How to not have your Web site hacked like Sony's
The fake scan that surfers saw when exposed to the hack, graphic courtesy of Sophos.
The most common variety of the hack is a direct insertion of code into a place where a user inputs information. That gives hackers an opportunity to inject SQL commands that are executed blindly by the server.
Video game fans surfing on the Playstation Web site were subjected to a pop-up window that displayed a fake virus scan running, followed by a message that their computer was riddled with viruses and Trojans. The surfer was then offered a fake anti-virus software package for a fee.
Hackers could alter the malicious payload to be even worse, according to Sophos. The attacks are often used to collect personal information in identity theft scams, or to recruit more computers onto a botnet.
SQL injection is an "extremely effective" method of attack that can be easily hidden in the nooks and crannies of Web code, Cluley says. The problem lies with a lack of rigorous checking of code by the administrators affected.
"If they're not doing proper checking, hackers can start to embed and inject code into their database," the consultant explains. "[The database] ends up peppered with small pieces of code calling up third-party Web sites."
Such attacks have become so pervasive that Microsoft responded to the SQL Server user community last week with two free tools and a security advisory to help Web admins safeguard against SQL injection.
Here are the tools and tips passed on by Microsoft and Bourne:
Detect: Hewlett Packard has developed a free scan that can identify whether a Web site is susceptible to SQL injection attacks. HP Scrawlr can be downloaded at the HP Security Center.
Test: Canada-based company Security Compass has a suite of plug-in tools that can be used with the Firefox browser. Web developers have the convenience of looking for SQL injection vulnerabilities with the click of a button. Download SQL Inject-Me.
Defend: Scrutinize more carefully the HTTP requests that carry SQL commands to a Web site. A Microsoft security tool lets you put restrictions on what Internet Information Services will process, so it can block harmful requests before they ever reach the Web application. Download URLScan Tool 3.0 Beta.
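The "proper checking" Cluley refers to above comes down to never letting user input change the structure of a query. The following is an added example (not code from the article or from any of the tools it lists) that puts a vulnerable lookup beside its hardened form against a small constructed SQLite catalogue: the string-spliced version lets a quote character in the input rewrite the WHERE clause and expose an unpublished row, while the bound-parameter version treats the same input as plain text and matches nothing.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory catalogue standing in for a site's product database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE games (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO games (title, public) VALUES (?, ?)",
        [("Racing Pro", 1), ("Puzzle Quest", 1), ("Unannounced Title", 0)],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, user_input: str) -> list:
    # Vulnerable: the user's text is spliced straight into the statement,
    # so a quote character in it ends the literal early and the remainder
    # is parsed as SQL. AND binds tighter than OR, so a trailing tautology
    # turns the visibility check into "(public = 1 AND title = 'x') OR true".
    sql = (
        "SELECT title FROM games WHERE public = 1 AND title = '"
        + user_input
        + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, user_input: str) -> list:
    # Hardened: the value is bound as a parameter. The database driver sends it
    # separately from the statement text, so it can only ever be compared as a
    # value; no character in it can alter the query's structure.
    sql = "SELECT title FROM games WHERE public = 1 AND title = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_input,))]


if __name__ == "__main__":
    db = build_db()
    normal = "Racing Pro"
    crafted = "x' OR '1'='1"  # constructed input that closes the string literal early
    print("unsafe:", search_unsafe(db, normal), search_unsafe(db, crafted))
    print("safe:  ", search_safe(db, normal), search_safe(db, crafted))
```

The same bind-parameter pattern applies to any driver (ADO.NET's SqlParameter, PDO, JDBC PreparedStatement); URLScan-style request filtering is a useful outer layer, but parameterized queries are what removes the bug itself.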