How to not have your Web site hacked like Sony's

A SQL injection attack was used to plant malicious code on pages of two popular Sony Playstation games - SingStar Pop and God of War, reports security company Sophos. Hundreds of Web pages from other businesses have also been compromised.

The US Sony Playstation Web site is the latest high-profile victim of a hacker attack on business sites that's spreading malware at breakneck pace, says a security vendor.

Sophos reported that Sony had suffered an SQL injection attack last Wednesday. Malicious code was planted on pages of two popular Playstation games -- SingStar Pop and God of War.

The digital security company alerted Sony to the problem, and it was fixed as of early last Thursday morning, says Graham Cluley, senior technology consultant with Sophos headquartered in the UK.

While the Playstation site is now clean, hundreds of other Web sites have been compromised by the same attack, he says. Affected sites are wide ranging, says Cluley, "from Brazilian and Chinese government sites to a garden pond supplier in Canada."

The SQL injection attack is an old hacker trick that has found new life.

Its usage in recent months has soared, as cyber criminals use automated programs to scour the Web for pages and sites vulnerable to such exploits.

The attacks have transformed thousands of credible business Web pages on sites such as MSNBC into malware-peddling portals.

Attacks have ballooned in recent months. There is now a new malware-infected Web page every five seconds, according to Sophos. That's three times the rate of infection compared to last year. Eight out of 10 Web sites suffering from the attack are legitimate business Web sites.

"There's been a spate of attacks being called by a botnet named Asprox," Cluley says. "It's using innocent people's computers to go on the Web and find vulnerable targets."

An automated attack is to blame for the Sony hack, he adds. It wasn't launched by a person, but an automated program that stumbled upon the code vulnerability on the Playstation pages and took advantage.

The attacks don't exploit a specific software vulnerability, but take advantage of poor coding practices, according to a Microsoft Security Advisory. Companies that access and manipulate data in a relational database such as SQL Server from a Web site are at risk.

It comes down to a problem with a Web application, says Brian Bourne, president of Canada-based security analyst firm CMS Consulting. Developers are failing to do proper code checking to prevent the attacks.

"They're not doing input validation," he explains. "They're not looking at it and saying 'hey, this is not regular user input' -- that's the simple version."

But Web administrators have to shoulder the burden of blame too, Bourne adds. They're responsible for creating a layered security approach to protect against known and yet-to-be-discovered exploits.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Brian Jackson

ITBusiness.ca
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?