Recall back in November last year when we published a history of sql injection attacks, and followed that up with a sql injection tutorial. The purpose of these publications is to increase awareness of sql injection and to familiarize users with securing dynamic web applications. For testing and understanding the attack we have an online sql injection test that allows anyone to quickly test a HTTP GET based URL for a sql injection vulnerability.

It is normal to assume that when implementation of security has a cost associated with it; in the form of development time or code fixing, there will be those who hold off until disaster strikes. However it seems that unless that disaster directly affects the organisation, pushing applications out that have been untested or security reviewed continues to be the normal practice.

Sony has been having all sorts of data breach problems lately — namely a million passwords from the Sony Pictures site, 77 million accounts from the PlayStation Network, and nearly 25 million user accounts from Online Entertainment. I was curious how these recent attacks compared to the largest known data loss incidents, so I headed over to DataLossDB. Sony now holds spots #4 and #10 for largest breaches of all time.

Recently I put together a slide rocket of 10 years of SQL Injection History, however I don’t think my design Fu is quite up there with the flowing data guys.

Largest Data Breaches of All Time – FlowingData.com

This is a good example of current threats that website operators as well as end users should all be aware of, a high profile site gets hacked and poses a signifcant threat to the end user.

Once downloaded and run, the PDF files exploit a vulnerability and make the system download a version of the ever-so-popular ZeuS Trojan.

According to Trend Micro’s Rik Ferguson, the server in question is located in Germany and is hosted by Netdirect – not a stranger to hosting malicious sites.

A few hours ago, TechCrunch tweeted that they “are aware of the (annoying) malware warning about the @TCEurope site”, and that they are trying to fix it.

The awkward phrasing makes me think they thought at the time that there was some kind of mistake and not a legitimate warning. The site hasn’t been taken down in the meantime, and there is no official
update on the situation.

Ferguson warns that the ZeuS variant is currently detected by only 2 out of 43 anti-malware solutions used by VirusTotal, so it’s best to avoid the site altogether until they manage to clean its code.

TechCrunch Europe hacked, serving malware

TEHRAN (FNA)- An Iranian cyber group announced that it has hacked more than 1,000 important governmental websites of the US, Britain and France in protest at their support and financial aids to anti-Iran terrorist groups.

“To commemorate the Day of Campaign against Terrorism and the martyrdom anniversary of (former Iranian President Mohammad Ali) Rajayee and (his Prime Minister Mohammad Javad) Bahonar (by the terrorist Mojahedin-e Khalq Organization), the group rose to protest at the inhumane measures of the supporters of terrorism, with the US
and Britain standing on top of them, through a new method and hacked and changed the pages of more than 1,000 of their websites,” Behrouz Kamalian, Head of the Iranian Ashiyaneh (nest) cyber group, told FNA on Monday.

Iran’s Cyber Army Hacks 1,000 US, British, French Gov’t Websites

[QUOTE]Websites operated by the US Treasury Department are redirecting
visitors to websites that attempt to install malware on their PCs, a
security researcher warned on Monday.

The infection buries an invisible iframe in bep.treas.gov,
moneyfactory.gov, and bep.gov that invokes malicious scripts from
grepad.com, Roger Thompson, chief research officer of AVG
Technologies, told The Register. The code was discovered late Sunday
night and was active at time of writing, about 12 hours later.[/QUOTE]

http://www.theregister.co.uk/2010/05/03/treasury_websites_attack/

From the Matrix:
Trinity: Hello Neo.
Neo:How do you know that name
Trinity: I know a lot about you
Neo: Who are you?
Trinity: My name’s Trinity
Neo: Trinity…THE Trinity? The one who hacked the IRS D-Base?
Trinity: That was a long time ago
Neo: Jesus
Trinity: What?
Neo: I just thought…you were a guy
Trinity: Most guys do

To the horror of Latvia’s political establishment, a mysterious group of computer hackers is threatening to expose the incomes of top officials after stealing millions of government tax records.

The group, calling itself the People’s Army of the Fourth Awakening, claimed to have downloaded more than 7.5 million documents, including VAT receipts and income tax returns, from the State Revenue Service
(SRS) after exploiting a security loophole on its website.

