Microsoft's U.K. Web site hit by SQL injection attack
Hacker exploits programming error to link Web page to external site
IDG News Service -
A hacker successfully defaced a page on Microsoft Corp.'s U.K. Web site on Wednesday, resulting in the display of several images, including a photograph of a child waving the flag of Saudi Arabia.
Roger Halbheer, Microsoft's chief security advisor in Europe, the Middle East and Africa, said today that the security hole used in the attack has since been closed. But, he said, it was "unfortunate" that the U.K. site was vulnerable in the first place.
The hacker, who posted his name as "rEmOtEr," used a SQL injection attack to exploit a programming snafu and gain unauthorized access to a database that supports the Web site, Halbheer said. The site takes SQL queries embedded in URLs and passes them to the database, he explained. By embedding a query of an unexpected form into the address for a particular Web page, the hacker prompted the server to return error messages, Halbheer said.
From such error messages, an attacker can get an idea of how a database is structured and refine a query so that the database will process it as an instruction to insert, instead of retrieve, data. In Microsoft's case, Halbheer said, the hacker eventually found the right combination and inserted a link to an external Web site into the database.
When users accessed the Web page on Microsoft's site, the database downloaded two photos and a graphic from the external site. A screenshot of the defacement was posted on the Zone-H.org Web site, which tracks hacked sites.
There are two ways Microsoft could have avoided this type of attack, according to Halbheer. First, the database should not have been allowed to return error messages, he said. In addition, the Web application should have validated the external URL that the hacker entered into the database and rejected it. If a programmer makes a mistake, "the bad guy can leverage it," Halbheer said.
SQL injection attacks are on the rise as attackers try to get at valuable information that is held within databases, said Paul Davie, founder and chief operating officer of Secerno Ltd., an Oxford, England-based vendor that develops technology designed to protect databases from such attacks.
"I don't think Microsoft [is] unique in this respect, and [they] shouldn't be held up as particularly slipshod," Davie said. "This could have happened to practically anybody."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts