Microsoft Got Hacked!

  • Thread starter Thread starter corbomite
  • Start date Start date
corbomite wrote:

> Strange!!!
>
> I wonder if the server was using windows server 2008 beta 3, since it was
> reported that they was using it also on the Microsoft.com site?
>
> Details>>
>
> http://computerboom.blogspot.com/2007/07/microsoft-got-hacked.html
>
>
Why don't the links work on that blog?
Why is the next blog in Arabic?
Never hear of MS using a beta online.
Rather strange.
Got anymore links that work?
Thanks.
Frank
 
Frank wrote:
> corbomite wrote:
>
>> Strange!!!
>>
>> I wonder if the server was using windows server 2008 beta 3, since it
>> was reported that they was using it also on the Microsoft.com site?
>>
>> Details>>
>>
>> http://computerboom.blogspot.com/2007/07/microsoft-got-hacked.html
>>
> Why don't the links work on that blog?
> Why is the next blog in Arabic?
> Never hear of MS using a beta online.
> Rather strange.
> Got anymore links that work?
> Thanks.
> Frank

Here's one: http://www.zone-h.org/content/view/14780/31/

--
norm
 
That blog site is full of it. All their blogs is always completely false

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"corbomite" <-> wrote in message news:46885f3f@newsgate.x-privat.org...
> Strange!!!
>
> I wonder if the server was using windows server 2008 beta 3, since it was
> reported that they was using it also on the Microsoft.com site?
>
> Details>>
>
> http://computerboom.blogspot.com/2007/07/microsoft-got-hacked.html
>
>
 
* Peter Foldes:
> That blog site is full of it. All their blogs is always completely false

http://www.infoworld.com/article/07/06/29/Microsoft.uk-SQL-injection-attack_1.html

A hacker successfully attacked a Web page within Microsoft's U.K. domain on Wednesday,
resulting in the display of a photograph of a child waving the flag of Saudi Arabia.

It was "unfortunate" that the site was vulnerable, said Roger Halbheer, chief security advisor
for Microsoft in Europe, the Middle East and Africa, on Friday.

The problem has since been fixed. However, the hack highlights how large software companies
with technical expertise can still prove vulnerable to hackers.

The hacker, who posted his name as "rEmOtEr," exploited a programming mistake in the site by
using a technique known as SQL (Structured Query Language) injection to get unauthorized access
to a database, Halbheer said. The site took SQL queries of a particular form, embedded in URLs
(uniform resource locators), and passed them to a database. By embedding a query with an
unexpected form in the requested URL, the hacker prompted the server to return error messages,
Halbheer said.

From those error messages, a hacker can get an idea of how the database is structured and
refine a SQL query that the database will process as an instruction to insert, rather than
retrieve, data. Eventually, the hacker found the right combination and inserted a link to an
external Web site into the database.

That meant when the normal Web page was called into a browser, the database would download data
from an external link. In this case, it was two photos and a graphic, a screen shot of which is
available on Zone-H.org , which tracks hacked Web sites.

There are two ways to avoid this style of attack. First, the database should not be allowed to
return error messages, Halbheer said. Secondly, the Web application should have validated the
URL the hacker entered and rejected ones that should not be processed, he said.

If a programmer makes a mistake, "the bad guy can leverage it," Halbheer said.

SQL injection attacks are on the rise, overall, since valuable data is held within databases,
said Paul Davie, founder and chief operating officer of Secerno, a security vendor that
develops technology to protect databases from SQL attacks.

"I don't think Microsoft are unique in this respect and shouldn't be held up as particularly
slipshod," Davie said. "This could have happened to practically anybody."


Talkback:

Williamh 2007-07-01 11:06:42
Amazing that microsoft with all that cash are too stingy to buy a web vulnerability scanner
from say Acunetix or SPI Dynamics that picks up SQL injection errors automatically. Then again
microsoft were always stingy...
 
