tagged w/ SQL
-
Anonymous is developing a new DDoS tool which is said to exploit SQL vulnerabilities to support the group's future campaigns. So far, what they have is something that is platform neutral, leveraging JavaScript and vulnerabilities within SQL to create a devastating impact on the targeted website. Previously, Low Orbit Ion Canon (LOIC) was the go to weapon for Anonymous supporters during various Operations .However, LOIC is also the reason scores of people have been arrested in the last year, so many feel its time is at an end.
According to Developer "RefRef is a revolutionary DoS java site. Basically, by using an SQL and .js vulnerability, you can send a page request packet from your home computer with embedded .js file, because of the vulnerability in the SQL/Javascript engine on MOST websites, the site actually TEMPs the .js file on its own server. So now the .js is in place on the host of the site. Next since you still have the request, it picks up the .js file, and all of the requesting for packets power happens on the server, not the requestee. I send two packets from my iphone, and everything else happens on the server. Basically eats itself apart, because since both are on the server, its all a local connection."
The new tool, called #RefRef, is set to be released in September, according to an Anon promoting it on IRC this afternoon. Developed with JavaScript, the tool is said to use the target site’s own processing power against itself. In the end, the server succumbs to resource exhaustion due to #RefRef’s usage. An attack vector that has existed for some time, resource exhaustion is often skipped over by attackers who favor the brute force of a DDoS attack sourced from bots or tools such as LOIC.
The tool is very effective, a 17-seconds attack from a single machine resulting in a 42-minute outage on Pastebin yesterday. As expected, the Pastebin admins weren't very happy with their platform being used for such tests and tweeted "Please do not test your software on us again."
The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.
This means there are a lot of possible targets out there that will be hit at least once. "This tool only makes you vulnerable if you don't keep your systems patched, perform the basic security, which is how Sony got caught with it's pants down," the RefRef developers said.
The tool works by turning the servers against themselves. It sends malformed SQL queries carrying the payload which in turn forces the servers to exhaust their own resources. However, the tool's GUI does have a field for inputting the refresh interval so it might combine traditional forms of HTTP hammering with the new technique.
Some security experts have been skeptical that the success of Anonymous's DDoS attacks can be explained through LOIC alone. They proposed that some of the group's supporters also have access to botnets, a theory that has partially proven to be correct.
http://www.thehackernews.com/2011/07/refref-denial-of-service-ddos-tool.htmlAnonymous is developing a new DDoS tool which is said to exploit SQL vulnerabilities... more
-
-
This is after I got my Laptop working with Flash,
for a long time it would not work with all types of flash.
it was a nice HoT Day so I went outside after fixing my Laptop.
in this Video you see me chating with my Viewers on Ustream.tv
http://e-tard.tv
http://twitter.e-tard.tvThis is after I got my Laptop working with Flash,
for a long time it would not work... more
-
-
ETARD
-
added this
-
3 years ago
- |
-
Many social media sites are set up so that a participant needs to endorse others in order to gain credibility; however, such endorsements may give the appearance that the company is actually giving the endorsement. Thus, the company has an interest to protect in connection with any social media account used that identifies an employee of the company.Many social media sites are set up so that a participant needs to endorse others in... more
-
-
With the perspective of six years of data breaches, the rise of cyber crime, phishing, identity theft, and information warfare - it seems laughable that the big issue of employees bringing malware infested laptops into the office spawned so many companies.With the perspective of six years of data breaches, the rise of cyber crime, phishing,... more
-
-
Cyber Security Awareness Month is a waste of time, energy, and tax payer money. All of which could be spent on improving security within the Federal government. They are the ones who are getting infected by malware spread by USB devices, or having their email read or their fighter jet designs stolen. They are the ones that cannot articulate a cyber defense strategy well enough to entice someone to take on the top job…Cyber Security Awareness Month is a waste of time, energy, and tax payer money. All of... more
-
-
As sites like Facebook, LinkedIn and Twitter have grown more popular, they have become a hot target for hackers. According to Kaspersky Lab, malicious code distributed via social networking sites is ten times more effective than malware spread via e-mail. Here are the Top 8:As sites like Facebook, LinkedIn and Twitter have grown more popular, they have become... more
-
-
The US Defense Information Systems Agency announced that it is going to released a Request For Information this month. Anyone responding to DISA’s RFI would do well to study the methodology that Barrett Lyon describes using the open source SQUID proxy and caching server. The technique spelled out by Barrett involves putting a bank of high end servers running SQUID in front of the potential targets.The US Defense Information Systems Agency announced that it is going to released a... more
-
-
The idea of having confidential records shopped to competitors and then offered up for sale to the highest bidder would be enough to keep any CIO up at night. Yet, as scary as this scenario is, cyber extortion remains rare. The bigger threat - one that should legitimately keep IT professionals up at night - is on the inside.The idea of having confidential records shopped to competitors and then offered up for... more
-
-
Lexis-Nexis Breach Linked to Crime Family: One of the “old school” tactics that the organized crime figures use is going to the local watering holes and seducing young girls and finding out where they work. The mob’s tactic of dating new employees who work at companies that have access to customer data leads to Litan’s warning, “He’s not after your heart; he’s after your data.”Lexis-Nexis Breach Linked to Crime Family: One of the “old school” tactics... more
-
-
Analyzing an incident when the manufacturer claims that it’s an operator error and the operator claims that it is an application error is one of the most daunting tasks of a security officer. And this is a type of incident that the security officer will be called upon to investigate simply because the management needs an independent observer and has doubts both in the operator as well as the manufacturer. Here is what to do when thrown into the fire…Analyzing an incident when the manufacturer claims that it’s an operator error... more
-
