April 28, 2008 12:38 PM PDT

Security expert: Don't blame Microsoft for mass site defacements

Progress was made Monday in mitigating thousands of SQL-backed Web sites injected with malicious JavaScript code. However, one security expert says we can expect more such attacks in the near future.

A traditional SQL injection attack allows malicious attackers to execute commands on an application's database by smuggling SQL statements into input that the application passes to the database unchecked. "What's different about this latest attack is the size and the level of sophistication," said Jeremiah Grossman, CTO of WhiteHat Security.

On Monday, CNET found a few sites still infected with the latest SQL-injection attack.

In the past, attackers have gone after a small niche of the Internet--say travel sites or sports sites--but with this latest attack, attackers have a generic way to blast the Internet, and they've chosen to attack sites running MS-SQL.

On Friday, Microsoft denied that new vulnerabilities within Internet Information Services are to blame for a rash of Web site defacements. Microsoft insists it's the application developer's responsibility to follow the company's best practices. These include constraining and sanitizing input data, using type-safe SQL parameters for data access, and restricting account permissions in the database.
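The three practices in Microsoft's guidance, placed beside the string-built query pattern that the campaign exploited, as an added example that is not part of the article or of Microsoft's documentation. SQLite stands in for MS SQL (its query_only pragma substitutes for a read-only database login), and the Products table and the tainted input are constructed for the demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed demo schema; SQLite stands in for the MS-SQL back end.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Products (Name) VALUES (?)", [("Widget",), ("Gadget",)])
    return conn

def all_names(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT Name FROM Products ORDER BY Id")]

def lookup_unsafe(conn: sqlite3.Connection, product_id: str) -> None:
    # Vulnerable pattern: the request value is spliced into the SQL text. executescript()
    # mirrors MS SQL's acceptance of stacked statements, so anything after the number runs too.
    conn.executescript("SELECT Name FROM Products WHERE Id = " + product_id)

def lookup_safe(conn: sqlite3.Connection, product_id: str) -> list:
    # 1. Constrain input to the type the column expects; reject everything else.
    if not product_id.isdigit():
        raise ValueError("product id must be a positive integer")
    # 2. Type-safe parameter: the driver binds the value; it is never parsed as SQL.
    cur = conn.execute("SELECT Name FROM Products WHERE Id = ?", (int(product_id),))
    return [r[0] for r in cur.fetchall()]

def restrict_account(conn: sqlite3.Connection) -> None:
    # 3. Least privilege: SQLite has no GRANT, so query_only stands in for a read-only login.
    conn.execute("PRAGMA query_only = 1")

def demo() -> dict:
    # Constructed tainted input: a valid id plus a stacked UPDATE that tags every row.
    tainted = "1; UPDATE Products SET Name = Name || ' [tampered]'"
    out = {}
    db = make_db()
    lookup_unsafe(db, tainted)
    out["after_unsafe"] = all_names(db)       # every row now carries the tag
    db = make_db()
    out["safe_lookup"] = lookup_safe(db, "1") # the tainted string would raise ValueError here
    restrict_account(db)
    try:
        lookup_unsafe(db, tainted)
        out["readonly_blocked"] = False
    except sqlite3.OperationalError:
        out["readonly_blocked"] = True        # even the unsafe code cannot write now
    out["after_readonly"] = all_names(db)     # rows unchanged
    return out

if __name__ == "__main__":
    print(demo())
```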

Grossman agreed it's not Microsoft's fault, and said the attacks could have easily targeted another vendor's software. If users surf to an SQL-injected site, their browser will attempt to download a variety of exploits, not all of which are Microsoft-based. One site from the Shadowserver Foundation lists exploits affecting Real and other vendors alongside various Microsoft Security bulletins.

Grossman said that just turning off JavaScript won't necessarily protect end users from this latest round of attacks, since the attackers can use traditional HTML as well.

"It's said that the attacks never get worse, they only get better," Grossman said. But in terms of the good guys closing the gap with the attackers, he remains optimistic. He said with more diligence and more care, we can protect Web sites from these attacks.

3 comments
Why not blame Microsoft?
by AppleRocks1963 April 28, 2008 8:40 PM PDT
It's certainly a lot more entertaining.
News.com, heal thyself
by alegr April 29, 2008 9:16 AM PDT
The irony is that investor.news.com is also compromised. Cached page with a reference to 1.js can be found at http://209.85.173.104/search?q=cache:n2aGb4qANisJ:investor.news.com/Master_Picks_Track_Record.html%3FGUID%3D4496747%26Page%3DMEDIAVIEWER+1.js+site:news.com&hl=en&ct=clnk&cd=4&gl=us
So, what do we do about it?
by MEE-S31 May 4, 2008 5:14 PM PDT
OK, I think I am getting some traction on the don't-blame-the-victim message, so now what do we do about it? My thought is that MS and McAfee, Avert, all the development houses are working at what they can do as fast as they can. With Microsoft and its secure development lifecycle they are trying to make their software as safe as they can. The AV writers are working overtime keeping up with virus signatures. Governments, police and militaries seem to be handicapped: not enough manpower, poor focus or something. They have problems with finding, and if they can find them, getting to major MalZ. We need to sit down, look at the issue and then figure out what to do about it. To this end I have started S31, a school of systems and applications experts and leaders in the internet martial arts. We have taken it onto ourselves to focus our attentions not on describing the problem or looking at ways to protect our systems, but on what can be done to combat the attacks we have been subjected to for so long. Clearly trying to bring the MalZ to justice using arrests and prosecution is not working. This mostly falls into the problem of jurisdictions and the fact a lot of these are either by governments or allowed by governments that are not exactly friendly to the West. Also, creating technical means to stop the attacks is not working to its full potential. While these efforts have been good enough up till now, good enough does not mean perfect. We and all who want to be free on the internet appreciate their efforts and encourage them to keep up what they are doing as it is very important. But we need something more. In the last few weeks we have been encouraged by others' efforts in testing techniques to possibly fight back. We need to keep up this research. S31 will be continuing these efforts in parallel with other researchers as well as defining requirements for the work ahead. So for now, patch your systems with every patch you can.
Run a good virus scanner in an active scanning role. Use two firewalls, a hardware firewall at your internet connection and a software firewall on every single PC you own. Use good malware scanners; use two just to be sure. We also recommend using a second antivirus on a manual scan once in a while, once a week if you are on the net much, once a month otherwise. Be on the lookout for any and all social engineering, phishing and whaling. Educate the people around you. Teach them how to protect themselves. And keep at it; people get complacent once they have been uninfected for a while. People don't want to have to be security experts, they just want to read their email and surf the web. We hope that in the future they can do just that. And remember, don't blame the victim; it doesn't help anybody and makes us take our focus off of the people who are the real problem.
About Defense in Depth: With over eight years at CNET covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews with the top security researchers making the news, as well as offering the hands-on, non-technical advice you'll need to stay safe online.