Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.

Mass Site Hack Proves no Site is Truly Safe

There has been a lot of coverage of a widespread set of web server attacks (estimated at more than half a million sites) that has been taking place for a number of weeks, using an unfortunately common SQL injection opportunity to take control of back-end databases and of the sites themselves. So much concern and confusion has surrounded what is going on that Microsoft's Security Response Center has released a statement to clarify the nature of the attacks as reported to them. Although a new IIS vulnerability has been disclosed in recent weeks, the attacks are only making use of poor site and database maintenance practices, using SQL injection to exploit sites.

For visitors to an affected site, JavaScript is used to try to download and run malware that then targets a number of commonly used technologies in order to gain full control over the system.

It goes to show that input validation is a critical component of the security picture for a site, and it is a problem that is still not being properly addressed by many sites, including a lot that should know better.
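As an added illustration (not code from the original post), the pattern behind these attacks and its fix: a lookup that concatenates input into the SQL text beside the parameterised version, plus a defensive sweep of stored text for injected script tags. The table, rows and the script URL are constructed for the example; the page gives no payload.

```python
import re
import sqlite3

# Constructed sample data: a tiny product catalogue. The third row simulates a
# record that a stored-script injection has appended to (assumed pattern; the
# script URL is a placeholder, not one from the reported attacks).
ROWS = [
    ("Widget", "A useful widget."),
    ("Gadget", "A shiny gadget."),
    ("Doohickey", 'Spare part.<script src="http://example.invalid/x.js"></script>'),
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, description TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)", ROWS)
    return con

def lookup_vulnerable(con, name):
    # The maintenance failure the post describes: user input spliced into the
    # SQL text, so the input can alter the statement rather than stay data.
    sql = f"SELECT description FROM products WHERE name = '{name}'"
    return [r[0] for r in con.execute(sql)]

def lookup_safe(con, name):
    # Parameterised query: the driver sends the value separately from the
    # statement, so quotes or keywords in it cannot change the query.
    sql = "SELECT description FROM products WHERE name = ?"
    return [r[0] for r in con.execute(sql, (name,))]

SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)

def find_injected_script(con):
    # Sweep stored catalogue text for script tags, which should never appear
    # in product data; returns the rowids so affected records can be reviewed.
    hits = []
    for rowid, text in con.execute("SELECT rowid, description FROM products"):
        if text and SCRIPT_TAG.search(text):
            hits.append(rowid)
    return hits

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "Widget' OR '1'='1"))
    print("safe:", lookup_safe(db, "Widget' OR '1'='1"))
    print("rows with injected script:", find_injected_script(db))
```

The same input that makes the concatenated query return every row returns nothing from the parameterised one, and the sweep flags only the tampered record.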

If anything else is needed to concern site operators, it is research from David Litchfield demonstrating an almost generic attack method against Oracle databases.

In one simple set of attacks, previously trustworthy sites can no longer be considered trustworthy, and it is another blow to services that tout their ability to mark a site as 'Hacker Safe' or otherwise safe for visiting (like SiteAdvisor).

28 April 2008
