Strange!!!

 

I wonder if the server was using windows server 2008 beta 3, since it was

reported that they was using it also on the Microsoft.com site?

 

Details>>

 

http://computerboom.blogspot.com/2007/07/microsoft-got-hacked.html

corbomite wrote:

> Strange!!!

>

> I wonder if the server was using windows server 2008 beta 3, since it was

> reported that they was using it also on the Microsoft.com site?

>

> Details>>

>

> http://computerboom.blogspot.com/2007/07/microsoft-got-hacked.html

>

>

Why don't the links work on that blog?

Why is the next blog in Arabic?

Never hear of MS using a beta online.

Rather strange.

Got anymore links that work?

Thanks.

Frank

Frank wrote:

> corbomite wrote:

>

>> Strange!!!

>>

>> I wonder if the server was using windows server 2008 beta 3, since it

>> was reported that they was using it also on the Microsoft.com site?

>>

>> Details>>

>>

>> http://computerboom.blogspot.com/2007/07/microsoft-got-hacked.html

>>

> Why don't the links work on that blog?

> Why is the next blog in Arabic?

> Never hear of MS using a beta online.

> Rather strange.

> Got anymore links that work?

> Thanks.

> Frank

 

Here's one: http://www.zone-h.org/content/view/14780/31/

 

--

norm

That blog site is full of it. All their blogs is always completely false

 

--

Peter

 

Please Reply to Newsgroup for the benefit of others

Requests for assistance by email can not and will not be acknowledged.

 

"corbomite" <-> wrote in message news:46885f3f@newsgate.x-privat.org...

> Strange!!!

>

> I wonder if the server was using windows server 2008 beta 3, since it was

> reported that they was using it also on the Microsoft.com site?

>

> Details>>

>

> http://computerboom.blogspot.com/2007/07/microsoft-got-hacked.html

>

>

* Peter Foldes:

> That blog site is full of it. All their blogs is always completely false

 

http://www.infoworld.com/article/07/06/29/Microsoft.uk-SQL-injection-attack_1.html

 

A hacker successfully attacked a Web page within Microsoft's U.K. domain on Wednesday,

resulting in the display of a photograph of a child waving the flag of Saudi Arabia.

 

It was "unfortunate" that the site was vulnerable, said Roger Halbheer, chief security advisor

for Microsoft in Europe, the Middle East and Africa, on Friday.

 

The problem has since been fixed. However, the hack highlights how large software companies

with technical expertise can still prove vulnerable to hackers.

 

The hacker, who posted his name as "rEmOtEr," exploited a programming mistake in the site by

using a technique known as SQL (Structured Query Language) injection to get unauthorized access

to a database, Halbheer said. The site took SQL queries of a particular form, embedded in URLs

(uniform resource locators), and passed them to a database. By embedding a query with an

unexpected form in the requested URL, the hacker prompted the server to return error messages,

Halbheer said.

 

From those error messages, a hacker can get an idea of how the database is structured and

refine a SQL query that the database will process as an instruction to insert, rather than

retrieve, data. Eventually, the hacker found the right combination and inserted a link to an

external Web site into the database.

 

That meant when the normal Web page was called into a browser, the database would download data

from an external link. In this case, it was two photos and a graphic, a screen shot of which is

available on Zone-H.org , which tracks hacked Web sites.

 

There are two ways to avoid this style of attack. First, the database should not be allowed to

return error messages, Halbheer said. Secondly, the Web application should have validated the

URL the hacker entered and rejected ones that should not be processed, he said.

 

If a programmer makes a mistake, "the bad guy can leverage it," Halbheer said.

 

SQL injection attacks are on the rise, overall, since valuable data is held within databases,

said Paul Davie, founder and chief operating officer of Secerno, a security vendor that

develops technology to protect databases from SQL attacks.

 

"I don't think Microsoft are unique in this respect and shouldn't be held up as particularly

slipshod," Davie said. "This could have happened to practically anybody."

 

 

Talkback:

 

Williamh 2007-07-01 11:06:42

Amazing that microsoft with all that cash are too stingy to buy a web vulnerability scanner

from say Acunetix or SPI Dynamics that picks up SQL injection errors automatically. Then again

microsoft were always stingy...