MICHAEL wrote:
>
> * Peter Foldes:
>
>>That blog site is full of it. All their blogs is always completely false
>
>
> http://www.infoworld.com/article/07/06/29/Microsoft.uk-SQL-injection-attack_1.html
>
> A hacker successfully attacked a Web page within Microsoft's U.K. domain on Wednesday,
> resulting in the display of a photograph of a child waving the flag of Saudi Arabia.
>
> It was "unfortunate" that the site was vulnerable, said Roger Halbheer, chief security advisor
> for Microsoft in Europe, the Middle East and Africa, on Friday.
>
> The problem has since been fixed. However, the hack highlights how large software companies
> with technical expertise can still prove vulnerable to hackers.
>
> The hacker, who posted his name as "rEmOtEr," exploited a programming mistake in the site by
> using a technique known as SQL (Structured Query Language) injection to get unauthorized access
> to a database, Halbheer said. The site took SQL queries of a particular form, embedded in URLs
> (uniform resource locators), and passed them to a database. By embedding a query with an
> unexpected form in the requested URL, the hacker prompted the server to return error messages,
> Halbheer said.
>
> From those error messages, a hacker can get an idea of how the database is structured and
> refine a SQL query that the database will process as an instruction to insert, rather than
> retrieve, data. Eventually, the hacker found the right combination and inserted a link to an
> external Web site into the database.
>
> That meant when the normal Web page was called into a browser, the database would download data
> from an external link. In this case, it was two photos and a graphic, a screen shot of which is
> available on Zone-H.org , which tracks hacked Web sites.
>
> There are two ways to avoid this style of attack. First, the database should not be allowed to
> return error messages, Halbheer said. Secondly, the Web application should have validated the
> URL the hacker entered and rejected ones that should not be processed, he said.
>
> If a programmer makes a mistake, "the bad guy can leverage it," Halbheer said.
>
> SQL injection attacks are on the rise, overall, since valuable data is held within databases,
> said Paul Davie, founder and chief operating officer of Secerno, a security vendor that
> develops technology to protect databases from SQL attacks.
>
> "I don't think Microsoft are unique in this respect and shouldn't be held up as particularly
> slipshod," Davie said. "This could have happened to practically anybody."
>
>
> Talkback:
>
> Williamh 2007-07-01 11:06:42
> Amazing that microsoft with all that cash are too stingy to buy a web vulnerability scanner
> from say Acunetix or SPI Dynamics that picks up SQL injection errors automatically. Then again
> microsoft were always stingy...


Thanks Michael.
Know if there is any truth about the site being on 2008 b3 server?
Just curious.
Frank
 
Thanks for the info.

It's sad to see any site is being hacked, but SQL injection has been
repeatedly warned by security experts in recent months as the top security
threat to the degree that even we, a small company, have done the review and
corrections on web applications and database.

Unbelievable.


"MICHAEL" <u158627_emr2@dslr.net> wrote in message
news:O0IqZqFvHHA.3364@TK2MSFTNGP02.phx.gbl...
>
>
> * Peter Foldes:
>> That blog site is full of it. All their blogs is always completely false
>
> http://www.infoworld.com/article/07/06/29/Microsoft.uk-SQL-injection-attack_1.html
>
> A hacker successfully attacked a Web page within Microsoft's U.K. domain
> on Wednesday,
> resulting in the display of a photograph of a child waving the flag of
> Saudi Arabia.
>
> It was "unfortunate" that the site was vulnerable, said Roger Halbheer,
> chief security advisor
> for Microsoft in Europe, the Middle East and Africa, on Friday.
>
> The problem has since been fixed. However, the hack highlights how large
> software companies
> with technical expertise can still prove vulnerable to hackers.
>
> The hacker, who posted his name as "rEmOtEr," exploited a programming
> mistake in the site by
> using a technique known as SQL (Structured Query Language) injection to
> get unauthorized access
> to a database, Halbheer said. The site took SQL queries of a particular
> form, embedded in URLs
> (uniform resource locators), and passed them to a database. By embedding a
> query with an
> unexpected form in the requested URL, the hacker prompted the server to
> return error messages,
> Halbheer said.
>
> From those error messages, a hacker can get an idea of how the database is
> structured and
> refine a SQL query that the database will process as an instruction to
> insert, rather than
> retrieve, data. Eventually, the hacker found the right combination and
> inserted a link to an
> external Web site into the database.
>
> That meant when the normal Web page was called into a browser, the
> database would download data
> from an external link. In this case, it was two photos and a graphic, a
> screen shot of which is
> available on Zone-H.org , which tracks hacked Web sites.
>
> There are two ways to avoid this style of attack. First, the database
> should not be allowed to
> return error messages, Halbheer said. Secondly, the Web application should
> have validated the
> URL the hacker entered and rejected ones that should not be processed, he
> said.
>
> If a programmer makes a mistake, "the bad guy can leverage it," Halbheer
> said.
>
> SQL injection attacks are on the rise, overall, since valuable data is
> held within databases,
> said Paul Davie, founder and chief operating officer of Secerno, a
> security vendor that
> develops technology to protect databases from SQL attacks.
>
> "I don't think Microsoft are unique in this respect and shouldn't be held
> up as particularly
> slipshod," Davie said. "This could have happened to practically anybody."
>
>
> Talkback:
>
> Williamh 2007-07-01 11:06:42
> Amazing that microsoft with all that cash are too stingy to buy a web
> vulnerability scanner
> from say Acunetix or SPI Dynamics that picks up SQL injection errors
> automatically. Then again
> microsoft were always stingy...
 
