News

Poor programming practices to blame for website hacks, analysts say

Warwick Ashford

Security advisors have blamed sloppy work by programmers for the latest round of China-based hacker attacks on hundreds of thousands of websites.

Up to 500,000 web sites, including some belonging to the UN, were reported to have been targeted by hackers from the middle of last week.

The hackers were passing malicious code on to visitors of infected websites by redirecting them to malicious servers using a common code injection method involving the database query language SQL.

Initial reports suggested that websites might have been compromised because of Microsoft vulnerabilities, but this week security investigators cleared the software producer.

Mary Landesman, senior security researcher at Scansafe, said in a report that the targeting was likely to be the result of poor coding practices.

Stephan Chenette, manager of US-based Websense Security Labs, said web programmers had failed to validate user input properly.

"Web developers should heed secure development practices because a fully patched host may still be susceptible to attack if code was not properly checked for vulnerabilities," he said.

However, end-users have been advised to ensure they have the most recent security updates for all their applications and to use web-filtering software to protect their users.

Landesman said the latest SQL injection attacks are connected with two earlier attacks in October and December last year.

She said all the attacks targeted the UN and the same code was used, indicating that the same persons or group of people was behind the attacks.

Chenette said the precise size of this attack was difficult to quantify because malicious sites were continually moving, but he said the number of infected sites has started to decrease because of widespread awareness of the attack.

Microsoft said on the company's security response center's blog that the attacks were not related to any known security issues related to Microsoft's Internet Information Services (IIS) 6.0, Active Server Pages (ASP), ASP.Net or Microsoft SQL technologies.





Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy