100,000 MySQL injection attacks in a few days

Recently my site has been hit with huge numbers of injection attacks. Right now, I trap them and return a static page.

Here’s what my URL looks like:


/products/product.php?id=1

This is what an attack looks like:


/products/product.php?d=-3000%27%20IN%20BOOLEAN%20MODE%29%20
UNION%20ALL%20SELECT%2035%2C35%2C35%2C35%2C35%2C35%2C35%2C35
%2C35%2C35%2C35%2C35%2C35%2C%27qopjq%27%7C%7C%27ijiJvkyBhO%27
%7C%7C%27qhwnq%27%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35
%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35
%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35

I know for sure that this isn’t just a bad link or fat-fingered typing, so I don’t want to send them to an overview page. I also don’t want to use any resources on my site delivering a ‘missing’ page.

Based on a couple of comments on Stackoverflow, I looked up how to return ‘page not found’. This Stackoverflow answer by icktoofay suggests sending a 404 status and then calling die(): the bot thinks that there isn’t a page and might even go away, and no resources are used to render a page-not-found message.

Here’s what mostly works.


// Send the 404 status before any output has been written, then stop;
// nothing is rendered for the bot, so no resources go into a ‘missing’ page.
header("HTTP/1.0 404 Not Found");
die();

I still get attempts, but they usually only try 20 or so times and then they go away for a few days.
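To make the trap concrete, here is an added example in Python rather than the site’s PHP; it is not code from this post. It assumes an in-memory SQLite table as a stand-in for the MySQL products table, constructed sample rows, and constructed request URLs shaped like the ones above. The decision to answer with an empty 404 rests on the id failing a strict integer check, not on spotting SQL keywords; the keyword match only labels the log line so the probes can be counted.

```python
"""Validate the product id, answer injection probes with an empty 404, and
query the database with a bound parameter. Sample data and request lines
are constructed for this example; the table is an in-memory stand-in."""
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed stand-in for the site's MySQL products table.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
_db.executemany("INSERT INTO products VALUES (?, ?)",
                [(1, "Widget"), (2, "Gadget")])

# The only shape a legitimate id ever has on this site: a positive integer
# with no leading zero and at most ten digits.
_ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")

# Markers of an obvious SQL injection probe. Used for log labelling only;
# rejection is decided by the id format above, not by this list.
_SQLI_MARKERS = re.compile(r"\b(union|select|boolean mode)\b|'", re.IGNORECASE)


def parse_product_id(url: str):
    """Return the id as an int when it is well-formed, else None.
    A missing, repeated, or non-integer id all count as malformed."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("id")
    if not values or len(values) != 1 or not _ID_RE.match(values[0]):
        return None
    return int(values[0])


def handle(url: str):
    """Return (status, body, log_line). Malformed ids get a bodyless 404,
    mirroring header("HTTP/1.0 404 Not Found"); die(); in the post."""
    pid = parse_product_id(url)
    if pid is None:
        raw = unquote_plus(urlsplit(url).query)
        kind = "sqli-probe" if _SQLI_MARKERS.search(raw) else "bad-id"
        # Empty body: nothing is rendered, so no page-building work is done.
        return "404 Not Found", b"", f"{kind} {raw[:60]!r}"
    # Parameter binding: the id is never spliced into the SQL text.
    row = _db.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
    if row is None:
        return "404 Not Found", b"", f"unknown-id {pid}"
    return "200 OK", row[0].encode(), f"ok {pid}"


if __name__ == "__main__":
    # Constructed requests: one legitimate, one shaped like the probe above.
    for req in ("/products/product.php?id=1",
                "/products/product.php?id=-3000%27%20IN%20BOOLEAN%20MODE%29%20"
                "UNION%20ALL%20SELECT%2035%2C35"):
        status, body, log = handle(req)
        print(status, body, log)
```

Counting the `sqli-probe` log lines per source address over time gives the same “20 tries then gone for a few days” picture the post describes, without serving anything to the bot.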

Reason #42 why you don’t want to pay me by the hour.

My mother-in-law is coming to stay for a while and she has trouble with steps. We put grab bars by all the places she has trouble with—the tub, the two steps up into the living room, the steps up from the garage, and on the stairs. We’re getting quite good at installing them securely.

Deck Stair Rail

So I figured, how hard could it be to install a rail up to the deck? It wasn’t particularly hard, but it took 11 hours. Though to be fair, about an hour of that time was googling, talking to people about how to do it, and seeing how they installed a rail at the nearby hardware store.

In the end, it is very secure—no wobble at all. The posts are just about perfectly plumb in both directions and the top rail doesn’t wobble.

I think I could do the other side in a couple of hours. The first problem I ran into was that I couldn’t get the top post to sit on the step. Then it occurred to me that they had sloped the step just a tad to let the water flow off. Several iterations on the chop saw and I had it sitting flush on the step.

The next problem was tacking the rails up so that I could cut the tops. I ended up getting some 5 inch nails so that I could keep the posts in place while I marked the angle for the top rail. I had pre-drilled the holes, but none of my drill bits were 4″ long so they wouldn’t go all the way through the post. I ended up using the lag bolts to go through the post, then drilling a pilot hole where they dimpled the wood.

The angle for the rail ended up being 40° so it was easy to cut on the chop saw. There is an anchor piece under the rail that also has the same angle for each end.

I made the anchor piece and the top rail out of scrap redwood from an old deck. The surface was pitted and cracked, so I used the table saw to plane the edges. I tried to plane the top of the rail, but the riving knife in the saw kept the board from going through. A belt sander worked to smooth off the top and bottom. I rounded the edges with a router for a better grip.

Password Security

A couple of recent posts on identity theft, card readers on gas pumps, and break-ins to the computer systems of large companies have prompted me to finish writing up my thoughts on how you can increase the security of your credit cards and on-line transactions.

Summary for those who don’t have time to read the whole thing. Crackers are not targeting you. They are looking for the low-hanging fruit and it’s not that hard to make it not worth their time to mess with your accounts.

1. Change your password on your email and all bank accounts, brokerage, phone plans, etc. to have at least 13 characters—upper, lowercase, at least a few numbers, and a few special characters.

2. Use a different email address for your financial accounts than you use for general email.

3. Do not ever re-use the same password. It’s not as hard as you might think to have a different password for each site. For example, I have a generic password for sites that don’t have any financial information and I just prefix it with the first two letters of the site. Since lots of sites have two word site names, I use the first letter of each word. So BeachTalk is BTbazmarle! The ‘word’ in the middle isn’t a dictionary word (or words) or something that pops up on Google. Make the password 9 letters or more.

Here’s a simplified version of what crackers are doing. Crackers sometimes break into sites and steal the entire password file. If the site has even rudimentary security the passwords are encrypted—but surprisingly enough not all sites do this. But even if they are encrypted, computers are fast enough now that they can compare the encrypted passwords to a ‘rainbow table’ of encrypted passwords and decrypt them. Basically, they can compare the password to all possible combinations of letters, numbers, and symbols. At the moment rainbow tables are easy to construct for 8 character passwords. It’s basically impossible to construct rainbow tables for 13 characters. Longer passwords are still subject to dictionary attacks, so you don’t want to make a password by combining two dictionary words.

The first thing they’ll do when they get the passwords is try to use them to log in to banks, Amazon, Best Buy, etc. Many people use the same email and password for all their logins, so the crackers get a lot of logins for places people care about from small sites that aren’t secure. My server gets thousands of break-in attempts every day and I don’t have anything worth stealing. I can’t even imagine how many attempts sites with millions of users get.

Unless you are someone famous, you don’t have to worry about using things that you know as your password. So you can use the initials of your family for the first four letters, JMJD, then append one or two made-up words that you can remember—maybe you fly a TSIO Bonanza, tsiobonan, your street address is 874, and the special characters corresponding to your birth year are %&. So your easy-to-remember password is JMJDtsiobonan874%&.
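Here is an added Python example, not code from this post, that checks a password against the rules above and puts rough numbers on the rainbow-table and dictionary-attack reasoning. The guess rate is an assumed constant (ten billion guesses per second against a fast hash), the 94-symbol alphabet is upper, lower, digits and the printable ASCII specials, and the 100,000-word dictionary size is an assumption; change either and the ratios still make the point.

```python
"""Check a password against the post's rules and estimate how long a
brute-force or two-dictionary-word search takes. Guess rate and
dictionary size are assumed figures, not measurements."""
import string

# Assumed attacker capability: 1e10 guesses/second against a fast, unsalted hash.
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Upper, lower, digits and the 32 printable ASCII specials: 94 symbols.
ALPHABET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)


def check_policy(password: str, min_len: int = 13) -> list:
    """Return the names of the post's rules that the password fails.
    min_len=13 is the post's figure for bank and email accounts; the post
    allows 9 for sites that hold no financial information."""
    failures = []
    if len(password) < min_len:
        failures.append("length")
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("uppercase")
    if not any(c in string.ascii_lowercase for c in password):
        failures.append("lowercase")
    if not any(c in string.digits for c in password):
        failures.append("digit")
    if not any(c in string.punctuation for c in password):
        failures.append("special")
    return failures


def keyspace(length: int) -> int:
    """Number of candidates a full table or brute force must cover for
    `length` symbols drawn from the 94-symbol alphabet."""
    return ALPHABET_SIZE ** length


def two_word_space(wordlist_size: int) -> int:
    """Candidates for two dictionary words glued together: the attacker
    only has to try wordlist_size squared combinations."""
    return wordlist_size ** 2


def years_to_exhaust(candidates: int) -> float:
    """Wall-clock years to try every candidate at GUESSES_PER_SECOND."""
    return candidates / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Sample passwords: the post's two examples plus a two-word one.
    for pw in ("BTbazmarle!", "JMJDtsiobonan874%&", "correcthorse"):
        print(f"{pw!r:24} fails: {check_policy(pw) or 'none'}")
    for n in (8, 13):
        print(f"{n} random symbols: {keyspace(n):.2e} candidates, "
              f"{years_to_exhaust(keyspace(n)):.3g} years to exhaust")
    print("two words from a 100,000-word list: "
          f"{years_to_exhaust(two_word_space(100_000)):.3g} years")
```

Run with a 9-character minimum to check the lighter rule the post uses for non-financial sites. The two-word figure is the point of the last sentence in the rainbow-table paragraph: twelve lowercase letters look long, but when they are two common words the search space is smaller than that of eight random symbols.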

If you use a laptop, don’t let the computer remember your passwords for financial sites. You should write them down, but don’t keep them in your wallet.

Now, here’s why you want a separate email address for your financial accounts. I have a different one for each of my accounts. If I get an email sent to john@LF about my bank account being overdrawn, or a shipment having been made, I know it’s a phishing attack. If I get an email to BofAJohn@LF then I am fairly confident that it’s legit. But that’s not the main reason I use a different email. Most sites will let you change your password if you have forgotten it by requesting a new one by email. Once someone has your email address and can log in to your account, they’ll start requesting a password reset everywhere they can think of. Banks are getting better at requiring another authentication factor, like your favorite candy, but not every site does this. If your bank has an email address that you only use for them, crackers won’t be able to reset the password.

Spammers will pay for cracked accounts. I’ve gotten spam from people who have had their Yahoo, Hotmail, or Facebook accounts hacked. Outright thieves will pay for other accounts. Cracked iTunes accounts are worth $8, AT&T and Verizon accounts are worth $4 and Twitter and Facebook are worth $2.50.

These techniques won’t stop the NSA, Rupert Murdoch, or someone who is targeting you specifically, but will make it less likely that some random cracker will get your info.

Developing Apps for iOS

Recently several high-profile developers and teams shared their lists of tools that helped them make apps for iPhone and iPad. I’m not as experienced with app development as they are, but I thought it might be useful for some new developers to see what I use to make my apps.

Obviously I use Xcode extensively for writing and compiling code. In a previous article I discussed how I turned on most of the compiler options so that my code is more robust. I’m still not fluent in ‘find and replace’ operations and Xcode crashes on me when I try to duplicate files, so I use BBEdit a lot for tweaking the code. I’ll take existing .m and .h files, duplicate them in the Finder, and then use BBEdit to make global changes so that the new method name is changed everywhere in the file. I also use BBEdit to edit the .sql files that contain my data. Which brings me to the next most important program I use.

Most of the apps that I wrote are based on existing CDs or web pages. We used Filemaker Pro when we made the wordlists for the original CDs but we’ve switched to a web-based editing format instead. We have a bunch of PHP scripts that edit data in MySQL databases. It allows distributed editing of the content and we have a script that takes the data from MySQL and writes it out to an Xcode readable .sql file. We use a Firefox plug-in, SQLite Manager to verify the SQLite files that our scripts produce and occasionally we edit them as well.

Our graphic designer likes Flash so we use an older version to make the icons and graphics in the game. All of the photos were originally edited in Photoshop and we use it occasionally if we need to adjust the photos so they look better on devices. Because we have hundreds or thousands of images in our apps, we turned off automatic compression in the compiler and use ImageOptim to reduce the file size of the images and graphics. It makes a significant difference in the app size as I discussed in this article. I use Acorn to do quick edits to icons and to make placeholders. I had the free version but upgraded when they had a sale. I don’t do much in the way of photo editing, but if I did I’d use Graphic Converter. It has tons of filters and features for massaging photos and is only $40.

We do a lot of moving files back and forth from the server to the desktop and use Cyberduck for SFTP transfer. We used to have our own server but now we use a VPS hosted at Linode and are very happy with it—not to mention the fact that it costs $25/month (including backups) rather than $200.

We have a bunch of bash scripts for renaming sound files and Flash file exports and use Renamer 4 to rename files.

Since almost all of our apps rely extensively on sounds, we spent a lot of time in SoundStudio recording, cutting, and cleaning up the sounds. Audacity has matured enough that we use it on machines that we don’t have a SoundStudio license for or when we hire extra people to do massive amounts of sound cutting. We use a simple bash script to convert the files from .aiff to .m4a format.

From time to time we need to use formatted HTML in our apps. For example, we might want to highlight the target word in a sentence. We’ll export the sentences from the database and use Bean to color the target word red. Then export the text to HTML, clean up in BBEdit, and import to MySQL.

The import, export, and editing of the database is done with PHPMyAdmin and occasionally command line imports.

Unlike other teams, we don’t really need much communication. The little communication we do is by email and occasional in-person meetings.

I keep track of what needs to be done in a simple list in Notes.

That’s about it. I just bought a Mac Mini for around $1,000 since my laptop won’t run Mountain Lion. Our total investment in software is $99 per year for the Xcode developer license and $25/month for the server. I’ve been using BBEdit forever so I don’t know how much I’ve paid for it, but a new copy is $49. You can get a free copy of TextWrangler from them that does most of what BBEdit does. Most of the rest of the programs that we use are either free or cheap. We’ve donated a couple hundred dollars to Cyberduck and Audacity since they are so incredibly useful. We have old versions of Photoshop and Flash, but if you were starting from scratch there are lots of replacements that are inexpensive. Acorn and Pixelmator work just as well as Photoshop for most of our graphics. If you are on a budget, you can easily get started on app development for less than $1,000. But even if you have money to burn, you don’t need to spend more than $2,000 to get all the tools you need.