How to not have your Web site hacked like Sony's
- 07 July, 2008 08:23
The US Sony Playstation Web site is the latest high-profile victim of a hacker attack on business sites that's spreading malware at breakneck pace, says a security vendor.
Sophos reported that Sony had suffered an SQL injection attack last Wednesday. Malicious code was planted on pages of two popular Playstation games -- SingStar Pop and God of War.
The digital security company alerted Sony to the problem, and it was fixed as of early last Thursday morning, says Graham Cluley, senior technology consultant with Sophos headquartered in the UK.
While the Playstation site is now clean, hundreds of other Web sites have been compromised by the same attack, he says. Affected sites are wide ranging, says Cluley, "from Brazilian and Chinese government sites to a garden pond supplier in Canada."
The SQL injection attack is an old hacker trick that has found new life.
Its usage in recent months has soared, as cyber criminals use automated programs to scour the Web for pages and sites vulnerable to such exploits.
The attacks have transformed thousands of credible business Web pages on sites such as MSNBC into malware-peddling portals.
Attacks have ballooned in recent months. There is now a new malware-infected Web page every five seconds, according to Sophos. That's three times the rate of infection compared to last year. Eight out of 10 Web sites suffering from the attack are legitimate business Web sites.
"There's been a spate of attacks being called by a botnet named Asprox," Cluley says. "It's using innocent people's computers to go on the Web and find vulnerable targets."
An automated attack is to blame for the Sony hack, he adds. It wasn't launched by a person, but an automated program that stumbled upon the code vulnerability on the Playstation pages and took advantage.
The attacks don't exploit a specific software vulnerability, but take advantage of poor coding practices, according to a Microsoft Security Advisory. Companies that access and manipulate data in a relational database such as SQL Server from a Web site are at risk.
It comes down to a problem with a Web application, says Brian Bourne, president of Canada-based security analyst firm CMS Consulting. Developers are failing to do proper code checking to prevent the attacks.
"They're not doing input validation," he explains. "They're not looking at it and saying 'hey, this is not regular user input' -- that's the simple version."
But Web administrators have to shoulder the burden of blame too, Bourne adds. They're responsible for creating a layered security approach to protect against known and yet-to-be-discovered exploits.
The fake scan that surfers saw when exposed to the hack, graphic courtesy of Sophos.
The most common variety of the hack is a direct insertion of code into a place where a user inputs information. That gives hackers an opportunity to inject SQL commands that are executed blindly by the server.
Video game fans surfing on the Playstation Web site were subjected to a pop-up window that displayed a fake virus scan running, followed by a message their computer was ridden with viruses and Trojans. Then the surfer is offered a fake anti-virus software package for a fee.
Hackers could alter the malicious payload to be even worse, according to Sophos. The attacks are often used to collect personal information in identity theft scams, or to recruit more computers onto a botnet.
SQL injection is an "extremely effective" method of attack that can be easily hidden in the nooks and crannies of Web code, Cluley says. The problem lies with a lack of rigorous checking of code by the administrators affected.
"If they're not doing proper checking, hackers can start to embed and inject code into their database," the consultant explains. "[The database] ends up peppered with small pieces of code calling up third-party Web sites."
Such attacks have become so pervasive that Microsoft responded to the SQL Server user community last week with two free tools and a security advisory to help Web admins safeguard against SQL injection.
Here are the tools and tips passed on by Microsoft and Bourne:
Detect: Hewlett Packard has developed a free scan that can identify whether a Web site is susceptible to SQL injection attacks. HP Scrawlr can be downloaded at the HP Security Center.
Test: Canada-based company Security Compass has a suite of plug-in tools that can be used with the Firefox browser. Web developers have the convenience of looking for SQL injection vulnerabilities with the click of a button. Download SQL Inject-Me.
Defend: Scrutinize more carefully the HTTP requests being made by SQL commands on a Web site. A Microsoft security tool will allow you to put restrictions on what the Internet Information Services will process from the server. It could block harmful requests from ever getting to the Web application. Download URLScan Tool 3.0 Beta.
Identify: For those using ASP code on their Web sites, another Microsoft tool can analyze the code and then output a display of the areas that are vulnerable to SQL injection. The tool also comes with documentation that actually tells users how to fix the different problems that could be found in the code analyzed. Download the Microsoft Source Code Analyzer for SQL Injection at Microsoft Knowledge Base Article 954476.
Fixing the actual root of the problem is important, Cluley says. A Web site that simply removes the injected code but doesn't patch up the exploit will find the code is re-inserted in short order by automated botnets.
It's not clear what steps Sony has taken with its Web site at this time. "We haven't heard directly back from their Web team," the Sophos consultant says.
ITBusiness.ca attempted to contact Sony, but did not receive a response.