Sophos podcast demystifies the biggest security threat on the web: SQL injection attacks

August 15, 2008 Sophos Press Release
Fraser Howard
Fraser Howard talks to Carole Theriault about how SQL web attacks are flooding the web.

IT security and control firm Sophos today announced the availability of a new podcast discussing how SQL injection attacks, where malicious and automated code attacks poorly configured websites running databases, are a significant contributor to the continued rise in web threats.

SophosLabs now sees a newly infected webpage every five seconds, up from one every fifteen seconds in 2007.

In the podcast, Fraser Howard, principal malware researcher at SophosLabs, is interviewed by Carole Theriault about how innocent websites are being compromised in order to infect larger numbers of surfers. Howard also offers free advice for administrators and web surfers on how to avoid becoming victimised by these automated attacks.

SQL injection attacks are designed to exploit security vulnerabilities and insert malicious code - in this case script tags - into a website running a database. The attack takes advantage of user input, for instance, on a webform not being correctly filtered or checked, thereby allowing it to execute as code, peppering the database with malicious instructions.

Once organizations realize they have been hit, they clean up their databases but don't fix the underlying problem that got them attacked in the first place, which results in the site getting infected again, often in a number of hours.

"This is the biggest online threat today, and firewalls cannot offer help because they are configured to allow web traffic. Most online shopping sites, where the web surfer needs to enter data, have databases, so, if improperly coded as many seem to be, the risks are daunting," said Carole Theriault host of the Sophos podcasts. "Basically, this is a case where ignorance isn't bliss. With so many administrators potentially unaware that their databases are poorly coded and threatening to compromise their visitors, I quizzed Fraser on what web administrators can do to mitigate the threat and how web surfers can try to avoid becoming infected."

All Sophos podcasts are available for download at www.sophos.com/podcasts. Past podcasts have covered topics such as corporate security policies, rootkits, protecting educational establishments, and the latest trends in viruses and spam.