And as is now clear, hackers bearing proof of the pwnage are more than willing to do the talking. But Kaspersky does itself no favors by being so stingy with details of this attack. No doubt, it's been a tough week for Kaspersky, and it sure didn't help that many of the company's employees happened to be in Puerto Rico this weekend for a partner conference.
This was active the entire day yesterday. "Once you find the number of columns in the initial SELECT statement (using ORDER BY injection attacks) you can basically get access to the information_schema database, find out table and column names and then you're home free. Kaspersky Update Utility is portable and includes two ways to run - with the GUI (UpdateUtility-Gui.exe) or command-line (UpdateUtility-Console.exe). The reader, who was able to duplicate the attack Unu laid out here, continued: Kaspersky Update Utility is a freeware app for downloading updates for any installed Kaspersky Lab products. "This was a typical UNION injection attack that enables SELECT statements to be poisoned with information from foreign tables," according to one Reg reader account that was confirmed by Tocsixu. It allowed any Jedi knight who knew the secret passphrase to trick the website into dumping entire tables in its database.
Not so with the SQL injection that visited Kaspersky. Often, the compromise is fairly innocuous and comes in the form of a simple site defacement. With the wave of a hand and a discreetly placed suggestion - in this case SQL database commands buried deep inside a long URL - hackers are able to turn weak-minded websites against themselves. SQL injections are like Jedi mind tricks.
0 kommentar(er)
