Stephen Wynkoop, founder of SSWUG (SQL-Server World-wide Users Group) shares an interesting update in today's SSWUG Newsletter, related to the recent SQL Injection attacks. Over 500,000 web pages were infected with malware related scripts.
The attacks were due to web developers taking short-cuts (e.g., not fully editing input before sending it to the SQL-Server environment). While a website might work fine with normal input from a user, it is just as important to have safeguards in place for malicious injection attempts.
QUOTE: SQL Injection Hack Attack -- Poor Coding Techniques to Blame
There are SO many people writing about this whole IIS hack attack that I wrote about yesterday. What's odd is the very few of them that get it. I've seen the issues blamed on everything from SQL Server not having granular-enough permissions controls to flaws in the OS. I don't get it. This is just about coding techniques, nothing more. It's not a "feature" or "bug" being exploited.
When you accept input from a user and pass it blindly to the database engine, you are asking for trouble. When you don't control the input, don't control how it's presented to the engine for processing, you're asking for trouble. It really is that simple.
It's too easy for people to build sites with "dynamic SQL" - making changes to the SQL statements on the fly. "Select * from " + user_input is asking for trouble.
It's simple. If your applications accept input from users, you need to make sure you've taken steps to properly pass information from your application to the server and back again as you display it. If you're not doing this now, if you have not built this into your application design, review and development processes, you're asking for people to exploit your system. If you're not sure - find out. Learn what was built into the application. Consider using a tool to stay on top of new techniques and approaches.
Hacker Safe is one such tool - take a look at what they're doing and you'll get a great idea of the types of things to be aware of. (Not affiliated)
McAfee's "Hacker Safe" - Site Verification Tool
SQL-Server World-wide Users Group (SSWUG) - Home Page
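The "Select * from " + user_input pattern the newsletter warns about, shown beside a parameterized query, as an added example that is not from SSWUG or the newsletter. It assumes a constructed products table and uses Python's built-in sqlite3 only as a stand-in for SQL Server; the bound-parameter principle is the same there.

```python
import sqlite3


def make_db():
    # Constructed sample catalogue; the "hidden" row stands in for data a
    # query should never expose. sqlite3 is used because it ships with Python.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 0), (2, "gadget", 0), (3, "internal-only", 1)],
    )
    return conn


def lookup_dynamic(conn, user_input):
    # Dynamic SQL: the user's text becomes part of the statement, so the
    # engine parses anything the user typed as SQL.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = '" + user_input + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, user_input):
    # Parameterized query: the statement text is fixed and the input is bound
    # as a value, so quotes or keywords in it are just characters to compare.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = ?"
    return sorted(row[0] for row in conn.execute(sql, (user_input,)))


if __name__ == "__main__":
    db = make_db()
    # Ordinary input: both styles behave the same.
    print(lookup_dynamic(db, "widget"), lookup_parameterized(db, "widget"))
    # Constructed input containing a quote and a tautology: the dynamic query
    # returns every row, hidden one included; the parameterized query matches nothing.
    crafted = "x' OR 1=1 --"
    print(lookup_dynamic(db, crafted), lookup_parameterized(db, crafted))
```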
Yesterday, Sunbelt issued a warning about several sites whose names are spelled very similarly to the genuine Microsoft-related sites. Most of the URLs are plural forms (e.g., microsofts or microsoftes). Please do not attempt to visit these sites, as malware could be automatically and silently installed on vulnerable PCs.
These URLs could be used in future phishing or targeted attacks, as they closely resemble the true Microsoft naming conventions. Always be careful with URLs, and with performing any action as a result of an email or a visit to a website.
Sunbelt Blog - Fake Microsoft-like sites