MICHAEL wrote:

>

> * Peter Foldes:

>

>>That blog site is full of it. All their blogs is always completely false

>

>

> http://www.infoworld.com/article/07/06/29/Microsoft.uk-SQL-injection-attack_1.html

>

> A hacker successfully attacked a Web page within Microsoft's U.K. domain on Wednesday,

> resulting in the display of a photograph of a child waving the flag of Saudi Arabia.

>

> It was "unfortunate" that the site was vulnerable, said Roger Halbheer, chief security advisor

> for Microsoft in Europe, the Middle East and Africa, on Friday.

>

> The problem has since been fixed. However, the hack highlights how large software companies

> with technical expertise can still prove vulnerable to hackers.

>

> The hacker, who posted his name as "rEmOtEr," exploited a programming mistake in the site by

> using a technique known as SQL (Structured Query Language) injection to get unauthorized access

> to a database, Halbheer said. The site took SQL queries of a particular form, embedded in URLs

> (uniform resource locators), and passed them to a database. By embedding a query with an

> unexpected form in the requested URL, the hacker prompted the server to return error messages,

> Halbheer said.

>

> From those error messages, a hacker can get an idea of how the database is structured and

> refine a SQL query that the database will process as an instruction to insert, rather than

> retrieve, data. Eventually, the hacker found the right combination and inserted a link to an

> external Web site into the database.

>

> That meant when the normal Web page was called into a browser, the database would download data

> from an external link. In this case, it was two photos and a graphic, a screen shot of which is

> available on Zone-H.org , which tracks hacked Web sites.

>

> There are two ways to avoid this style of attack. First, the database should not be allowed to

> return error messages, Halbheer said. Secondly, the Web application should have validated the

> URL the hacker entered and rejected ones that should not be processed, he said.

>

> If a programmer makes a mistake, "the bad guy can leverage it," Halbheer said.

>

> SQL injection attacks are on the rise, overall, since valuable data is held within databases,

> said Paul Davie, founder and chief operating officer of Secerno, a security vendor that

> develops technology to protect databases from SQL attacks.

>

> "I don't think Microsoft are unique in this respect and shouldn't be held up as particularly

> slipshod," Davie said. "This could have happened to practically anybody."

>

>

> Talkback:

>

> Williamh 2007-07-01 11:06:42

> Amazing that microsoft with all that cash are too stingy to buy a web vulnerability scanner

> from say Acunetix or SPI Dynamics that picks up SQL injection errors automatically. Then again

> microsoft were always stingy...

 

 

Thanks Michael.

Know if there is any truth about the site being on 2008 b3 server?

Just curious.

Frank

Thanks for the info.

 

It's sad to see any site is being hacked, but SQL injection has been

repeatedly warned by security experts in recent months as the top security

threat to the degree that even we, a small company, have done the review and

corrections on web applications and database.

 

Unbelievable.

 

 

"MICHAEL" <u158627_emr2@dslr.net> wrote in message

news:O0IqZqFvHHA.3364@TK2MSFTNGP02.phx.gbl...

>

>

> * Peter Foldes:

>> That blog site is full of it. All their blogs is always completely false

>

> http://www.infoworld.com/article/07/06/29/Microsoft.uk-SQL-injection-attack_1.html

>

> A hacker successfully attacked a Web page within Microsoft's U.K. domain

> on Wednesday,

> resulting in the display of a photograph of a child waving the flag of

> Saudi Arabia.

>

> It was "unfortunate" that the site was vulnerable, said Roger Halbheer,

> chief security advisor

> for Microsoft in Europe, the Middle East and Africa, on Friday.

>

> The problem has since been fixed. However, the hack highlights how large

> software companies

> with technical expertise can still prove vulnerable to hackers.

>

> The hacker, who posted his name as "rEmOtEr," exploited a programming

> mistake in the site by

> using a technique known as SQL (Structured Query Language) injection to

> get unauthorized access

> to a database, Halbheer said. The site took SQL queries of a particular

> form, embedded in URLs

> (uniform resource locators), and passed them to a database. By embedding a

> query with an

> unexpected form in the requested URL, the hacker prompted the server to

> return error messages,

> Halbheer said.

>

> From those error messages, a hacker can get an idea of how the database is

> structured and

> refine a SQL query that the database will process as an instruction to

> insert, rather than

> retrieve, data. Eventually, the hacker found the right combination and

> inserted a link to an

> external Web site into the database.

