Olympics Coverage Injected with Malware
Sophos technology consultant Graham Cluley, and his associate from SophosLabs, Paul Baccas, are reporting a SQL injection attack on syndicated Beijing Olympics content.
A SQL injection lets an attacker's input manipulate the database query behind a Web form; here it was used to inject malware that installs viruses or spyware, or that captures personally identifiable information from innocent folks who unknowingly visit the infected site.
While the threat itself appears to only have affected syndicated content from Agence France-Presse for those companies that appear not to be managing their database particularly well (in this case, New Delhi Television Limited), the fact that it is syndicated to news sites across the globe while the Olympics' popularity is high is a bit concerning. The world isn't ending, and this isn't the first (remember the Super Bowl hack or the more recent Obama hack?) or last, but it's getting mighty embarrassing for those involved with managing large news events and selling products that are in demand.
From Cluley's blog:
One of the products that AFP makes available to its customers is a ready-made ".net" micro-website offering background to events at the games, including flash animations and descriptions of the rules of different sports. This rich digital content is a boon to websites that want to have customers coming back to their website time and time again.
In this instance it appears that Indian news website NDTV is syndicating AFP's ready-made Olympic content, but has not properly secured their backend ASP/SQL infrastructure to avoid their sites being "peppered" with an infection.
It's important to realise that AFP is not to blame - but if you are syndicating content around the web you might be wise to inform your customers and users of the importance of properly hardening their infrastructure to avoid bringing your company's name into disrepute.
Here's an image from AFP on the syndicated content itself, which is based on Microsoft's .Net Web services platform.
Chalk this up to poor database implementation and database management from those companies who receive the content-as-a-service. But, on the business end of things, think about the potential for lost business, customer finger-pointing and public embarrassment. Here's where Web services, software-as-a-service and in-the-cloud applications can hurt companies on both ends.
Not every company has the same level of IT expertise, especially when it comes to database management, where security experience can be hard to come by and the cost of good DBAs can be high. Agence France-Presse unfortunately has its name dragged through this when in reality the issue is with its client. Being very explicit about how to set up, secure and maintain the service becomes absolutely essential to doing this kind of business, regardless of service level guarantees and no-fault contracts.
This suggests to me that companies in this software-as-a-service business need to have a security auditor that would be granted the ability to access and document customer infrastructure, and be able to check in quarterly or some regularly scheduled timeframe. From a legal liability standpoint, this would make some sense.
Unfortunately, some may read this as guilt by association for AFP, which is simply incorrect, but it's what happens when security researchers are monitoring and reporting the unfortunate bad news, and companies readily sell and distribute in the open, free Internet cloud.
Here's some more detailed information on SQL injection attacks from the eWEEK Q&A article with Robert Graham, CEO of Errata Security. His take on .Net made the usually dormant lightbulbs go off in my head:
Q: How does SQL injection work?
A: The way it works is very simple. An improperly programmed Web form can inadvertently allow data and executable code to get mixed up. Suppose the site has a page where a user has to type in some data--maybe just a user name, a blog comment, or a description of an item for sale. A hacker can hijack a data entry field on this Web form by entering a value that is completely different in type from what the programmer intended. For example, SQL uses the single quote character (') as an escape character. This tells the database that whatever comes next is no longer data but executable code. All the hacker has to do is insert a piece of live SQL after the escape character. The database engine will see that code and think it is expected to execute it. In that way it can be tricked into performing a task of the hacker's choice--perhaps inserting fictitious values into the database or retrieving data the hacker shouldn't see, or even maliciously deleting an entire table.
Q: How can sites protect themselves against SQL injection?
A: The best defense is to design your database-backed Web site properly to make sure it always separates SQL code and user data. You basically have a choice between programming tools that are specifically designed to prevent you from making this kind of mistake and those that allow you to get into trouble if you're not careful. Roughly speaking, this corresponds to the difference between the newer Microsoft .Net tools and their older tools or open source frameworks like PHP. The pre-.Net Microsoft tools in particular were very vulnerable to attack and at the same time very easy to use. You had a lot of people building Web sites with them who really had no clue how to defend themselves from attackers. Since then Microsoft has rearchitected its products and the current generation of .Net tools makes it much more difficult to expose yourself to SQL injection unless you do something really strange.
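The mechanism Graham describes in the first answer and the "separate SQL code from user data" defense in the second, as an added example that is not part of the original article or of any code from AFP, NDTV or Sophos: the same login lookup written with string concatenation and with bound parameters, run against a constructed in-memory SQLite table. The same distinction in the ADO.NET stack the article discusses is a SqlCommand with SqlParameter objects versus a command built by concatenating strings.

```python
# Added example (not from the original post): a lookup built by gluing user
# input into the SQL text, beside the same lookup with bound parameters.
import sqlite3

SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]  # constructed rows


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str, password: str) -> list:
    # String concatenation: a single quote inside the input closes the
    # string literal, and whatever follows is parsed as SQL, not as data.
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Parameterized query: the statement is parsed first and the values are
    # bound afterwards, so a quote in the value can never become SQL syntax.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo() -> tuple:
    """Returns (honest login, concatenated query given a quote in the
    password field, parameterized query given the same input)."""
    conn = make_db()
    # The quote ends the password literal; the rest turns the WHERE clause
    # into "... AND password = '' OR '1'='1'", which is true for every row.
    quoted_input = "' OR '1'='1"
    return (lookup_unsafe(conn, "alice", "s3cret"),
            lookup_unsafe(conn, "alice", quoted_input),
            lookup_safe(conn, "alice", quoted_input))


if __name__ == "__main__":
    honest, concatenated, parameterized = demo()
    print("honest login:", honest)            # ['alice']
    print("concatenated query:", concatenated)  # every user in the table
    print("parameterized query:", parameterized)  # [] (treated as data)
```

The concatenated version returns every row for an input that never matches any stored password, while the parameterized version returns nothing, which is the whole of Graham's point about tools that keep code and data apart.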
I guess New Delhi Television Limited did something 'really strange'?