As of December 10, 2009 over 132,000 websites have been compromised and are serving up the malicious content.  The attack loads up an Iframe onto the websites via the data returned from the database which eventually leads the user (without there knowledge) to download data from 318x.com which then installats a rootkit-enabled variant of the Buzus backdoor trojan.  The full path of what happens can be found on the link above.

We’ve talked about the securing your website from SQL Injection attacks here, here and here, apparently there are tons of sites out there which haven’t been listening.

Denny

Google has a translation of the article, and the original can be found here.

The power company is question claims that the blackout which hit 18 Brazilian states on Tuesday was not caused by the hackers.  However the timing out the attack and the outage is very suspicious.  This just goes to show that utilities needs to take even more care that other companies to secure there environments to ensure that the services which they provide remain online as peoples live depend on the power staying on.

Based on the results of testing against the sites as reported by Darkreading the standard SQL Injection attack may have been used in this case to attack the site and break in.  One would think that a company as large as a countries power company would be able to have developers which wouldn’t allow SQL Injection attacks.

Denny

His lawyer claimed that he is “extremely remorseful as to what has happened” in a statement to the AP on Thursday.  Personally I think that he’s remorseful that he was caught, not that he swindled and stole, but that’s just me.

As part of the plea dea Gonzalez must forfeit his computers, home, car and cash, in addition to the $1.1 million that federal agents found buried in his parents back yard.  His girl friend, her father and friends also have to turn over to authorities watches and jewelry which Gonzalez gave them as gifts.

Under the terms of his plea deal Gonzalez will be behind bars for 15 to 25 years (reality 7-10 years with good behavior and early release).  His computer usage will be restricted for 5 years post release (which probably means not a whole hell of a lot).  If convicted at trial Gonzalez could have been sentenced to several hundred years, effectively a life sentence.

May he enjoy the next 7 years of his life in club fed.

Denny

Gonzalez, who is a former US Secret Service informant, is already in custody on charges related to the TJ Max break in.  Also charged as two unnamed Russian persons who are suspected of being Gonzalez’s partners in the operation.

Based on information released these attacks do not appear to be the standard “script kiddy attacks” that we as sysadmins are used to dealing with.  These attacks were well thought out and well executed, granting the attackers access to corporate and production networks for months in some cases.

The software, which was custom written for these attacks when tested against a variety of anti-virus and anti-spyware software before the attack was launched.  Additionally it was written to delete all trace of itself in order to avoid detection.

The truly pathetic thing about this is that according to the documents, the attacks all started via SQL Injection attacks.  Which means that they could have been avoided if basic security protocols and procedures were being followed on the websites in question.  These basic security protocols include:

• No dynamic SQL either in stored procedures or from the websites directly.
• If dynamic SQL must be used in stored procedures, use as few actual values from the Website as possible.  (For example if sorting a result set which must be done through dynamic SQL don’t pass in the column name from the website, pass in an ID which means nothing except that the stored procedures knows that 1 = Column2, 2 = Column4, etc.
• Clean the data before you pass it to the database.  This is where the website developers and the DBAs really need to get along.  The database can’t secure it self, the Website has to check each value that is being passed in and ensure that the values won’t harm the database in any way.
• Disable xp_cmdshell as well as anything else that you aren’t using (oh yeah and don’t use xp_cmdshell on SQL Servers that websites have access to).
• Don’t allow the account that the website uses to do anything more than it needs.  This means not using ANY fixed server or fixed database roles.  Just the minimum rights that are possible, in a perfect world this means execute rights to stored procedures only.

If these basic rules had been followed then the hackers probably wouldn’t have been able to get into the system and we wouldn’t have had these problems to begin with.

It also would have helped if these companies were actually following the PCI rules which they are required to follow but apparently weren’t.  If they were then this wouldn’t have been an issue either as they wouldn’t have been storing anything, and everything in flight would have been encrypted and basically worthless.

Denny