other sites, Yahoo! could learn to gain from this. The vast majority of those who find bugs don’t disclose them anymore, precisely because Yahoo! is in total denial. By coming out clean, Yahoo! would also reduce the amount of hacked/stolen accounts and other shameful security breaches like the one we present here.
 

SQL Injection in BT.com (British Telecommunications)



“BT is one of the world’s leading providers of communications solutions and services operating in 170 countries. Its principal activities include networked IT services, local, national and international telecommunications services, and higher-value broadband and internet products and services. BT consists principally of four lines of business: BT Global Services, Openreach, BT Retail and BT Wholesale.”

“The most complete UK broadband, phone lines and mobile products, digital TV, web hosting, online security and networked IT services for home”

The description says it all. One of the giants in IT, mobile, TV and internet services. A giant company with a huge database. You don’t need to be an internet whiz, not even computer literate, to understand the tremendous implications that result from such a database being vulnerable.

A faulty parameter, improperly sanitized, opens the vault to the precious databases. One can gain access to such ordinary things as personal data, login data, and the like. In the first syntax I concatenated the table names as well as the version and the user of the database.



Let's see some of the user login data for different databases (among which, of course, the admins of the respective sections).



As well as the login data and personal data (email, active, lastloggedin, firstname, surname, address, town, postcode, level, randomkey, password) for some of the registered users.

 

Daily Telegraph Hit by SQL Injection Attack



Vulnerabilities on a Daily Telegraph website have been exposed by serial grey-hat hacker Unu.

In a posting on the hackersblog site, Unu outlines a number of SQL injection security weaknesses on the newspaper's website. The entry, which includes screenshots to substantiate it, claims that subscriber email addresses were potentially left open to harvesting as a result of security shortcomings with the site.

More seriously, passwords in clear text were also reportedly exposed.

In a statement, Paul Cheesbrough, chief information officer for Telegraph Media Group, said the attack affected a partner site and not the main Telegraph website.

"The hack interrogated database tables behind one of our partner sites - search.property.telegraph.co.uk - and exposed a weakness in the way that particular site had been coded," Cheesbrough said.

"The problem being highlighted does not affect the main telegraph.co.uk site, as some of our competitors are reporting, but the Telegraph Media Group does take anything that potentially compromises the security of our site and the data that we hold extremely seriously. We immediately took the impacted site down on Friday, and the two-year-old third party code is being re-written to eliminate the issues that hackersblog.org brought to our attention."

The hacker first became famous for scouring the websites of security vendors, such as Kaspersky Lab and BitDefender, for problems. He's since moved on to looking for flaws on more mainstream websites, such as those run by Camelot and the Daily Telegraph.

Trend Micro notes recent research found that three in five (61 per cent) of people use the same password for multiple sites. The compromise of any one site - even if the information it holds isn't particularly sensitive - therefore poses an identity theft risk for those who fail to practice password security.

Here are some of the database names and their version:



Users passwords are in plain view:



Besides numerous interesting tables there is one that contains email addresses of those receiving the newsletter. A real treasure for spammers. In the syntax you can see there are quite a bunch of them. I concatenated the 700.000th email address.