Poor programming practices to blame for website hacks, analysts say

Security advisors have blamed sloppy work by programmers for the latest round of China-based hacker attacks on hundreds of thousands of websites.

Up to 500,000 web sites, including some belonging to the UN, were reported to have been targeted by hackers from the middle of last week.

The hackers used a common code injection technique, SQL injection through the database query language SQL, to plant code on the compromised websites that redirected visitors to malicious servers, which then passed malicious code on to those visitors.

Initial reports suggested that websites might have been compromised because of Microsoft vulnerabilities, but this week security investigators cleared the software producer.

Mary Landesman, senior security researcher at Scansafe, said in a report that the targeting was likely to be the result of poor coding practices.

Stephan Chenette, manager of US-based Websense Security Labs, said web programmers had failed to validate user input properly.

"Web developers should heed secure development practices because a fully patched host may still be susceptible to attack if code was not properly checked for vulnerabilities," he said.
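An added illustration of the input-validation failure Chenette describes, not code from the article or from any of the vendors quoted: the same page lookup written with string concatenation and with a bound parameter, using Python's sqlite3 as a stand-in for the ASP and Microsoft SQL stacks named later in the article. The table and its rows are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a site's content database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (slug TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [("hacks", "Website hacks blamed on poor coding"),
         ("patching", "Patch management basics"),
         ("filtering", "Web filtering for enterprises")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, slug: str) -> list:
    """Vulnerable form: the request value is spliced into the SQL text, so a
    quote inside it is parsed as SQL syntax rather than treated as data."""
    sql = "SELECT title FROM articles WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, slug: str) -> list:
    """Hardened form: the value is bound as a parameter, so it can never alter
    the query structure whatever characters it contains."""
    rows = conn.execute("SELECT title FROM articles WHERE slug = ?", (slug,))
    return [row[0] for row in rows]


def compare(slug: str) -> tuple:
    """Run both lookups on the same input and return (vulnerable, hardened).
    A syntax error from the vulnerable query is returned as a marker string."""
    conn = make_db()
    try:
        vulnerable = lookup_concat(conn, slug)
    except sqlite3.Error as exc:
        vulnerable = ["SQL error: " + str(exc)]
    return vulnerable, lookup_param(conn, slug)


if __name__ == "__main__":
    # A normal slug, a legitimate value containing a quote, and a value
    # that the concatenated query misreads as extra SQL.
    for value in ("patching", "O'Brien", "' OR 1=1 --"):
        print(repr(value), compare(value))
```

Only the concatenated version returns rows it was never asked for or fails outright on an apostrophe; the parameterised version answers every input as a plain slug lookup.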

However, end-users have been advised to ensure they have the most recent security updates for all their applications and to use web-filtering software to protect their users.

Landesman said the latest SQL injection attacks are connected with two earlier attacks in October and December last year.

She said all the attacks targeted the UN and used the same code, indicating that the same person or group was behind them.

Chenette said the precise size of this attack was difficult to quantify because malicious sites were continually moving, but he said the number of infected sites has started to decrease because of widespread awareness of the attack.

Microsoft said on the company's security response center's blog that the attacks were not related to any known security issues in Microsoft's Internet Information Services (IIS) 6.0, Active Server Pages (ASP), ASP.Net or Microsoft SQL technologies.
