This topic in Science & Technology is about Mass web attack grows, 520,000 webpages infected.

Apr 26, 2008, 02:12 pm   #1
Jack
formerly Isherwood
Location: San Diego, CA
Posts: 12,999
Mass web attack grows, 520,000 webpages infected

Quote:
The sophisticated mass infection that's injecting attack code into hundreds of thousands of reputable web pages is growing and even infiltrated the website of the Department of Homeland Security.

While so-called SQL injections are nothing new, this latest attack, which we reported earlier, is notable for its ability to infect huge numbers of pages using only a single string of text. At time of writing, Google searches here, here and here showed almost 520,000 pages containing the infection string, though the exact number changes almost constantly.

Other hacked sites include those belonging to the United Nations and the UK Civil Service.

The attack causes infected sites to redirect visitors to destinations that attempt to install malware on vulnerable machines. At time of writing, the malicious payloads attacked vulnerabilities that already have been patched. And in any case all three of the redirection sites were down, possibly because they were unable to handle the demand. But should the attackers get their hands on a newer exploit - say, one targeting a zero-day vulnerability in QuickTime - it would be relatively easy for them to swap out the payload.

One reason the infection has spread so widely is the attackers have managed to find a single attack string that seems to work on tens of thousands of different sites. Most web applications are custom-built for a particular site, so attackers likewise have to custom design attack parameters to exploit weaknesses. Not so here.

"These guys look like they've found a methodology to get a successful SQL injection generically across [many] websites," said Jeremiah Grossman, CTO of WhiteHat Security, which helps companies secure web applications. "That right there is like a skeleton key."

While the number of pages that have been infected is high, not all are able to launch an attack once a user visits them, according to Roger Thompson, chief research officer of anti-virus provider AVG.

"Very often they're on a page but the stuff doesn't actually fire when you get there," he said. "This is not a cunning, premeditated task; it's just a blast. They're just planting the stuff where they can and the result is a lot of pages [that] don't do anything."

But webmasters should not be complacent about removing the injected code from their sites and fixing buggy web apps to make sure more don't spring up.

"It's the cleanup effort that's just going to be monstrous," said Grossman, who said affected companies will have to either remove each overwritten table record one at a time, or revert to a recent backup. "Either way, it's going to take forever."
Department of Homeland Security website hacked! | The Register

Once again we're being reminded of the weaknesses inherent in our growing dependence on computers connected to the internet.


The Forum Rules
Radical Atheist
Heathen Queer
Let's agree to respect each other's views,
no matter how wrong yours may be.
(Ashleigh Brilliant)
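The article above describes two things a site owner has to deal with: a query that pastes request input straight into SQL (the weakness the single attack string exploited), and the cleanup Grossman calls "monstrous", where every overwritten table record has to be found and repaired. The following is an added example, not code from The Register article or from any of the affected sites. It uses Python's built-in sqlite3 module on a constructed in-memory database, and the injected tag it searches for is a constructed placeholder (`malicious.example`), not the real 2008 infection string. It shows the unsafe lookup beside its parameterised fix, and then a sweep that walks every TEXT column of every table, lists the rows carrying an external `<script src=...>` tag, and strips the tag with a bound UPDATE so the cleanup does not have to be done one record at a time by hand.

```python
import re
import sqlite3

# Constructed marker standing in for the injected redirect tag; the real
# string from the 2008 attack is deliberately not reproduced here.
INJECTED_TAG = '<script src="http://malicious.example/redirect.js"></script>'

# Shape of the payload the sweep looks for: any external <script src=...> tag.
SCRIPT_TAG = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\'][^"\']*["\'][^>]*>\s*</script>',
    re.IGNORECASE,
)


def build_sample_db():
    """Constructed in-memory database imitating a site after the mass
    injection: the same tag was appended to every text field reachable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, text TEXT)")
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)", [
        ("Budget approved", "Council approved the budget." + INJECTED_TAG),
        ("Road closure", "Main St closed Monday." + INJECTED_TAG),
        ("Clean article", "Nothing was injected here."),
    ])
    conn.executemany("INSERT INTO comments (author, text) VALUES (?, ?)", [
        ("alice", "Great news!" + INJECTED_TAG),
        ("bob", "ok"),
    ])
    conn.commit()
    return conn


def lookup_unsafe(conn, news_id):
    """The 'before': the request parameter is pasted into the statement, so
    whatever the caller sends becomes part of the SQL itself."""
    return conn.execute("SELECT id FROM news WHERE id = " + news_id).fetchall()


def lookup_safe(conn, news_id):
    """The fix: a bound parameter is only ever compared as a value, never
    parsed as SQL, so the same input simply matches no row."""
    return conn.execute("SELECT id FROM news WHERE id = ?", (news_id,)).fetchall()


def text_columns(conn):
    """Yield (table, primary key column, text column) for every TEXT column
    in the schema, so the sweep needs no per-site list of tables."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        cols = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
        pk = next(c[1] for c in cols if c[5] == 1)
        for c in cols:
            if c[2].upper() == "TEXT":
                yield table, pk, c[1]


def find_injected(conn):
    """Cleanup step 1: list (table, pk, column, row id) for every text value
    that carries an external script tag."""
    hits = []
    for table, pk, col in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT "{pk}", "{col}" FROM "{table}"'):
            if value and SCRIPT_TAG.search(value):
                hits.append((table, pk, col, rowid))
    return hits


def strip_injected(conn):
    """Cleanup step 2: rewrite each hit without the tag, using bound
    parameters for the values. Returns the number of rows repaired."""
    repaired = 0
    for table, pk, col, rowid in find_injected(conn):
        row = conn.execute(
            f'SELECT "{col}" FROM "{table}" WHERE "{pk}" = ?', (rowid,)).fetchone()
        cleaned = SCRIPT_TAG.sub("", row[0])
        conn.execute(
            f'UPDATE "{table}" SET "{col}" = ? WHERE "{pk}" = ?', (cleaned, rowid))
        repaired += 1
    conn.commit()
    return repaired


if __name__ == "__main__":
    db = build_sample_db()
    print("infected rows:", find_injected(db))
    print("repaired:", strip_injected(db))
    print("remaining:", find_injected(db))
```

The sweep only catches the tag shape it was written for; on a real site the pattern should be taken from the actual injected string, and the repaired database still has to be paired with the query fix, otherwise the next pass of the same string re-infects it. A backup taken before the cleanup is the sensible safety net, since the UPDATE is irreversible.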
Apr 27, 2008, 02:41 am   #2
Anmon
BANNED
 
Location: between the good and the bad
Posts: 1,330
If these guys are caught, is there a serious jail sentence attached to what they have done?
Apr 27, 2008, 02:57 am   #3
Jack
formerly Isherwood
Location: San Diego, CA
Posts: 12,999
If the country they are in considers this a crime, yes. But most of these attacks come from countries without cyber-laws, like China and a few European nations.
Apr 27, 2008, 03:25 am   #4
thx1138
superStructure
Posts: 627
We were warned about this in the film "2001 A Space Odyssey" but we did listen then and I don't think we will listen now.
Apr 29, 2008, 12:09 am   #5
Rainbow
Volcanic Erupter
 
Posts: 3,066
Quote:
Quote by: Jack
Department of Homeland Security website hacked! | The Register

Once again we're being reminded of the weaknesses inherent in our growing dependence on computers connected to the internet.
I would say that guys have no clue on devices they interact with and/or operate and/or create hardware/software for.
That is the result of wide-spread hacking all over the internet. I blame both sides:
- computer hardware and software business companies
- personnel handling and/or managing computer devices
In both cases the fundamental factor goes into the same direction:
- money, over quality and/or qualifications and/or skills, etc.
Apr 29, 2008, 12:47 am   #6
Compugasm
Son of X51
Location: San Diego
Posts: 3,639
My last computer consulting job was for a school district. I recommended fixes to SQL injection attacks, and the "higher ups" decided against it. What is really amazing is that they don't know what is wrong with their software to begin with. So, they hire a consultant (me in this case) to explain it, and make recommendations. Then they hold meeting after meeting, producing reams of meeting minutes to make it sound like they know exactly what they're doing.

Ultimately, the meetings are all about why nothing needs to be done. I got paid $5000 and I'd say it was totally pointless, but then again my job isn't on the line for the shoddy software they make. There was probably some internal political struggle that I'm not privy to, and my fee probably bought someone leverage. So good luck to them.


I'd like to thank Charlie Hodge, bringing me scarves and water.