Last time I advertised my property I ended with "SCAMMERS, DON'T BOTHER", and I still got emails from Lagos on where to send the check (advance fee fraud).

Mischa Uppelschoten
VP of Technology
The Banker's Exchange, LLC.
4200 Highlands Parkway SE
Suite A
Smyrna, GA 30082-5198

Phone:    (404) 605-0100 ext. 10
Fax:    (404) 355-7930
Web:    www.BankersX.com
Follow this link for Instant Web Chat:
http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
----------------------- Original Message -----------------------
  
From: "Dean H. Saxe" <d...@fullfrontalnerdity.com>
Date: Mon, 23 Nov 2009 12:13:33 -0800
Subject: Re: [ACFUG Discuss] SQL Injection
  
Especially the bad English wording.  The original ad was lifted directly from my Realtor's postings.  The response to any enquiry was in *really* bad English.

-dhs

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children."  -- John James Audubon




On Nov 23, 2009, at 11:42 AM, shawn gorrell wrote:

My question is what kind of fool would actually believe you'd rent a house like yours for $700? You can hardly get a crappy apartment for $700, let alone a nice, new, big house. The whole thing had red flags all over it. 


From: Dean H. Saxe <d...@fullfrontalnerdity.com>
To: discussion@acfug.org
Sent: Mon, November 23, 2009 2:36:49 PM
Subject: Re: [ACFUG Discuss] SQL Injection

Actually they found my house for sale, then looked at the tax records and created yahoo accounts as Mr. Saxe Dean H. to then try and rent it for $700.  Bastards.

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children."  -- John James Audubon




On Nov 23, 2009, at 11:23 AM, Derrick Peavy wrote:

Dear Mr. Dean Saxe of USA,

LMFAO!

Kindly and with God,

_____________________
Derrick Peavy
404-786-5036

“Innovation distinguishes between a leader and a follower.” -Steve Jobs
_____________________



On Nov 23, 2009, at 1:59 PM, Dean H. Saxe wrote:

You mean like the one who "rented" my house when it was for sale?  At least 2 people lost $1k in that scam.  And one of them showed up at my door ready to take possession of the house the day before I moved out!

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children."  -- John James Audubon




On Nov 23, 2009, at 10:54 AM, shawn gorrell wrote:

To each their own. The plus side of the Nigerian scammer types is they have many more lulz than APNIC or RIPE. 


From: Derrick Peavy <derr...@derrickpeavy.com>
To: discussion@acfug.org
Sent: Mon, November 23, 2009 1:50:40 PM
Subject: Re: [ACFUG Discuss] SQL Injection

That being said....

I still block Afrinic and will continue to do so. Too many past issues with Nigeria. It may be whack-a-mole, but it's effective enough that I no longer have to deal with brute force attacks nearly as often.

I consider it low hanging fruit to knock off some of the subnets that are known to be nasty. Takes 10 minutes and then RONCO - "Set it and Forget it!"

_____________________
Derrick Peavy
404-786-5036

“Innovation distinguishes between a leader and a follower.” -Steve Jobs
_____________________



On Nov 23, 2009, at 11:01 AM, shawn gorrell wrote:

I was just getting ready to say that...

When I first started administering servers I used to get really freaked out by all of the attack traffic and spent a bunch of time blocking IPs at the router. Over time I realized that it was just playing whack-a-mole and was mainly a waste of my time. If you knock them down on one subnet, another will pop up, and your overall attack traffic will be undiminished. All you've done is waste your own time and mental energy. A better approach is to make sure your network, server and applications are as tight as they can be (and validate that regularly), and quit worrying about botnets and script kiddies.


From: Dean H. Saxe <d...@fullfrontalnerdity.com>
To: discussion@acfug.org
Sent: Mon, November 23, 2009 10:55:25 AM
Subject: Re: [ACFUG Discuss] SQL Injection

You miss the point.  Attackers don't just originate from their home countries, they bounce through proxies around the world, including where your intended audience sits.

-dhs

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children."  -- John James Audubon




On Nov 23, 2009, at 7:49 AM, Troy Jones wrote:

I think that would depend on the intended scope and audience of your site or server's sites. For example, does someone in Beijing need to browse for a product that isn't available over the web or sold in any store outside the contiguous U.S.? Or would someone in Ulan Bator need to set up a pick-up laundry service in St. Louis? Of course there would be exceptions but I think it would be worth the small number of legitimate denials to do this.

___________________________________________________________________________________________

Troy Jones  |  Developer/Support Technician  |  Dynapp Inc  |  1-800-830-5192  ext. 603  |  dynapp.com  |  facebook.com/dynapp
 
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Dean H. Saxe
Sent: Friday, November 20, 2009 10:08 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] SQL Injection
 
Yeah sure, you CAN, but it's not the solution to the problem.  On a recent incident response we had attacks originating from Asia, South America and Europe.  Do you plan on blocking them all?
 
-dhs

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children."  -- John James Audubon
 



 
On Nov 20, 2009, at 9:16 AM, Wes Byrd wrote:


You can block subnets.  On a couple of domestic sites, I have even blocked all requests from ALL OF ASIA (or close).  While I know this is a drastic measure…  all SQL Injection attack (and other hack attacks) attempts reduced by 98% with that done.
 
Here is a link that describes how to do this and why:  http://www.parkansky.com/china.htm
 
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Dean H. Saxe
Sent: Friday, November 20, 2009 11:59 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] SQL Injection
 
Blocking IPs is useless, attackers will just use another proxy to change the apparent location of the originating attack.  You can't stop the attempts, you must instead prevent the exploitation of vulnerable code.  This means writing secure code using data validation on all input, data sanitization on output (in this case, parameterized queries using cfqueryparam) and following the principle of least privilege on the database access.
 
-dhs

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children."  -- John James Audubon
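The three controls Dean lists (validate input, bind parameters with cfqueryparam, least privilege on the database login), worked through in one ColdFusion request handler as an added example that is not code from this thread; the datasource name shopdb, the products table and the url.id parameter are assumed placeholders, and encodeForHTML() assumes ColdFusion 10 or later. It also logs rejected requests, which is one answer to Rudi's question about what to do after stopping an attempt.

```cfml
<!--- Added example, not from the thread. Assumed names: datasource "shopdb",
      table "products", request parameter url.id. --->

<!--- 1. Input validation: refuse anything that is not a positive integer
      before it gets anywhere near the database. --->
<cfparam name="url.id" default="">
<cfif NOT isValid("integer", url.id) OR url.id LTE 0>
    <!--- Record the attempt for later log review; the caller gets a plain
          error with no SQL text or stack trace to learn from. --->
    <cflog file="sqli_attempts" type="warning"
           text="Rejected product id '#left(url.id, 200)#' from #cgi.remote_addr#">
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid request.</cfoutput>
    <cfabort>
</cfif>

<!--- VULNERABLE form, kept commented out for contrast: the raw value is
      pasted into the SQL text, so whatever follows the number is executed.
<cfquery name="product" datasource="shopdb">
    SELECT id, name, price FROM products WHERE id = #url.id#
</cfquery>
--->

<!--- 2. Parameterized query: cfqueryparam sends the value as a typed bind
      parameter, so the database never parses it as SQL. --->
<cfquery name="product" datasource="shopdb">
    SELECT id, name, price
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. Least privilege is configured on the database side, not here: the
      login behind "shopdb" should hold SELECT on the tables this page reads
      and nothing else, so a bypass could neither write nor read other data. --->
<cfif product.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput>No such product.</cfoutput>
<cfelse>
    <!--- Output encoding covers the XSS half of the article Rudi links.
          encodeForHTML() needs ColdFusion 10+; HTMLEditFormat() on older servers. --->
    <cfoutput>#encodeForHTML(product.name)#: #dollarFormat(product.price)#</cfoutput>
</cfif>
```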
 




 
On Nov 20, 2009, at 3:47 AM, Rudi Shumpert wrote:



Hey folks,

I saw John's tweet earlier this week about a new wave of SQL Injection (and a link to a great article on it: http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss), and sure enough I'm seeing a huge upswing in attempts.  Over 100 failed attempts last night alone.

We have taken the steps to prevent damage / harm, but I was wondering what folks are doing after they stop the attempt.  What kind of message, if any, do you provide?  Are people checking the logs, and blocking IPs of the worst offenders?  Or something else?

-Rudi
 

------------------------------------------------------------- 
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org/?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink 
-------------------------------------------------------------