An email was sent out earlier today on the Full-Disclosure mailing list, detailing the compromise of numerous MySQL websites along with portions of their database containing usernames and passwords.
MySQL offers database software and services for businesses at an enterprise level as well as services for online retailers, web forums and even governments. The vulnerability for the attack, completed using blind SQL injection and targeted servers including MySQL.com, MySQL.fr, MySQL.de and MySQL.it, was initially found by "TinKode" and "Ne0h" of Slacker.Ro (according to their pastebin.com/BayvYdcP dump of the stolen credentials) but published by "Jackh4x0r".
The stolen database contain both member and employee email addresses and credentials, as well as tables with customer and partner information and internal network details. Hashes from the database have been posted, with some having been already cracked.
A submission to XSSed.com also details an XSS (Cross Site Scripting) vulnerability affecting MySQL.com that may have provided a secondary entry point for compromising visitors or employees with the organization since early January of 2011.
This is definitely a shame for the folks behind MySQL since they were bought by Sun and later on by Oracle (through the Sun acquisition). MySQL is used by millions of users for small and medium sized databases, including by the popular blogging software WordPress.
The email sent to Full Disclosure lists out all the databases, tables and even some password hashes for the users at MySQL.com. There has been no response from MySQL on this issue yet. We have contacted them for a comment and will update this post once more information becomes available.
More updates coming soonâ€¦.
Update: This hack also compromised the database at Sun.com, more info on this at http://tinkode27.baywords.com/
Last year, Operation b49 announced a large win by taking down the botnet Waledec. This year, the Microsoft Digital Crimes Unit (DCU) got more confident by taking down the Rustock botnet in a major operation b107.
The botnet has been involved in fake email activity amounting to billions per day. The emails included lottery scams and dangerous prescription drugs. All these activities were controlled with a million computers under the control of this botnet.
The technet blog announcing this takedown has written,
This operation, known as Operation b107, is the second high-profile takedown in Microsoft’s joint effort between DCU, Microsoft Malware Protection Center and Trustworthy Computing known as Project MARS (Microsoft Active Response for Security) to disrupt botnets and begin to undo the damage the botnets have caused by helping victims regain control of their infected computers.
Rustock was one of the largest operational botnets with a capacity of sending 30-billion spam emails every day. A single Rustock infected computer sends out nearly 8000 emails in an hour and the emails being related to pharmaceutical drugs, the botnet poses a serious risk to the healthcare industry.
The operations of a botnet are focused, though not limited to a single task. It can be modified to perform an array of activities ranging from password thefts to launching DDoS attacks.
All our readers are advised to stay alert on botnets, use good firewalls in conjuncture with antivirus software and keep track of the network activity of their computers.
A new worm has spread on Twitter and is spreading like wildfire. Users are spreading messages saying "Have you heard of HCG diet? AMAZING AND IT WORKS, I lost 2lbs in the last 3 days [link redacted]" to their friends.
This is a spam message so please do not click on the message. A quick Twitter search shows that an number of people have been affected by this and the number of updates that are coming through are astonishing.
First of all don’t click on this link or you might just spread the work yourself. Second, tell your friends who have posted this update to delete the message and reset their passwords if possible.
Update: The website in question is a landing page for some sort of dietary medicine. However, the page has scam written all over it so don’t click on anything. I am trying to investigate on how this worm is spreading and will update this post shortly with more information.
Update 2: If resetting your password does not help, it might be because of an app that has been added to your account. Learn more about revoking permissions for Twitter apps.
More to comeâ€¦
Back in January, I had spotted a new feature in Twitter which allowed users to browse using HTTPS. However, the feature was quickly removed by Twitter for some reason.
Today, Twitter has officially brought back that feature for everyone and now allow users to switch to HTTPS browsing by making a change to their settings. By default, Twitter will start using the HTTPS protocol for any validations done through them and also in the official Twitter apps for iPhone and iPad.
However, mobile users will have to forcefully load https://mobile.twitter.com to make use of the HTTPS feature. Twitter is working on using HTTPS for mobile users who select the above option automatic in future.
Using HTTPS is a good way to encrypt your data while you browse on the internet and this move is definitely good. Other major providers which provide HTTPS support include Facebook, Gmail and Hotmail.
Earlier in the week, we reported that Internet Explorer (running on Windows 7) and Safari (running on Snow Leopard) had been hacked almost instantaneously on the first day of pwn2own, an annual hackfest. Google’s Chrome browser made it through as the sole participant who had registered to take a crack at Chrome failed to turn up.
The following days of the competition witnessed Firefox web browser, and Android and Windows Phone 7 mobile operating systems survive pwn2own 2011 in a similar manner as contestants either failed to turn up or withdrew.
On the other hand, Apple’s poor show in the competition continued with the legendary Charlie Miller succeeding in bypassing iPhone’s defense by exploiting a bug present in Mobile Safari.
RIM’s Blackberry OS, which was tested next, also fell quite easily. Once again, a flaw in its Webkit based browser was the culprit. The team made up of Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann targeted the browser as unlike RIM’s operating system, WebKit is well documented and well known.
Meanwhile, after examining the vulnerabilities exploited by Stephen Fewer to hack Internet Explorer 8, Microsoft has stated that they have already fixed the concerned vulnerability in Internet Explorer 9. It didn’t however explain why older versions of internet explorer were yet to be patched, and when, if at all, they will be patched. All the exploits used in the competition are properties of TippingPoint ZDI, which passes them on to the concerned vendors, and provides them six months to fix the issue.
