They didn't predict that: Astrologers! blamed! after! Yahoo! hack!

Weaknesses in cloud security and third-party code allowed a hacker to compromise Yahoo! systems last month, according to an analysis of the purported breach. In December, an Egyptian nicknamed ViruS_HimA claimed he cracked the web giant's security systems, acquired full access to 12 databases and broke into an unspecified server …

COMMENTS

This topic is closed for new posts.

May I be the first to say that the subheading, this time, takes the cake.

"The weak link in the Yahoo! attack was not programmed by Yahoo! developers, nor was it even hosted on the Yahoo! servers, and yet the company found itself breached as a result of third-party code,"

Legislation in force in certain European countries implies that your arse will be hauled in front of the beak for that, and you may be looking at 1 year jail time and fines of up to 125'000 EUR. Pucker up!

stranger

Is ViruS_HimA tall and dark?

SQL creep

I hate how SQL has these kinds of features. command shell?!

My site was compromised a few months back and the logs showed it was using the outfile command to place a backdoor onto the server. I mean, for fuck's sake, why does SQL even HAVE that command, and why did I have to actively revoke the permissions?

SQL->database

That's how simple it should be. Anything else you want should be handled by the scripts you're calling SQL with, imo.

Anonymous Coward

Re: SQL creep

"My site was compromised a few months back and the logs showed it was using the outfile command to place a backdoor onto the server. I mean, for fuck's sake, why does SQL even HAVE that command, and why did I have to actively revoke the permissions?"

Just to avoid confusion... outfile is MySQL, but the article is about MSSQL.

Anyway, by default, the xp_cmdshell option is disabled on new installs. It can be enabled, usually by running the sp_configure system stored proc. Mind you, only a raving lunatic would do that willingly.

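The MySQL side of the exchange above, as an added example (it is not code from the article or from any commenter): finding which accounts can use SELECT ... INTO OUTFILE, taking that ability away from the web application's account, and checking where the server is allowed to write at all. The account 'webapp'@'localhost' and the schema shop are hypothetical names chosen for illustration.

```sql
-- Added example, not from the article or the thread. MySQL dialect.
-- 'webapp'@'localhost' and the schema "shop" are hypothetical names.

-- 1. Which accounts hold the global FILE privilege?  SELECT ... INTO OUTFILE
--    and LOAD DATA INFILE both require it.  A web application's account
--    should never appear in this list.
SELECT User, Host
FROM mysql.user
WHERE File_priv = 'Y';

-- 2. Where may the server write files?  An empty value means "anywhere the
--    mysqld OS user can write", which on a typical LAMP box includes the
--    document root, so a dropped .php file becomes a reachable web shell.
--    (The variable is read-only at runtime: set it under [mysqld] in my.cnf,
--    or set it to NULL there to disable import/export entirely, and restart.)
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. Take FILE away from the application account.  FILE is a global
--    privilege, so the revoke must be on *.*, not on the application's schema.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';

-- 4. Leave the account with ordinary data access on its own schema only,
--    then confirm what it is left with.
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'webapp'@'localhost';
SHOW GRANTS FOR 'webapp'@'localhost';

-- 5. Verify from the application's side: reconnect as 'webapp'@'localhost'
--    and try a harmless write to the document root.  After step 3 the
--    server must refuse it with an access-denied error.  (The statement is
--    left commented out because this script is run from the admin account.)
-- SELECT 'probe' INTO OUTFILE '/var/www/html/probe.txt';
```

The list from step 1 is the thing worth putting in a recurring check: FILE is a server-wide privilege, so it does not show up when you only audit the grants on the application's own schema.
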

Re: SQL creep

xp_cmdshell is useful, but is also very misusable. Disallowing its use by the web site account would be wise.

Re: SQL creep

Yeah, but I think the problem lies across all flavours. They should only interface with a database to and from a script; giving them too much functionality and setting some of these functions to enabled and fully permissioned by default, as some webhosts do, is just opening up unnecessary avenues of attack.

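The SQL Server side of the same discussion, as an added example (not code from the article, Imperva or any commenter): checking whether xp_cmdshell is switched on, turning it off, and, as the reply above suggests, making sure the web site's login cannot use it or turn it back on. The login webapp_login, the database WebAppDb and the user webapp_user are hypothetical names.

```sql
-- Added example, not from the article or the thread. T-SQL for SQL Server.
-- webapp_login, WebAppDb and webapp_user are hypothetical names.

-- 1. Is xp_cmdshell enabled right now?  value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Turn it off (the default on a fresh install).  'show advanced options'
--    has to be on before sp_configure will accept the change.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 3. Disabling it is not enough on its own: sp_configure needs the ALTER
--    SETTINGS server permission, which every sysadmin has.  A web login that
--    sits in sysadmin can switch xp_cmdshell straight back on through an
--    injected query, so check for that and remove the membership.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'webapp_login') AS is_sysadmin;  -- 1 = member
IF IS_SRVROLEMEMBER(N'sysadmin', N'webapp_login') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER webapp_login;   -- SQL Server 2012+

-- 4. Give the login only what the application needs: a user in its own
--    database with data access and nothing server-wide.  Without sysadmin
--    and without a user in master, the login has no path to xp_cmdshell.
USE WebAppDb;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'webapp_user')
    CREATE USER webapp_user FOR LOGIN webapp_login;
ALTER ROLE db_datareader ADD MEMBER webapp_user;
ALTER ROLE db_datawriter ADD MEMBER webapp_user;

-- 5. Verify from the application's point of view: impersonate the login and
--    try to call the procedure.  The expected outcome is an error (component
--    turned off, or EXECUTE permission denied), which is caught and printed.
BEGIN TRY
    EXECUTE AS LOGIN = N'webapp_login';
    EXEC master.sys.xp_cmdshell N'whoami';
    REVERT;
    PRINT N'UNEXPECTED: webapp_login can run xp_cmdshell';
END TRY
BEGIN CATCH
    IF ORIGINAL_LOGIN() <> SUSER_SNAME() REVERT;   -- drop impersonation if it was set up
    PRINT N'OK, blocked: ' + ERROR_MESSAGE();
END CATCH;
```

On SQL Server 2008 R2 and earlier the role changes in steps 3 and 4 are done with sp_dropsrvrolemember and sp_addrolemember instead of ALTER SERVER ROLE / ALTER ROLE. Step 3 is the one that matters most: xp_cmdshell being "off" is only a speed bump for a login that is allowed to run sp_configure.
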
Anonymous Coward

SQL injection attacks?

SQL injection attacks are where a client-side app can inject unauthorized SQL commands into a server process. Someone in security should do something about this ... :)

Re: I tried the following:

Mafia takes just one "f". Try again.

Haven't these people met little Bobby Tables?

I hope that 'Imperva' didn't pay much for their branding. Next up - a porn company named Arousa! It's brilliant, yet subtle!

Where's Eadon?

This article is like a red rag to a bullshit artist.

Re: Where's Eadon?

Obvious MS flaw is obvious.

You don't need Eadon for that.
