Security news
Security news15 August 2008
Sophos podcast demystifies the biggest security threat on the web: SQL injection attacks Administrators and web surfers are offered free advice to safeguard themselves against becoming a victim
Fraser Howard talks to Carole Theriault about how SQL web attacks are flooding the web.
IT security and control firm Sophos today announced the availability of a new podcast discussing how SQL injection attacks, where malicious and automated code attacks poorly configured websites running databases, are a significant contributor to the continued rise in web threats.
SophosLabs now sees a newly infected webpage every five seconds, up from one every fifteen seconds in 2007.
In the podcast, Fraser Howard, principal malware researcher at SophosLabs, is interviewed by Carole Theriault about how innocent websites are being compromised in order to infect larger numbers of surfers. Howard also offers free advice for administrators and web surfers on how to avoid becoming victimised by these automated attacks.
SQL injection attacks are designed to exploit security vulnerabilities and insert malicious code - in this case script tags - into a website running a database. The attack takes advantage of user input, for instance, on a webform not being correctly filtered or checked, thereby allowing it to execute as code, peppering the database with malicious instructions.
Once organizations realize they have been hit, they clean up their databases but don't fix the underlying problem that got them attacked in the first place, which results in the site getting infected again, often in a number of hours.
"This is the biggest online threat today, and firewalls cannot offer help because they are configured to allow web traffic. Most online shopping sites, where the web surfer needs to enter data, have databases, so, if improperly coded as many seem to be, the risks are daunting," said Carole Theriault host of the Sophos podcasts. "Basically, this is a case where ignorance isn't bliss. With so many administrators potentially unaware that their databases are poorly coded and threatening to compromise their visitors, I quizzed Fraser on what web administrators can do to mitigate the threat and how web surfers can try to avoid becoming infected."
All Sophos podcasts are available for download at www.sophos.com/podcasts. Past podcasts have covered topics such as corporate security policies, rootkits, protecting educational establishments, and the latest trends in viruses and spam.
Readers Choice Awards 2009Information Security Magazine
- Please vote for Sophos and Utimaco!
- Subscribe to the Information Security
newsletter to vote.
About Sophos
Sophos enables enterprises all over the world to secure and control their IT infrastructure. Sophos's network access control, endpoint, web and email solutions simplify security to provide integrated defenses against malware, spyware, intrusions, unwanted applications, spam, policy abuse, data leakage and compliance drift. With over 20 years of experience, Sophos protects over 100 million users in nearly 150 countries with its reliably engineered security solutions and services. Recognized for its high level of customer satisfaction and powerful yet easy-to-use solutions, Sophos has received many industry awards, as well as positive reviews and certifications.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com
