They didn't predict that: Astrologers! blamed! after! Yahoo! hack!

Weaknesses in cloud security and third-party code allowed a hacker to compromise Yahoo! systems last month, according to an analysis of the purported breach. In December, an Egyptian nicknamed ViruS_HimA claimed he cracked the web giant's security systems, acquired full access to 12 databases and broke into an unspecified …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters Silver badge

    May I be the first to say that the subheading, this time, takes the cake.

    "The weak link in the Yahoo! attack was not programmed by Yahoo! developers, nor was it even hosted on the Yahoo! servers, and yet the company found itself breached as a result of third-party code,"

    Legislation in force in certain European countries implies that your arse will be hauled in front of the beak for that, and you may be looking at 1 year jail time and fines of up to 125'000 EUR. Pucker up!

  2. Mystic Megabyte

    Is ViruS_HimA tall and dark?

    1. This post has been deleted by its author

  3. Valeyard

    SQL creep

    I hate how SQL has these kinds of features. command shell?!

    My site was compromised a few months back, and the logs showed it was using the outfile command to place a backdoor onto the server. I mean, for fuck's sake, why does SQL even HAVE that command, and why did I have to actively revoke the permissions?

    SQL->database

    That's how simple it should be. Anything else you want should be handled by the scripts you're calling SQL with, imo.

    1. Anonymous Coward

      Re: SQL creep

      "my site was compromised a few months back and the logs should it was using the outfile command to place a backdoor onto the server. I mean for fuck's sake, why does SQL even HAVE that command and why did I have to actively revoke the permissions?"

      Just to avoid confusion... outfile is MySQL, but the article is about MSSQL.

      Anyway, by default, the xp_cmdshell option is disabled on new installs. It can be enabled, usually by running the sp_configure system stored proc. Mind you, only a raving lunatic would do that willingly.

      1. Robert Carnegie Silver badge

        Re: SQL creep

        xp_cmdshell is useful, but is also very misusable. Disallowing its use by the web site account would be wise.

      2. Valeyard

        Re: SQL creep

        Yeah, but I think the problem lies across all flavours. They should only interface with a database to and from a script; giving too much functionality, and setting some of these functions to enabled and fully permissioned by default as some web hosts do, is just opening up unnecessary avenues of attack.
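For readers checking their own MSSQL installs after the xp_cmdshell and "web site account" points above, here is an added T-SQL example (not posted by any commenter) that audits the setting, disables it via sp_configure, and denies execution to an assumed web application user named web_app_user:

```sql
-- Added example, not from the thread. Assumes a database user
-- named web_app_user already exists in master; substitute your own.

-- 1. Audit: value_in_use = 1 means xp_cmdshell is currently enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. The weak state some hosts ship is the result of running
--    sp_configure 'xp_cmdshell', 1. Reverse it: advanced options
--    must be visible before xp_cmdshell can be changed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Defence in depth: even if someone re-enables the option later,
--    the web site's account should not be allowed to execute it.
--    xp_cmdshell lives in master under the dbo schema.
USE master;
DENY EXECUTE ON OBJECT::dbo.xp_cmdshell TO web_app_user;

-- 4. DENY does not bind sysadmin members, who can always run
--    xp_cmdshell; list them so the web login is not among them.
SELECT member.name AS login_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS role_p
  ON rm.role_principal_id = role_p.principal_id
JOIN sys.server_principals AS member
  ON rm.member_principal_id = member.principal_id
WHERE role_p.name = 'sysadmin';
```

Re-run step 1 afterwards and confirm xp_cmdshell reports value_in_use = 0.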

  4. Anonymous Coward

    SQL injection attacks?

    SQL injection attacks are where a client side app can inject unauthorized SQL commands into a server process, someone in security should do something about this ... :)

  5. This post has been deleted by its author

    1. Destroy All Monsters Silver badge

      Re: I tried the following:

      Mafia takes just one "f". Try again.

  6. Cubical Drone

    Haven't these people met little Bobby Tables?

  7. Anonymous Coward

    I hope that 'Imperva' didn't pay much for their branding. Next up - a porn company named Arousa! It's brilliant, yet subtle!

  8. Martin Budden Silver badge

    Where's Eadon?

    This article is like a red rag to a bullshit artist.

    1. hplasm

      Re: Where's Eadon?

      Obvious MS flaw is obvious.

      You don't need Eadon for that.