One hacker used the name Neo, in apparent tribute to the hero of The Matrix science-fiction films, in which a vast system for enslaving humanity is exposed. He or she claimed that the documents revealed the
extent of official hypocrisy over belt-tightening reforms introduced as Latvia’s economy reeled under the impact of the global economic crisis. “The purpose of the group is to unmask those who gutted the country,”
Neo told the Latvian television current affairs programme Kas Notiek Latvija in an interview posted on its website.

Neo has been hailed as a digital Robin Hood by disgruntled Latvians after posting details from the documents on the internet to contrast the earnings of top officials with cuts experienced by other workers.

Times Online – Latvia in turmoil after hacker exposes establishment salaries

Based on Ubuntu and well tested this is an outstanding release, and we wish the Offensive Security Team all the best with the 2010.

Download Back-Track now and get cracking with some serious Security Testing. Explore the Offensive-Security, Back-Track websites, and the forums for Guides, Tutorials and FAQ’s.

Real security can only be achieved through awareness, knowledge and some clever tools.

What has happened is that entities within China, that may or may not be the Chinese Government or at least backed by the Chinese Government have been caught accessing Google’s computer systems through unauthorised means. Some articles say some Gmail accounts were hacked, others indicate it may have been more serious, as Google has a back end system that allows them to easily collect all data on individuals from Google services. This is used when supplying information to law enforcement, and the indications are this system may have been accessed.

The most notably thing is that it has been caught and is being talked about in a big way.

Here is a good perspective from the Shadowserver foundation.

Little by little organizations of all types are being broken into and having intellectual property and other information stolen.

Unfortunately we can tell you these scenarios are playing out day in and day out on a massive scale, whether we recognize it or not.

Cyber Espionage Intrusions Run Rampant: Google Compromise is *NOT* atypical

Targeted cyber intrusions are occurring daily at a very staggering level. Industries in the United States are heavily targeted but this truly is a global problem that is facing nearly every nation. These are not your run of the mill cyber attacks. They may have varying levels of sophistication, however, the attacks are often much more advanced than what most users have and will likely ever see. The next closest thing, perhaps on a parallel playing field, is those that are stealing vast amounts of money from banking systems that require two-factor authentication and/or dual approvers to transact. In these cases the attacks often start off extremely broad and are narrowed down.

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100119

Whether we get the full picture or not, the one thing that is certain is that something annoyed Google, who had up until now been censoring results on behalf of the Chinese Government.

Additional Links:
http://www.csmonitor.com/USA/2010/0113/China-cyber-attacks-Google-only-one-of-many-US-targets
http://www.wired.com/threatlevel/2010/01/hack-for-oil/
http://www.ironcove.net/2008/04/when-dragons-attack-tibetan-hacking-review/

Now would be a good time to check your site try our scanner for a quick check against possible HTTP GET injection. Be sure to enter the full url with the additional parameters that will be tested. Ie: www.mysitetotest.com/listproducts.php?cat=3 or www.examplesite.com/article.asp?id=3. Once you have checked this form don’t forget that form based SQL Injection is also very easy to exploit. For testing form based sql injection attacks try the firefox plugin SQL from Security Compass – SQL Injection – Exploit Me – Firefox Plugin

Several high-profile hacks over the past year including those at Heartland, Hannaford Bros., and 7-11, all have had one thing in common: they were launched with a SQL injection attack.

Cross-site scripting (XSS) had been the king of Web attack techniques for some time, and for good reason — the ability to steal user credentials, hijack active Web sessions and take action on behalf of a user without their knowledge is particularly nasty. But the classic SQL injection attack has regained the lead as the most popular of Web attacks. Most of all reported Web breaches the first half of this year, according to the new Web Hacking Incidents Database (WHID) report, were conducted via SQL injection. And SQL injection is one of the most common vulnerabilities in Web applications today.

Dark Reading – SQL Injection Demystified

Researchers at security firm Finjan said on Wednesday that they have uncovered an underground botnet-leasing network where cyber criminals can pay $5 to $100 to install malware on 1,000 PCs for things like stealing data and sending spam.

The Golden Cash network, dubbed “Your money-making machine” on its home page, sells access to botnets comprised of thousands of compromised PCs to cyber criminals for custom malware spreading jobs, according to issue 2 of the Cybercrime Intelligence Report for 2009.

Here’s how it works: a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor
that reports back to the Golden Cash command and control server.

‘Golden Cash’ botnet-leasing network uncovered