Wednesday, June 25, 2008
Is your website safe?
Microsoft has taken the unusual step of issuing a security advisory (number 954462) for something called "Rise in SQL Injection Attacks". Although not a particularly attention-grabbing title, this is an exceptional subject for a Microsoft advisory because it is not about a patchable flaw in a specific Microsoft product, but about a coding practice in general: building database queries out of unverified user input.
"SQL Injection" is a technique used to "hack" websites. Wherever a site pastes text supplied by the visitor (a form field, a URL parameter, a cookie) straight into the text of a database query, an attacker can supply input that closes off the intended query and adds commands of their own, which the database then runs with the website's privileges. Unfortunately, a great deal of websites are vulnerable to it (some estimates suggest "hundreds of thousands", but it may be many, many more). Hackers typically use automated tools to find vulnerable sites, and then "inject" SQL that can do any number of things. In recent weeks there has been a huge surge in the volume of these attacks.
These range from adding a snippet of script to the site's stored content, so that every visitor's browser loads malware from the attacker's server, to editing or changing any content on the website, or in the extreme case, completely wiping out the website. The consequences of an attack should be pretty clear. For the less extreme attacks the website owner may not even realise there's a problem, but it is more likely that the attack will cause inconvenience or embarrassment. In the extreme case, a well-crafted attack can have disastrous implications for a business-critical website, totally disabling a business, or resulting in the theft of credit card data and the associated financial loss.
The depressing thing is that this problem isn't new... SQL Injection has been around since the day programmers started building database-driven websites, but sadly, too many "web professionals" still haven't heard of it, even over 10 years on. It has never been caused by a bug in webserver or database software, but merely by poor-quality web development, and it can occur in any website language - ASP, ASP.net, PHP, Java, etc. It is equally preventable in all of them, and the fix is the same everywhere: pass user input to the database as a query parameter (a prepared or "parameterised" statement), so that the database treats it as a value and never as part of the SQL, rather than concatenating it into the query text. Validating input on the server and running the site with a database account that has only the permissions it needs limit the damage if a query is missed.
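To make the point concrete, here is an added example (not code from the original post or from Design Haus) showing the vulnerable and the hardened form of a product search side by side. It uses Python with the built-in SQLite driver rather than the ASP or PHP the post mentions, because the behaviour is identical in every language that offers query parameters; the tables, rows and the attacker's search term are all constructed for the demonstration.

```python
import sqlite3

# Constructed demo database: a product catalogue alongside a customer table
# holding data the attacker wants (card numbers are made up for the example).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT, card_number TEXT);
        INSERT INTO products(name, description) VALUES ('Widget', 'A fine widget');
        INSERT INTO products(name, description) VALUES ('Gadget', 'A shiny gadget');
        INSERT INTO customers(email, card_number) VALUES ('alice@example.com', '4111111111111111');
    """)
    return conn


def search_vulnerable(conn, term):
    """The 'before' form: the visitor's search term is concatenated straight
    into the SQL text, so anything the visitor types becomes part of the query."""
    sql = "SELECT name, description FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """The hardened form: the SQL text is fixed and the term travels to the
    database separately as a parameter. It can only ever be matched as a value."""
    sql = "SELECT name, description FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# A constructed attacker search term. The leading quote closes the LIKE
# string the developer opened, the UNION bolts a second query onto the
# first, and the trailing "--" comments out the rest of the original SQL.
PAYLOAD = "x%' UNION SELECT email, card_number FROM customers --"


if __name__ == "__main__":
    conn = make_db()
    print("honest search, vulnerable:", search_vulnerable(conn, "Widg"))
    print("attack, vulnerable:       ", search_vulnerable(conn, PAYLOAD))
    print("attack, parameterised:    ", search_safe(conn, PAYLOAD))
```

Run against the vulnerable function, the payload returns the customer's e-mail address and card number from a table the search page was never meant to touch; the parameterised version returns nothing, because the same text is looked for literally inside product names. The mass attacks the advisory describes used the same trick with an UPDATE statement appended to the query to stamp a script tag into every text column of the database, and the parameterised form stops that in exactly the same way: the input never gets the chance to end one statement and start another.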
We're proud to say that at Design Haus, we've already completed a thorough audit of every line of code we've ever written, and installed extra security tools on our webservers, to prevent attacks like this from happening. It was a huge project we undertook some time ago, but an essential one for any professional web development agency.
It's alarming, yet at the same time reassuring, to see our scanning tools stopping countless attacks every day. But at least we can sleep well, knowing that our clients are safe. Are you...?
(http://www.microsoft.com/technet/security/advisory/954462.mspx)