Fraser Howard talks to Carole Theriault about how SQL web attacks
are flooding the web.
IT security and control firm Sophos today announced the
availability of a new podcast discussing how SQL injection attacks,
in which automated attacks plant malicious code on poorly configured
websites running databases, are a significant contributor to the
continued rise in web threats.
SophosLabs now sees a newly infected webpage every five seconds,
up from one every fifteen seconds in 2007.
In the podcast, Fraser Howard, principal malware researcher at
SophosLabs, is interviewed by Carole Theriault about how innocent
websites are being compromised in order to infect larger numbers of
surfers. Howard also offers free advice for administrators and web
surfers on how to avoid becoming victimised by these automated
attacks.
SQL injection attacks are designed to exploit security
vulnerabilities and insert malicious code - in this case script
tags - into a website running a database. The attack takes
advantage of user input, for instance from a web form, that is not
correctly filtered or checked, allowing it to be executed as
code and peppering the database with malicious instructions.
Once organizations realize they have been hit, they clean up
their databases but don't fix the underlying problem that got them
attacked in the first place, which results in the site getting
infected again, often in a number of hours.
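The mechanism described above, and the underlying fix that cleaning the database alone does not provide, as an added example that is not part of the Sophos release or podcast. It uses an in-memory SQLite table of constructed comments: the first version splices user input straight into the SQL text, so an ordinary apostrophe is already parsed as SQL; the second binds the input as a parameter, and the render step escapes stored text so that a body containing a script tag is displayed rather than run by a visitor's browser. Table and function names are hypothetical.

```python
import html
import sqlite3


def make_db():
    # Constructed schema standing in for a site's comments table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    return conn


def save_comment_vulnerable(conn, author, body):
    # Input is spliced into the statement text, so any SQL metacharacter in
    # the input changes the statement the database actually executes.
    sql = "INSERT INTO comments (author, body) VALUES ('%s', '%s')" % (author, body)
    conn.execute(sql)
    conn.commit()


def save_comment_safe(conn, author, body):
    # Placeholders keep the input out of the SQL parser entirely: it is bound
    # as data, however many quotes or tags it contains.
    conn.execute(
        "INSERT INTO comments (author, body) VALUES (?, ?)", (author, body)
    )
    conn.commit()


def find_by_author_safe(conn, author):
    rows = conn.execute(
        "SELECT body FROM comments WHERE author = ?", (author,)
    )
    return [row[0] for row in rows]


def render_comment(body):
    # Correctly stored data still has to be escaped on output, so a body
    # containing a script tag is shown as text, not executed by the browser.
    return "<p>" + html.escape(body) + "</p>"


def demo():
    """Run both paths on constructed input and return what each one did."""
    results = {}
    conn = make_db()

    # A name with an apostrophe: ordinary data to a user, syntax to the
    # vulnerable code, which proves the input is being interpreted as SQL.
    name = "O'Brien"
    try:
        save_comment_vulnerable(conn, name, "hello")
        results["vulnerable_apostrophe"] = "stored"
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "sql error"

    save_comment_safe(conn, name, "hello")
    results["safe_apostrophe"] = find_by_author_safe(conn, name)

    # Constructed body of the kind the release describes: a script tag.
    # The parameterised insert stores it verbatim as data, and the
    # rendering step neutralises it before it reaches a visitor.
    tagged = "<script>alert('xss')</script>"
    save_comment_safe(conn, "visitor", tagged)
    results["stored_verbatim"] = find_by_author_safe(conn, "visitor") == [tagged]
    results["rendered"] = render_comment(tagged)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The two save functions differ by one line, which is the point: after an incident, wiping script tags out of the table removes the symptom, while switching every query that touches user input to placeholders removes the cause, and escaping on output limits the damage if bad data ever does get in.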
"This is the biggest online threat today, and firewalls cannot
offer help because they are configured to allow web traffic. Most
online shopping sites, where the web surfer needs to enter data,
have databases, so, if improperly coded as many seem to be, the
risks are daunting," said Carole Theriault, host of
the Sophos podcasts. "Basically, this is a case where ignorance
isn't bliss. With so many administrators potentially unaware that
their databases are poorly coded and threatening to compromise
their visitors, I quizzed Fraser on what web administrators can do
to mitigate the threat and how web surfers can try to avoid
becoming infected."
All Sophos podcasts are available for download at www.sophos.com/podcasts. Past podcasts have covered
topics such as corporate security policies, rootkits, protecting
educational establishments, and the latest trends in viruses and
spam.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.