08 January 2008

Automated SQL Injection Attack

Computer World is reporting "Mass hack infects tens of thousands of sites." The Slashdot discussion has some very good posts.

This is interesting on numerous levels, one being how many sites fail, at more than one layer, to implement even basic security. Why do application accounts have access to so many tables, with write rights to all of them? Why aren't you using stored procedures or, at the very least, parameterized queries? At a minimum, why aren't you validating your inputs? People can say, 'Yeah, Microsoft, bad security, big surprise,' but this is not a DBMS issue. It is a complete failure to follow any of the well-known best practices, and no database engine can make up for that.
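To make the point concrete, here is an added example (mine, not code from the original post or from any of the affected sites) showing the two failures side by side: a lookup built by string concatenation next to the same lookup with bound parameters, plus a stand-in for the least-privilege point. The table, rows and search terms are constructed for the demo; the database is an in-memory SQLite one, and since SQLite has no per-account grants, `PRAGMA query_only` stands in for giving the web application's database role read-only rights.

```python
"""Added example: string-built SQL versus bound parameters, and a
read-only stand-in for a least-privilege application account.
Runs against an in-memory SQLite database with constructed sample rows."""
import sqlite3


def make_db():
    """Create a small articles table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)",
        [("Public post", 1), ("Second public post", 1), ("Unpublished draft", 0)],
    )
    return conn


def search_vulnerable(conn, term):
    """Search as many 2008-era sites did: splice the user's text into the SQL."""
    # The term becomes part of the SQL grammar, so a quote in it rewrites
    # the WHERE clause. (Python's sqlite3 refuses stacked statements, so this
    # demo changes the filter rather than appending a second statement.)
    sql = (
        "SELECT title FROM articles WHERE published = 1 "
        f"AND title LIKE '%{term}%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """The same search with the term delivered as data, not as SQL text."""
    # The statement text never changes; the driver passes term as a value,
    # so quotes inside it are just characters in the LIKE pattern.
    sql = (
        "SELECT title FROM articles WHERE published = 1 "
        "AND title LIKE '%' || ? || '%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, (term,))]


def make_readonly(conn):
    """Stand-in for a SELECT-only database role for the web application."""
    # SQLite has no GRANT; query_only makes every write on this connection fail,
    # which is the effect a read-only account would have on a real DBMS.
    conn.execute("PRAGMA query_only = ON")


def try_deface(conn):
    """Attempt the kind of blanket UPDATE an injection would carry.

    Returns True if the write went through, False if the database refused it.
    """
    try:
        conn.execute("UPDATE articles SET title = title || ' [defaced]'")
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


# Constructed attacker input: closes the quoted pattern, adds a tautology,
# then reopens a pattern so the trailing %' still parses.
PAYLOAD = "x' OR 1=1 OR title LIKE '"

if __name__ == "__main__":
    db = make_db()
    print("normal search, vulnerable:   ", search_vulnerable(db, "public"))
    print("normal search, parameterized:", search_parameterized(db, "public"))
    print("payload, vulnerable:         ", search_vulnerable(db, PAYLOAD))
    print("payload, parameterized:      ", search_parameterized(db, PAYLOAD))
    print("write with full rights:      ", try_deface(db))
    make_readonly(db)
    print("write with read-only role:   ", try_deface(db))
```

The vulnerable search returns every row, including the unpublished draft, once the payload rewrites the WHERE clause; the parameterized search treats the same text as a pattern that matches nothing. The last two lines show why the account question matters: even if an injection gets through, an account that cannot write cannot deface the table.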

Fortunately, the attack was small. Unfortunately, the lesson learned will be just as small. SQL Slammer managed to get a Wired article and a lot of saber rattling, but five years later, how much has changed?

