Menu
How to not have your website hacked like Sony's

How to not have your website hacked like Sony's

The U.S. Sony Playstation website is the latest high-profile victim of a hacker attack on business sites that's spreading malware at breakneck pace, says a security vendor. Sophos reported that Sony had suffered an SQL injection attack Wednesday. Malicious code was planted on pages of two popular Playstation games -- SingStar Pop and God of War. The digital security company alerted Sony to the problem, and it was fixed as of early Thursday morning, says Graham Cluley, senior technology consultant with Sophos headquartered in Abingdon, U.K. While the Playstation site is now clean, hundreds of other websites have been compromised by the same attack, he says. Affected sites are wide ranging, says Cluley, "from Brazilian and Chinese government sites to a garden pond supplier in Canada." The SQL injection attack is an old hacker trick that has found new life. Its usage in recent months has soared, as cyber criminals use automated programs to scour the Web for pages and sites vulnerable to such exploits. The attacks have transformed thousands of credible business web pages on sites such as MSNBC into malware-peddling portals. Attacks have ballooned in recent months. There is now a new malware-infected Web page every five seconds, according to Sophos. That's three times the rate of infection compared to last year. Eight out of 10 Web sites suffering from the attack are legitimate business websites. "There's been a spate of attacks being called by a botnet named Asprox," Cluley says. "It's using innocent people's computers to go on the web and find vulnerable targets." An automated attack is to blame for the Sony hack, he adds. It wasn't launched by a person, but an automated program that stumbled upon the code vulnerability on the Playstation pages and took advantage. The attacks don't exploit a specific software vulnerability, but take advantage of poor coding practices, according to a Microsoft Security Advisory. Companies that access and manipulate data in a relational database such as SQL Server from a website are at risk. It comes down to a problem with a web application, says Brian Bourne, president of Toronto-based security analyst firm CMS Consulting Inc. Developers are failing to do proper code checking to prevent the attacks.

"They're not doing input validation," he explains. "They're not looking at it and saying 'hey, this is not regular user input' -- that's the simple version." But web administrators have to shoulder the burden of blame too, Bourne adds. They're responsible for creating a layered security approach to protect against known and yet-to-be-discovered exploits. Here are the tools and tips passed on by Microsoft and Bourne: Detect: Hewlett Packard has developed a free scan that can identify whether a website is susceptible to SQL injection attacks. HP Scrawlr can be downloaded at the HP Security Centre. Test: Toronto-based company Security Compass has a suite of plug-in tools that can be used with the Firefox browser. Web developers have the convenience of looking for SQL injection vulnerabilities with the click of a button. Download SQL Inject-Me. Defend:Scrutinise more carefully the HTTP requests being made by SQL commands on a website. A Microsoft security tool will allow you to put restrictions on what the Internet Information Services will process from the server. It could block harmful requests from ever getting to the web application. Download URLScan Tool 3.0 Beta. Identify: For those using ASP code on their websites, another Microsoft tool can analyse the code and then output a display of the areas that are vulnerable to SQL injection. The tool also comes with documentation that actually tells users how to fix the different problems that could be found in the code analysed. Download the Microsoft Source Code Analyser for SQL Injection at Microsoft Knowledge Base Article 954476.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags international news

Featured

Slideshows

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Show Comments