* Frank:
> MICHAEL wrote:
>> * Peter Foldes:
>>
>>> That blog site is full of it. All their blogs is always completely false
>>
>> http://www.infoworld.com/article/07/06/29/Microsoft.uk-SQL-injection-attack_1.html
>>
>> A hacker successfully attacked a Web page within Microsoft's U.K. domain on Wednesday,
>> resulting in the display of a photograph of a child waving the flag of Saudi Arabia.
>>
>> It was "unfortunate" that the site was vulnerable, said Roger Halbheer, chief security advisor
>> for Microsoft in Europe, the Middle East and Africa, on Friday.
>>
>> The problem has since been fixed. However, the hack highlights how large software companies
>> with technical expertise can still prove vulnerable to hackers.
>>
>> The hacker, who posted his name as "rEmOtEr," exploited a programming mistake in the site by
>> using a technique known as SQL (Structured Query Language) injection to get unauthorized access
>> to a database, Halbheer said. The site took SQL queries of a particular form, embedded in URLs
>> (uniform resource locators), and passed them to a database. By embedding a query with an
>> unexpected form in the requested URL, the hacker prompted the server to return error messages,
>> Halbheer said.
>>
>> From those error messages, a hacker can get an idea of how the database is structured and
>> refine a SQL query that the database will process as an instruction to insert, rather than
>> retrieve, data. Eventually, the hacker found the right combination and inserted a link to an
>> external Web site into the database.
>>
>> That meant when the normal Web page was called into a browser, the database would download data
>> from an external link. In this case, it was two photos and a graphic, a screen shot of which is
>> available on Zone-H.org , which tracks hacked Web sites.
>>
>> There are two ways to avoid this style of attack. First, the database should not be allowed to
>> return error messages, Halbheer said. Secondly, the Web application should have validated the
>> URL the hacker entered and rejected ones that should not be processed, he said.
>>
>> If a programmer makes a mistake, "the bad guy can leverage it," Halbheer said.
>>
>> SQL injection attacks are on the rise, overall, since valuable data is held within databases,
>> said Paul Davie, founder and chief operating officer of Secerno, a security vendor that
>> develops technology to protect databases from SQL attacks.
>>
>> "I don't think Microsoft are unique in this respect and shouldn't be held up as particularly
>> slipshod," Davie said. "This could have happened to practically anybody."
>>
>>
>> Talkback:
>>
>> Williamh 2007-07-01 11:06:42
>> Amazing that microsoft with all that cash are too stingy to buy a web vulnerability scanner
>> from say Acunetix or SPI Dynamics that picks up SQL injection errors automatically. Then again
>> microsoft were always stingy...
>
>
> Thanks Michael.
> Know if there is any truth about the site being on 2008 b3 server?
> Just curious.
> Frank

I haven't heard which version it was. But, I think Microsoft's rollout
of Server 2008 has been of a limited nature.

I'm sure we'll hear about it soon enough. ;-)


-Michael
 
Back
Top