>

> That meant when the normal Web page was called into a browser, the

> database would download data

> from an external link. In this case, it was two photos and a graphic, a

> screen shot of which is

> available on Zone-H.org , which tracks hacked Web sites.

>

> There are two ways to avoid this style of attack. First, the database

> should not be allowed to

> return error messages, Halbheer said. Secondly, the Web application should

> have validated the

> URL the hacker entered and rejected ones that should not be processed, he

> said.

>

> If a programmer makes a mistake, "the bad guy can leverage it," Halbheer

> said.

>

> SQL injection attacks are on the rise, overall, since valuable data is

> held within databases,

> said Paul Davie, founder and chief operating officer of Secerno, a

> security vendor that

> develops technology to protect databases from SQL attacks.

>

> "I don't think Microsoft are unique in this respect and shouldn't be held

> up as particularly

> slipshod," Davie said. "This could have happened to practically anybody."

>

>

> Talkback:

>

> Williamh 2007-07-01 11:06:42

> Amazing that microsoft with all that cash are too stingy to buy a web

> vulnerability scanner

> from say Acunetix or SPI Dynamics that picks up SQL injection errors

> automatically. Then again

> microsoft were always stingy...

* Frank:

> MICHAEL wrote:

>> * Peter Foldes:

>>

>>> That blog site is full of it. All their blogs is always completely false

>>

>> http://www.infoworld.com/article/07/06/29/Microsoft.uk-SQL-injection-attack_1.html

>>

>> A hacker successfully attacked a Web page within Microsoft's U.K. domain on Wednesday,

>> resulting in the display of a photograph of a child waving the flag of Saudi Arabia.

>>

>> It was "unfortunate" that the site was vulnerable, said Roger Halbheer, chief security advisor

>> for Microsoft in Europe, the Middle East and Africa, on Friday.

>>

>> The problem has since been fixed. However, the hack highlights how large software companies

>> with technical expertise can still prove vulnerable to hackers.

>>

>> The hacker, who posted his name as "rEmOtEr," exploited a programming mistake in the site by

>> using a technique known as SQL (Structured Query Language) injection to get unauthorized access

>> to a database, Halbheer said. The site took SQL queries of a particular form, embedded in URLs

>> (uniform resource locators), and passed them to a database. By embedding a query with an

>> unexpected form in the requested URL, the hacker prompted the server to return error messages,

>> Halbheer said.

>>

>> From those error messages, a hacker can get an idea of how the database is structured and

>> refine a SQL query that the database will process as an instruction to insert, rather than

>> retrieve, data. Eventually, the hacker found the right combination and inserted a link to an

>> external Web site into the database.

>>

>> That meant when the normal Web page was called into a browser, the database would download data

>> from an external link. In this case, it was two photos and a graphic, a screen shot of which is

>> available on Zone-H.org , which tracks hacked Web sites.

>>

>> There are two ways to avoid this style of attack. First, the database should not be allowed to

>> return error messages, Halbheer said. Secondly, the Web application should have validated the

>> URL the hacker entered and rejected ones that should not be processed, he said.

>>

>> If a programmer makes a mistake, "the bad guy can leverage it," Halbheer said.

>>

>> SQL injection attacks are on the rise, overall, since valuable data is held within databases,

>> said Paul Davie, founder and chief operating officer of Secerno, a security vendor that

>> develops technology to protect databases from SQL attacks.

>>

>> "I don't think Microsoft are unique in this respect and shouldn't be held up as particularly

>> slipshod," Davie said. "This could have happened to practically anybody."

>>

>>

>> Talkback:

>>

>> Williamh 2007-07-01 11:06:42

>> Amazing that microsoft with all that cash are too stingy to buy a web vulnerability scanner

>> from say Acunetix or SPI Dynamics that picks up SQL injection errors automatically. Then again

>> microsoft were always stingy...

>

>

> Thanks Michael.

> Know if there is any truth about the site being on 2008 b3 server?

> Just curious.

> Frank

 

I haven't heard which version it was. But, I think Microsoft's rollout

of Server 2008 has been of a limited nature.

 

I'm sure we'll hear about it soon enough. ;-)

 

 

-Michael