MySQL.com, the official website of the database management system of the same name, was today subjected to an attack whereby hackers used SQL injection exploits to gain access to a complete list of usernames and passwords on the site.

News of the attack surfaced when the attackers posted details of the compromise on the Full Disclosure mailing list, publicly listing the contents of database tables used to store member and employee data, but also a small sample of user logins and password hashes.

Owned by Oracle, MySQL is used by millions of websites to store and deliver information, with some of the most popular online services and platforms including WordPress and Joomla utilising the software.

The attack was achieved using “blind SQL injection”, targeting MySQL.com, MySQL.fr, MySQL.de and MySQL.it, but also two Sun domains.

It appears that the attacks were not due to flaws in the MySQL software itself, but flaws in the implementation of their websites.

After a year of hardcore development, sqlmap 0.9 is out!

Introduction:
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL Injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration testor and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Download: sqlmap-0.9.tar.gz

The entire user database of Groupon’s Indian subsidiary Sosasta.com was accidentally published to the Internet and indexed by Google.

The database includes the e-mail addresses and clear-text passwords of the site’s 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs.

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like “password” and “gmail”.

“A few hours and tweaks later, this database came up,” he said. “I started scrolling, and scrolling and I couldn’t get to the bottom of the file. Then I realised how big it actually was.”

Grzelak contacted Risky.Biz after the Sosasta discovery to seek advice on disclosure. This website contacted the CEO of Groupon, Andrew Mason, who called back personally within 24 hours of initial contact.

The database was removed immediately and the company has launched an internal investigation to find out how it wound up publicly accessible in the first place.

Groupon is notifying all its Sosasta users of the incident and is advising them that the passwords they used on the website are now compromised and cannot be relied upon to secure other accounts.

Source: Risky.Biz

Ubertooth One is a cheap, open-source Bluetooth network sniffer. Unlike Wi-Fi, which has had a wide range of free network monitoring tools for years, Bluetooth has remained pretty closed. Michael Ossman is about to change this, with his Ubertooth Kickstarter project.

The Ubertooth One is a USB plug with an antenna, and a ARM Cortex-M3 processor-based board in-between. Plug it into your computer and you can use it with various wireless monitoring tools like Kismet. The Ubertooth allows you to use Bluetooth in monitoring mode. This “promiscuous” mode makes the radio pass everything that it picks up onto the host computer. Normally, wireless receivers will ignore anything not addressed to them. In promiscuous mode, you can sniff and gather data meant for other devices.

These tools can be used for testing network security, or for hacking. Kismet, for example (and derivatives like the Mac OS X version KisMac) can be used to crack Wi-Fi networks’ passwords.

Until now, Bluetooth monitoring hardware would cost upward of $1,000. Ossman’s device will cost just $100 and, because both the software and hardware are open-source, you can build your own.

Ossman demonstrated the Ubertooth One at the ShmooCon hackers convention on Friday. Future software updates will enable Bluetooth injection and expanded monitoring modes.

More Info:
Project Ubertooth [Sourceforge]

Ubertooth One on Kickstarter [Michael Ossman’s blog

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system.

Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort IDS and the Nessus vulnerability scanner; PacketFence can be used to effectively secure networks – from small to very large heterogeneous networks.

What you can do with PacketFence :

Download: packetfence-2.1.0.tar.gz

When you connect to another computer with this tool, you can remotely use the computer, just like you’d use a local computer.

Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
…….
………..

Once you are connected to a remote system, you can access the drives of that server via Windows shares such as \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.

The infection will create several new files on the system including \windows\system32\sens32.dll and
\windows\offline web pages\cache.txt.

Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.

F-Secure Lab detected Morto components as Backdoor:W32/Morto.A andWorm:W32/Morto.B.

Google’s servers can be used by cyber attackers to launch DDoS attacks, claims Simone “R00T_ATI” Quatrini, a penetration tester for Italian security consulting firm AIR Sicurezza.

Quatrini discovered that two vulnerable pages – /_/sharebox/linkpreview/ and gadgets/proxy? – can be used to request any file type, which Google+ will download and show – even if the attacker isn’t logged into Google+.

By making many such request simultaneously – which he managed to do by using a shell script he’s written – he practically used Google’s bandwidth to orchestrate a small DDoS attack against a server he owns.

He points out that his home bandwidth can’t exceed 6Mbps, and that the use of Google’s server resulted in an output bandwidth of at least 91Mbps.

“The advantage of using Google and make requests through their servers, is to be even more anonymous when you attack some site (TOR+This method); The funny thing is that apache will log Google IPs,” says Quatrini. “But beware: igadgets/proxy? will send your IP in apache log, if you want to attack, you’ll need to use /_/sharebox/linkpreview/.”

He says he has discovered the flaws that allow the attack on August 10 and that he contacted Google’s Security center about it. After 19 days of receiving no reply from Google, he published his findings.