Businesses

The History of SQL Injection, the Hack That Will Never Go Away (vice.com)

An anonymous reader writes with this history of SQL injection attacks. From the Motherboard article: "SQL injection (SQLi) is where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It's been used to steal the personal details of World Health Organization employees, grab data from the Wall Street Journal, and hit the sites of US federal agencies. 'It's the most easy way to hack,' the pseudonymous hacker w0rm, who was responsible for the Wall Street Journal hack, told Motherboard. The attack took only a 'few hours.' But, for all its simplicity, as well as its effectiveness at siphoning the digital innards of corporations and governments alike, SQLi is relatively easy to defend against. So why, in 2015, is SQLi still leading to some of the biggest breaches around?"
Security

WordPress Hacks Behind Surging Neutrino EK Traffic

msm1267 writes: More than 2,000 websites running WordPress have been compromised and are responsible for a surge this week in traffic from the Neutrino Exploit Kit. Attacks against sites running older versions of the content management system, 4.2 and earlier, were spotted by Zscaler. Those sites are backdoored and redirect a victim's browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits. The exploits generally target Internet Explorer, Zscaler said, and victims' computers are eventually infected with CryptoWall 3.0 ransomware. This analysis is in line with a similar report from the SANS Institute, which pointed the finger at a particular cybercrime group that had steered away from using the prolific Angler Exploit Kit and moved operations to Neutrino.
Wikipedia

The Bizarre and Complex Story of a Failed Wikipedia Software Extension

metasonix writes: Originally developed by Wikia coders, "Liquid Threads" was intended to be a better comment system for use on MediaWiki talkpages. When applied to Wikipedia, each Wikipedia talkpage or noticeboard would become something resembling a more modernized bulletin board, hopefully easier to use. Unfortunately, the project was renamed "Flow" and taken over by the Wikimedia Foundation's developers. And as documented in this very long Wikipediocracy post, the result was "less than optimal." After seven years and millions of dollars spent, even WMF Director Lila Tretikov admits "As such it is not ready for 'prime time' for us."
Security

Drupal Warns Users of Mass, Automated Attacks On Critical Flaw

Trailrunner7 writes: The maintainers of the Drupal content management system are warning users that any site owners who haven't patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised. The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that's designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account, and there may be no trace of the attack afterward.
Security

Large DDoS Attack Brings WordPress Pingback Abuse Back Into Spotlight

angry tapir writes "Attackers have abused the WordPress pingback feature, which allows sites to cross-reference blog posts, to launch a large-scale, distributed denial-of-service (DDoS) attack, according to researchers from Web security firm Sucuri. The attack involved over 162,000 legitimate WordPress websites being forced to send hundreds of requests per second to a popular WordPress site, preventing access to it for many hours. The attack exploited an issue with the XML-RPC (XML remote procedure call) implementation in WordPress that's used for features like pingback, trackback, remote access from mobile devices and others, and brought back into the spotlight the denial-of-service risks associated with this functionality that have been known since 2007."
SuSE

OpenSUSE Forums Defaced, Email Addresses Leaked

sfcrazy writes "The openSUSE Forums were hijacked yesterday. An alleged Pakistani hacker who goes by the handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin 4.2.1 software SuSE uses to host the forum. vBulletin is a proprietary forum software. The openSUSE team notes that user passwords were not compromised. 'Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password.' It's shocking to learn that SUSE/openSUSE are using the proprietary forum software vBulletin as well as a proprietary single sign-on solution." SuSE was using vBulletin 4.x, which has no known fix for the security hole, and they are leaving the forums offline for now. It seems likely they'll be upgrading to the 5.x series.
Google

Google Bots Doing SQL Injection Attacks

ccguy writes "It seems that while Google could really care less about your site and has no real interest in hacking you, their automated bots can be used to do the heavy lifting for an attacker. In this scenario, the bot was crawling Site A. Site A had a number of links embedded that had the SQLi requests to the target site, Site B. Google Bot then went about its business crawling pages and following links like a good boy, and in the process followed the links on Site A to Site B, and began to inadvertently attack Site B."
Chrome

Google Chrome Is Getting Automatic Blocking of Malicious Downloads

An anonymous reader writes "Google today announced Chrome is getting an automatic download blocking feature for malware. Google has already added the new functionality to the latest build of Chrome Canary. All versions of Chrome will soon automatically block downloads and let you know in a message at the bottom of your screen. You will be able to "Dismiss" the message, although it's not clear if you will be able to stop or revert the block."
Security

PHP.net Compromised

An anonymous reader writes "The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its JavaScript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over at the Hacker News thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged."
Books

Book Review: Getting Started With Drupal Commerce

Michael Ross writes "An online store is one of the most common use cases for a website nowadays. For those web developers and business owners who choose the current version of Drupal as a basis for such an e-commerce project, the canonical solution is Drupal Commerce. There are numerous online resources for learning Commerce, and yet for the longest time no printed book. Now we have Getting Started with Drupal Commerce, written by Richard Jones." Read below for the rest of Michael's review.
Programming

The Most WTF-y Programming Languages

itwbennett writes "A couple of years ago, developer Sammy Larbi undertook a project to identify which languages had the most instances of the string 'WTF' in their GitHub code repositories. At the time, Objective-C topped the list. ITworld's Phil Johnson has updated Larbi's research using GitHub data from the last 21 months, but instead of screen-scraping GitHub search results as Larbi had done, he queried the GitHub Archive for stand-alone instances of 'WTF' in the comments attached to GitHub commits to weed out cases where the string 'WTF' was legitimately used in the code. The three most baffling languages for 2012/13: C++, Lua, and Scala. Objective-C comes in at #16."
The Almighty Buck

Crowdfunding Platform For Drupal Development Launches

angry tapir writes "A team of developers has launched a new crowdfunding platform — Drupalfund.us — that's designed to help accelerate development work on the open-source Drupal CMS, as well as potentially fund new training material and other projects of interest to community members. I had a long-ish chat to one of the co-founders about the goals of the platform and how crowdfunding can be used to push forward open source development."
Security

Drupal.org User Accounts Compromised

An anonymous reader writes "The Drupal.org team released a bulletin this evening notifying users of a breach in their infrastructure. From the bulletin: 'The Drupal.org Security Team and Infrastructure Team has discovered unauthorized access to account information on Drupal.org and groups.drupal.org. This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords... All Drupal.org passwords are both hashed and salted, although some older passwords on some subsites were not salted.' Users are encouraged to update their Drupal.org passwords and the passwords of any accounts that could be linked via the compromised information."
Open Source

Drupal's Creator Aims For World Domination

angry tapir writes "Open-source content management system Drupal has come a long way since it was initially released in 2001. Drupal now runs 2% of the world's websites — but Drupal's creator Dries Buytaert thinks that this could easily grow to 10%. I caught up with Dries to talk about Drupal's evolution from a pure CMS to a Web platform, cracking the enterprise market, and the upcoming release of Drupal 8, which features significant architectural changes — incorporating elements of the Symfony2 Web framework to replace Drupal's aging architecture."