Drive-by download attacks menace UK.gov

The number of drive-by download attacks has tripled and they are beginning to affect government websites as well as small business operations. Malicious downloads from compromised websites have replaced infected email attachments as the favourite tactic for malware authors. During the first half of 2008, web security firm …

COMMENTS

This topic is closed for new posts.
  1. Graham
    Unhappy

    The funny thing is....

    You would think a savvy bunch of folks from a technologically capable country like good old blighty would have fixed this issue by now. It makes the mind spin to think that our own government and retail websites are still being subject to this sort of attack.

    I'd love to see a system which names and shames the owners of these sites in order to get a bit of urgency injected into the minds of the webmasters so they can pull their collective fingers out and actually do some work.

    True, I understand that implementing such fixes isn't that straightforward, especially with larger sites, but when you pair it up with the potential loss of customer or trust which the company/organization will have to suffer, I think it's worth a few bent noses on the way if the ends justify the means.

  2. groovyf

    The truth should out!

    Making it known which sites to stay away from would be most helpful. Name and shame that infected council site.

  3. Inspector_Morse
    Stop

    NOW tell gov.uk.....

    .. how good you feel about:

    The NHS Spine

    HMRC

    Identity & Passport Service

    Work and Pensions

    and so on and so forth

    In a sane world gov.uk would wind the clock back, dump internet transactions, and revert to hard copy snail mail*. The e-vermin are VERY smart, and the good guys are always playing catch-up.

    I am not a Luddite. I probably grasped the internet before most readers of this post. But above all else a government's role in a democracy is to protect its citizens. Right now we are being exposed to fraud by inept (and probably overpaid) civil servants.

    Enough is enough.

    *Added Bonus: Post Offices saved.

  4. Anonymous Coward
    Linux

    Big Brothers Guidance

    So it is now as dangerous to look up Government websites as it is to look up extreme porn.

  5. Stuart Castle Silver badge

    RE: The Funny thing is

    It's a case of swings and roundabouts.. I have heard of cases where a company has been too quick to apply patches, installed one that was not properly tested, and torpedoed their systems in the process..

    Admittedly, that is still better than someone hacking in and adding something to their website that just happens to infect some of the users, but it still loses them customers..

    I know that where I work, we do regularly patch servers, but we do ensure the patches are tested first.

    Still, if they didn't bother patching at all, that's their problem.

  6. Tony Hoyle
    Stop

    Like wot he said...

    The council that was affected should not only be named and shamed - their IT should be fired.

    How badly configured would your site have to be to give the web server write access to the pages it serves up? Modifying pages externally should be impossible without compromising the login of a site admin.

  7. Anonymous Coward
    Coat

    @inspector_morse

    "But above all else a government's role in a democracy is to protect its citizens"

    what a quaint idea ...

  8. Anonymous Coward
    Thumb Up

    Linkscanner to the rescue

    It can offer decent protection from such compromised websites, not that El Reg likes it much these days.

    Webmasters resume your hate campaign now.

  9. Jim
    Boffin

    @Tony Hoyle

    Oh to live in a world of static html only...

    Three letters - CMS

  10. Chris
    Boffin

    @Tony Hoyle

    I think most, if not all, of these attacks were on pages where you could leave comments, using SQL injection. So rather than leaving a comment which says "Hello" you leave one which says "Hello' UPDATE blah blah" and add a script tag with a link to nihal.js or whatever to a field which is written to the screen. A good reason to replace < and > with &lt; and &gt; out of fields before you display them, as well as just when you update them.

    Still pretty unforgivable, but perhaps slightly less negligent than actually letting people modify the pages. Just slightly tho..

  11. Jon Kale
    Unhappy

    @Stuart Castle, re: The Funny Thing is

    Vendor-provided patches won't help you here: the SQL injection attacks that the article refers to are mostly down to having clueless incompetents writing bespoke apps/web-sites. Resolving the problem would require IT departments to be able to a) identify, b) hire and c) retain competent developers.

    Unfortunately, IME developers, development managers, IT managers and HR departments display a clueless:clueful ratio of about 9:1 (ever tried hiring? If not, I recommend it sometime, if only to piss yourself laughing at some of the CVs that'll cross your desk) and even among the clueful ones the level of security knowledge is remarkably - and worryingly - low. Until such time as this situation is resolved, there'll continue to be a permanent festival of shit code out there...

  12. RW
    Paris Hilton

    What's going on

    Real simple: sound website & network design and implementation is a difficult, specialized type of work. The number of people competent at it is much, much smaller than the number needed.

    Hence, most websites are built by incompetents.

    A contributory element is the ready availability of point-and-drool development tools that you don't need much specialized knowledge, if any, to use. These tools try to dumb down a difficult task so Everyman can do it (also Everywoman), and in the process make the construction of insecure systems even easier.

    Given what I've read today about the fiasco in San Francisco, it sounds like there's only one competent person in the city's IT department. And he's in jail.

    Paris, because surely she points and drools sometimes.

  13. Anonymous Coward
    Alert

    Default Write Access

    I used to work for a company producing web based Health and Safety courses for the work place. The results were dumped into an SQL - or even worse Access database!!

    When I started there, I was stunned that the programmers' idea of a default install was to open up write access to the WHOLE directory tree to ANYONE!! (Of course, using the default "sa" username and password!!)

    These were .Net (or VB) programmers living in a very strange world. They had no idea about security (but how many small companies actually bother with training?)

    I had to argue to get security locked down... not as if the software was being used in any important location... This stuff was installed on PUBLIC FACING websites in Councils, Police, Fire and even Banks!!

    The reason behind this slackness? The salesmen just wanted their sales. Commission was all that was important to them - no care at all for security or properly trained staff.

    It's the drive to make money that means companies just plain don't care about your data or security. (And I think Hackney was one of ours... so it wouldn't surprise me if they got in through our product... LoL!!!)

    (Oh - and as you can guess... I was "let go" due to the costs I was causing on site trying to lock down the mess caused by the programmers....)

  14. Anonymous Coward
    Flame

    To boil it down

    It's plain and simple ignorance, not of how to stop it, but of how highly skilled you need to be to stop it. I could rant for hours about the time it takes to acquire the specialized skills needed to maintain safe web sites, and proper SQL data-base design/configuration, but what's the point? The people in charge won't listen; they know best, after all, they're in charge, aren't they.

  15. Anonymous Coward
    Anonymous Coward

    It's no surprise

    People just don't want to bother with security.

    I had a programming teacher in college who showed us example code prone to SQL injection, he didn't see the immediate problem even after I pointed it out.

  16. Anonymous Coward
    Thumb Up

    RE: To boil it down

    >> it's plain and simple ignorance not of how to stop it, but of how highly skilled you need to
    >> be to stop it. I could rant for hours about the time it takes to acquire the specialized
    >> skills needed to maintain safe web sites, and proper SQL data-base
    >> design/configuration, but whats the point the people in charge won't listen they know
    >> best after all they're in charge aren't they.

    That is very true, however you can massively improve the security of a webserver without highly specialized skills - however it does require intelligence, knowledge, willingness to read up the issues and acceptance that it is a real and present danger. Large organisations and .govs could improve their security massively by getting Breach* (or some such) in to install web application firewalls and the like.

    *I am in no way affiliated with Breach, unless you count being a grateful user of ModSecurity.

  17. Anonymous Coward
    Paris Hilton

    I guess no-one does proper error checking anymore!

    I guess this isn't done and there is no "escape" used to basically render some of the code unusable as I don't think UPDATE this.field WHERE that.field > 0 would work etc..

    I mean scan for .(anything) as really we shouldn't stop one sentence and start another right away.or should we. No just doesn't make sense

    Gee I was taught programming in COMAL ffs on a BBC master and we had to do error checking on it, and testing, guess the "error checking" is half-hearted and the "testing" that's what the customers are for (oh wait that sounds so much like an MS programmer - lol).

    hmm

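    // Characters treated as "rogue"; a PCRE pattern needs delimiters and a character class.
    $match = '/[<>!=?|]/';
    // clean_field() is the poster's own placeholder and is not defined here.
    if (preg_match($match, $this->value))
    { $this->value = clean_field($this->value); }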

    or something like that anyway, check for rogue values before it goes near the SQL statement

    Paris because she probably has more of a clue about "checking"
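
Added example, not part of any comment in this thread: the two defences raised in comments 10 and 17, shown in Python with sqlite3. The comment text is bound as a query parameter instead of being spliced or blacklisted, and it is HTML-encoded on output. The table, function names and sample strings are constructed for illustration; nihal.js is the script name quoted in comment 10.

```python
import html
import sqlite3

# Constructed sample inputs; the second and third mirror comment 10's description.
BENIGN = "Hello"
QUOTE_BREAKOUT = "Hello' UPDATE blah blah"
SCRIPT_TAG = '<script src="nihal.js"></script>'


def open_db():
    """Throwaway in-memory database with a hypothetical comments table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return db


def save_comment_concat(db, body):
    """'Before' form: user text is spliced into the SQL string."""
    try:
        db.execute("INSERT INTO comments (body) VALUES ('" + body + "')")
        return "stored"
    except sqlite3.Error as exc:
        # The quote closed the string literal, so the remainder was parsed as SQL.
        return "parsed-as-sql: " + str(exc)


def save_comment_param(db, body):
    """Hardened form: the driver binds the value, so it is never parsed as SQL."""
    db.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    return "stored"


def render_comments(db):
    """Encode on output, so markup already sitting in the table stays inert."""
    rows = db.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return "\n".join("<li>" + html.escape(body) + "</li>" for (body,) in rows)


if __name__ == "__main__":
    db = open_db()
    print(save_comment_concat(db, QUOTE_BREAKOUT))  # input reached the SQL parser
    print(save_comment_param(db, QUOTE_BREAKOUT))   # stored verbatim as data
    save_comment_param(db, SCRIPT_TAG)
    print(render_comments(db))
```

Binding accepts characters such as `<`, `>` and `'` as ordinary data, so legitimate comments are not rejected the way a character blacklist would reject them.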

  18. Anonymous Coward
    Anonymous Coward

    Re: It's no surprise

    >> I had a programming teacher in college who showed us example code prone to SQL
    >> injection, he didn't see the immediate problem even after I pointed it out.

    Is that college in the UK or US (university) sense? If it is in the UK sense, it is certainly no surprise, most FE I(C)T lecturers teach their students to make database applications using Excel.

  19. Charles Manning

    @Graham

    "tech savvy blighty"

    Bah! Poms won't be able to make good websites until they can figure out how to make them leak oil.
