Stay tuned to networkworld.tv this week as we bring you wall-to-wall coverage of Interop Las Vegas 2008. We've got a number of security experts and vendors slated to appear, so check back all week. Before that though, noted security researcher David Litchfield has found a new way to hack Oracle databases and 500,000 pages have been compromised by a mass SQL injection attacks.
Researcher finds new way to hack Oracle database
Security researcher David Litchfield has released technical details of a new type of attack that could give a hacker access to an Oracle database. Called a lateral SQL injection, the attack could be used to gain database administrator privileges on an Oracle server in order to change or delete data or even install software, Litchfield said in an interview on Thursday. IDG News Service, 04/24/08.
David Litchfield's blog: A New Class of Vulnerability in Oracle: Lateral SQL Injection
**********
Three new updates from Debian:
xulrunner (programming error, code execution)
perl (heap overflow, code execution)
**********
Two new fixes from Mandriva:
OpenOffice.org (heap overflows, code execution)
**********
Three new patches from Gentoo:
**********
Today's malware news:
Some phishing gangs have a new technique. They're using trojan-spy applications. F-Secure blog, 04/25/08.
Huge Web hack attack infects 500,000 pages
Attacks on legitimate Web domains, including some belonging to the United Nations that began earlier this week, have expanded dramatically, security researchers said Friday, with hundreds of thousands of pages hacked by Friday. Computerworld, 04/27/08.
F-Secure: Mass SQL injection
iFrame attacks surge, security firm says
A flood of SQL injection attacks on Microsoft Internet Information Servers are leaving Web pages with malicious iFrames in them, and Panda Security is urging network managers to make sure their Web pages haven't been infected. Network World, 04/24/08.
**********
From the interesting reading department:
Microsoft mislabels Skype as adware
Skype users who have been getting strange error messages from Microsoft's security products over the past week can breathe easy now. It was all a mistake. IDG News Service, 04/23/08.
ISPs' Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses
Seeking to make money from mistyped website names, some of the United States' largest ISPs instead created a massive security hole that allowed hackers to use web addresses owned by eBay, PayPal, Google and Yahoo, and virtually any other large site. Wired, 04/19/08.
China worries hackers will strike during Beijing Olympics
While CNN recently faced distributed denial-of-service attacks from Chinese hackers angry about the television network's coverage of a recent Chinese crackdown in Tibet, Chinese security officials remain worried hackers will strike while the Olympic Games are being held in Beijing. IDG News Service, 04/24/08.
UConn bookstore sells drive holding personal data
University of Connecticut police are investigating how a hard drive containing personal documents and photos from about 10 students, faculty and non-university individuals was accidentally sold last week by the school's bookstore to a student on campus. Computerworld, 04/27/08.
Thieves pilfer backup tape holding 2M medical records
University of Miami officials last week acknowledged that six backup tapes from its medical school that contained more than 2 million medical records was stolen in March from a van that was transporting the data to an off-site facility. Computerworld, 04/26/08.
After Web defacement, university warns of data breach
Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised. IDG News Service, 04/24/08.
Spammers ramp up siege on Google's Blogger via bots
Spammers are using an automated method to create bogus pages on Google's Blogger service, again highlighting the diminishing effectiveness of a security system intended to stop mass account registrations, according to security vendor Websense. IDG News Service, 04/25/08.
He said, she said on Storm botnet destruction:
Researchers 'poison' Storm botnet
A group of German researchers has unveiled the first publicly released research attempting to actively disrupt a peer-to-peer botnet - using as their case study the notorious Storm worm. TechWorld, 04/25/08.
Microsoft didn't crush Storm, counter researchers
Microsoft didn't crush the Storm botnet as it has claimed, rival security researchers argued today. Instead, the criminals responsible for the army of compromised computers diversified last year to avoid attention and expand their business. Computerworld, 04/24/08.
Microsoft: We took out Storm botnet
Microsoft Tuesday took credit for crushing the Storm botnet, saying that the malware search-and-destroy tool it distributes to Windows users disinfected so many bots that the hackers threw in the towel. Computerworld, 04/22/08.