Microsoft Got Hacked!

Discussion in 'Windows Vista General Discussion' started by corbomite, Jul 1, 2007.

  1. corbomite

    corbomite Guest

    corbomite, Jul 1, 2007
    #1
    1. Advertisements

  2. corbomite

    Frank Guest

    Why don't the links work on that blog?
    Why is the next blog in Arabic?
    Never hear of MS using a beta online.
    Rather strange.
    Got anymore links that work?
    Thanks.
    Frank
     
    Frank, Jul 2, 2007
    #2
    1. Advertisements

  3. corbomite

    Peter Foldes Guest

    That blog site is full of it. All their blogs is always completely false
     
    Peter Foldes, Jul 2, 2007
    #3
  4. corbomite

    MICHAEL Guest

    * Peter Foldes:
    http://www.infoworld.com/article/07/06/29/Microsoft.uk-SQL-injection-attack_1.html

    A hacker successfully attacked a Web page within Microsoft's U.K. domain on Wednesday,
    resulting in the display of a photograph of a child waving the flag of Saudi Arabia.

    It was "unfortunate" that the site was vulnerable, said Roger Halbheer, chief security advisor
    for Microsoft in Europe, the Middle East and Africa, on Friday.

    The problem has since been fixed. However, the hack highlights how large software companies
    with technical expertise can still prove vulnerable to hackers.

    The hacker, who posted his name as "rEmOtEr," exploited a programming mistake in the site by
    using a technique known as SQL (Structured Query Language) injection to get unauthorized access
    to a database, Halbheer said. The site took SQL queries of a particular form, embedded in URLs
    (uniform resource locators), and passed them to a database. By embedding a query with an
    unexpected form in the requested URL, the hacker prompted the server to return error messages,
    Halbheer said.

    From those error messages, a hacker can get an idea of how the database is structured and
    refine a SQL query that the database will process as an instruction to insert, rather than
    retrieve, data. Eventually, the hacker found the right combination and inserted a link to an
    external Web site into the database.

    That meant when the normal Web page was called into a browser, the database would download data
    from an external link. In this case, it was two photos and a graphic, a screen shot of which is
    available on Zone-H.org , which tracks hacked Web sites.

    There are two ways to avoid this style of attack. First, the database should not be allowed to
    return error messages, Halbheer said. Secondly, the Web application should have validated the
    URL the hacker entered and rejected ones that should not be processed, he said.

    If a programmer makes a mistake, "the bad guy can leverage it," Halbheer said.

    SQL injection attacks are on the rise, overall, since valuable data is held within databases,
    said Paul Davie, founder and chief operating officer of Secerno, a security vendor that
    develops technology to protect databases from SQL attacks.

    "I don't think Microsoft are unique in this respect and shouldn't be held up as particularly
    slipshod," Davie said. "This could have happened to practically anybody."


    Talkback:

    Williamh 2007-07-01 11:06:42
    Amazing that microsoft with all that cash are too stingy to buy a web vulnerability scanner
    from say Acunetix or SPI Dynamics that picks up SQL injection errors automatically. Then again
    microsoft were always stingy...
     
    MICHAEL, Jul 2, 2007
    #4
  5. corbomite

    Frank Guest


    Thanks Michael.
    Know if there is any truth about the site being on 2008 b3 server?
    Just curious.
    Frank
     
    Frank, Jul 2, 2007
    #5
  6. corbomite

    xfile Guest

    Thanks for the info.

    It's sad to see any site is being hacked, but SQL injection has been
    repeatedly warned by security experts in recent months as the top security
    threat to the degree that even we, a small company, have done the review and
    corrections on web applications and database.

    Unbelievable.
     
    xfile, Jul 2, 2007
    #6
  7. corbomite

    MICHAEL Guest

    * Frank:
    I haven't heard which version it was. But, I think Microsoft's rollout
    of Server 2008 has been of a limited nature.

    I'm sure we'll hear about it soon enough. ;-)


    -Michael
     
    MICHAEL, Jul 2, 2007
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.