Terrible news I just read... a new flaw in the TCP protocol was discovered.
The flaw affecting the Internet's "transmission control protocol," or TCP, was discovered late last year by a computer researcher in Milwaukee, Paul "Tony" Watson, 36, who said he identified a method to reliably trick personal computers and routers into shutting down electronic conversations by resetting the machines remotely.
Routers continually exchange important updates about the most efficient traffic routes between large networks. Continued successful attacks against routers can cause them to go into a stand-by mode, known as "dampening," that can persist for hours.
It's really dangerous! A flaw like this could stop entire networks from operating. Can you imagine the consequences of this? I want to know more about this...
Just this morning I've posted the news that a big site of Telecom Italia was hacked with a SQL Injection attack...
This evening I've received via email a project for a little website from a friend. He asked me to do a little part of the site (pure ASP with an Access Database) and I've decided to help him.
I've opened the .zip of the project, I've checked the code written by him and... horror... I've discovered these files (for a User Login):
Login.htm File:
<form action="Login.asp" method="post">
Username: <input type="text" name="txtUser"><br>
Password: <input type="password" name="txtPassword"><br>
<input type="submit"></form>
Login.asp File:
<%
Dim strUser, strPassword, objRS, strSQL
strUser = Request.Form("txtUser")
strPassword = Request.Form("txtPassword")
strSQL = "SELECT * FROM Utenti " & _
"WHERE Uname='" & strUser & _
"' and UPwd='" & strPassword & "'"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "..."
.........
%>
This code is terrible... it's open to a SQL Injection attack... I understand that a little personal website may never come under attack, but writing good code is really important.
The error in this piece of code is (unfortunately) quite common on lots of little sites I've seen. Here, the user input is concatenated directly into the SQL statement, so an attacker can build a dangerous statement that lets them exploit the site and take control of it.
If an attacker enters the string ' or ''=' in the input fields, the SQL statement actually executed is something like this:
SELECT * FROM Utenti WHERE Uname='' or ''='' and UPwd = '' or ''=''
Do you understand what this query returns? It will return all the records contained in the Utenti table... can you see what an attacker could obtain?
Terrible...
(Obviously, I've changed this code with something more secure.)
Maybe I'll write more about this problem that must be clearly understood.
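One way to harden the Login.asp shown above is to bind the two form values as ADO command parameters, so they never become part of the SQL text. This is an added example, not the replacement code the author mentions; the 50-character limit, the parameter names and the Session("User") key are assumptions, and the connection string stays elided as in the original.

```vbscript
<%
Option Explicit
' ADO constants (values from adovbs.inc), declared here so the page is self-contained
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const MAX_LEN = 50   ' assumed column width for Uname and UPwd

Dim strUser, strPassword, strConn, objCmd, objRS
strUser = Request.Form("txtUser")
strPassword = Request.Form("txtPassword")
strConn = "..."   ' connection string elided, as in the original Login.asp

' Reject empty or over-long input before it reaches ADO, so the login fails
' cleanly instead of erroring on a value larger than the declared parameter size.
If Len(strUser) = 0 Or Len(strUser) > MAX_LEN Or Len(strPassword) > MAX_LEN Then
    Response.Write "Login failed"
    Response.End
End If

Set objCmd = Server.CreateObject("ADODB.Command")
objCmd.ActiveConnection = strConn
objCmd.CommandType = adCmdText
' The SQL text is a constant; the two ? markers are bound by position.
objCmd.CommandText = "SELECT Uname FROM Utenti WHERE Uname = ? AND UPwd = ?"
objCmd.Parameters.Append objCmd.CreateParameter("pUser", adVarWChar, adParamInput, MAX_LEN, strUser)
objCmd.Parameters.Append objCmd.CreateParameter("pPwd", adVarWChar, adParamInput, MAX_LEN, strPassword)

Set objRS = objCmd.Execute
If objRS.EOF Then
    ' Input such as ' or ''=' is compared as a literal string and matches no row.
    Response.Write "Login failed"
Else
    Session("User") = objRS("Uname")   ' hypothetical session key
End If
objRS.Close
Set objRS = Nothing
Set objCmd = Nothing
%>
```

With the values bound as parameters, the quote characters in the input are data rather than SQL syntax, so the WHERE clause keeps the shape written in CommandText.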