History repeated itself, once again, on the first day of pwn2own, an annual hacking competition where hackers try to break through the defense of modern browsers and operating systems. Safari and Internet Explorer were once again successfully exploited by hackers, while Chrome remained unchallenged and undefeated.
Safari, which was the first browser to be challenged, fell within five seconds. The French security firm VUPEN managed to both execute arbitrary code (launch the Calculator), and bypass sandbox protection (write file on the hard disk). The technique used by VUPEN required development of tools from the scratch and took about three weeks to put together. VUPEN’s success is notable because shortly before the contest began, Apple patched as many as 62 vulnerabilities in a massive security update.
Next up was Internet Explorer, which met a similar fate at the hands of Stephen Fewer. Fewer exploited three separate vulnerabilities to execute Calculator and write a file to the disk. Unlike Apple, Microsoft hadn’t even bothered to issue any security updates last week.
The final browser that was supposed to be tested today was Chrome. However, the single contestant who had signed up to take a crack at Chrome didn’t turn up. So Chrome finished the day unchallenged and undefeated. Like Apple, Google had also released a major security update to Chrome in which at least 24 vulnerabilities were patched. It’s likely that the contestant dropped out because the zero-day vulnerability he planned on using was fixed by Google.
Firefox is slated to be challenged tomorrow. Should it fall, Google Chrome will be the last browser standing for the third consecutive year. Opera is not included in the competition as the organisers are of the opinion that its current user base of 53 million is not large enough.
A couple of days earlier, Facebook was hit with a massive Miley Cyrus Sick video Scam. Today I am seeing a new scam going viral where users are clicking on links and posting updates saying “Look what happens when Father catches Daughter on Webcam!”. This Facebook scam is similar to a previous one where an update was posted saying that a Girl Killed Herself After Dad Posted on Wall.
Most of these scams play on the gullibility of users to click on links with cleverly framed text which entice. As always, my advice is to never click on such links at all, even if they are coming from your closest friend.
As for this scam, clicking on the link takes you to a website where you a video is displayed with the message, “Please watch this video only if you are 16 years or older”. As a strong warning, I would ask you to not click on the play button as it will then automatically post a message on your wall and then ask you to fill out a survey through which they will make money.
Please feel free to share this message with your friends and family so that they don’t fall into clicking on the enticing messages.
Recently we gave away a free iPad to a lucky winner as our Christmas gift to our readers. That contest is over so where would you get a free iPad now? Not from those
stupid bots pretty ladies on Twitter who mention you in tweets and tell you that you can win a Free iPad from some site.
First of the Free iPad mentions are a scam and I urge you to report the sender as spam and block them. Secondly most of the free iPad tweets are basically spam. If you are enticed and click on those links, you will be asked to fill up some survey which could lead to tons of email spam or you could potentially just download some virus or malware to your PC.
Some of these links could be as bad as the Facebook scams doing rounds of the internet and you could unwittingly share something on your timeline.
So please don’t click on the links when you see these kind of messages. Anything Free comes with a catch . However, when we say that we are giving away an iPad, it is for real .
Most of the web applications built today rely on user passwords to allow secure access to data. This process has been in practice for a long time, however, passwords can easily be hacked.
Also at times there are vulnerabilities in websites which lead to database hacks allowing exploiters to gain access to user data, including passwords. Many banks today provide a secure login to users where users have to provide a password and a verification code which is usually sent to their mobile numbers. This form of authorization is very secure as users will only be able to login if they have the passwords and their mobile phones.
Google has today introduced a similar 2-step verification process for all the accounts where users can opt-in to securely login using their password and a secure code sent to their mobile phones.
To enable the 2-step verification with your Google account, head over to your Account Settings page and turn on the 2-step verification. The verification setup will guide you through the process and also allow you to setup backup phones so that you can login even when you have lost your current phone.
Once you have setup the 2-step verification process, you will have to first login and will then be sent a code through a message which you will have to enter before you gain access to your account.
The 2-step verification process is a really good more from Google since it will allow users to keep their data safe even when their passwords have been compromised. For users like me who rely on Google for email, contacts and more, this is something that will definitely make using Google more secure.
Although I normally recommend Avira Antivir and Microsoft Security Essentials to anyone looking for a free antivirus, Avast is another option worth considering. In fact, it is one of the most popular free antivirus utilities available in the market, and with good reason. Avast performed quite well in all of Av-comparative’s on-demand and performance tests carried out over the past year.
A couple of days back, Avast Software released the first beta of Avast 6. The biggest draws of the new version are:
- AutoSandbox: Avast Pro already features a sandboxing option that enables users to surf the web and run applications in an isolated environment that can’t affect the rest of the system. In the new version, Avast has gone a step further and added auto-sandboxing, which can automatically run suspicious programs in a sandbox.
- WebRep: WebRep’ is a browser toolbar, which is largely similar to WOT (Web of Trust). It is plugin for Internet Explorer and Firefox that displays the reputation score of the website you are currently browsing based on the feedback collected from the community as well as the expertise of Avast’s researchers.
Avast 6 also adds a SafeZone’ to the premium version, which offers a special virtualized area for sensitive transactions. Script Shield’ and Site Blocking’, which were previously available only in the Pro version, are now included even in Avast Free.
Head over to the forums to download the beta version. However, don’t forget to uninstall any previous version or other antivirus products before installing it. Also keep in mind that unexpected stability and performance issues might be present, since this is the first public beta build.