Security news15 August 2008
Sophos podcast demystifies the biggest security threat on the web: SQL injection attacks Administrators and web surfers are offered free advice to safeguard themselves against becoming a victim
Fraser Howard talks to Carole Theriault about how SQL web attacks are flooding the web.
IT security and control firm Sophos today announced the availability of a new podcast discussing how SQL injection attacks, where malicious and automated code attacks poorly configured websites running databases, are a significant contributor to the continued rise in web threats.
SophosLabs now sees a newly infected webpage every five seconds, up from one every fifteen seconds in 2007.
In the podcast, Fraser Howard, principal malware researcher at SophosLabs, is interviewed by Carole Theriault about how innocent websites are being compromised in order to infect larger numbers of surfers. Howard also offers free advice for administrators and web surfers on how to avoid becoming victimised by these automated attacks.
SQL injection attacks are designed to exploit security vulnerabilities and insert malicious code - in this case script tags - into a website running a database. The attack takes advantage of user input, for instance, on a webform not being correctly filtered or checked, thereby allowing it to execute as code, peppering the database with malicious instructions.
Once organizations realize they have been hit, they clean up their databases but don't fix the underlying problem that got them attacked in the first place, which results in the site getting infected again, often in a number of hours.
"This is the biggest online threat today, and firewalls cannot offer help because they are configured to allow web traffic. Most online shopping sites, where the web surfer needs to enter data, have databases, so, if improperly coded as many seem to be, the risks are daunting," said Carole Theriault host of the Sophos podcasts. "Basically, this is a case where ignorance isn't bliss. With so many administrators potentially unaware that their databases are poorly coded and threatening to compromise their visitors, I quizzed Fraser on what web administrators can do to mitigate the threat and how web surfers can try to avoid becoming infected."
All Sophos podcasts are available for download at www.sophos.com/podcasts. Past podcasts have covered topics such as corporate security policies, rootkits, protecting educational establishments, and the latest trends in viruses and spam.
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
About Sophos
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.
