Tim Almond

I’ll try and keep this non-technical (from The Times) …

Cyber-criminals have attacked key government and consumer websites, allowing them to steal the personal details of anyone browsing the sites, The Times has learnt.

Eastern European hackers are suspected of placing the Asprox virus on more than a thousand British websites, including those run by the NHS and a local council, in the past two weeks.

Experts described the Asprox virus as an alarming departure from commonplace viruses, which tend to be spread through rogue e-mails and unregulated websites.

I had a little look around for information about Asprox, and sure enough stumbled across this technical article which confirmed what I’d assumed. The Asprox virus isn’t really that much of an “alarming departure” because it’s based on the same idea behind a clever little virus that came around in late April this year called nihaorr1.

Both viruses only work if there’s a particular hole in the website input validation which allows for what’s known as a SQL injection attack. This is a type of attack on websites that every database developer I know is aware of, and are aware of what defences to put in place.

When Nihaorr1 struck, one of the websites it hit was North Somerset council. Unicef were also hit. So, you’d like to think that someone in charge of data security in the government might have taken this seriously, or that developers of other government websites might have been made aware of such threats after the event*, but the Asprox virus managed to damage 12 council websites. Putting in adequate protection against this particular attack (but not all SQL Injection attacks) would have taken a matter of hours.

I won’t be at all surprised if there’s a whole load more websites that get hit by this…

H/T Tim Worstall

Tags: Software Development //