I have a personal web site I set up years ago, mainly so I could post stuff for my extended family and kind of keep a log of my life. Back then it was a "weblog" instead just a blog and there wasn’t much software around for the Windows world. Plenty for the *nix world, and there was Moveably Type, but I wanted a SQL Server based solution. So I wrote my own, added some simple features and it worked great for me.
I added in some other interests, and like many people in the 2000-2001 timeframe, I assumed most people would come to look at the site and not attack it. After all, it’s just pictures and thoughts and comments from me.
Apparently not!
Last week, F-Secure, a security vendor, got hit by a SQLInjection attack, which is also what happened to my site a few weeks back. I was on my way back from the UK, arrived at home to find Google had marked my site as a malicious site. I ended up spending hours cleaning out the database, even whacking some data, and eventually removing all the “script” stuff that had been inserted.
Embarrassing for me, but way worse for a security vendor.
We all want to get things done, be effective, and sometimes that means quick and dirty, throwing up pages on a web site to put out information quickly. However those quick and dirty efforts still need to conform to some good security practices. Especially these days, with worms like Conficker out there.
No comments:
Post a Comment