October 09, 2004

Stop SQL Injection Attacks Before They Stop You

Official advice from the source — ASP.NET developers take heed.

Armed with advanced server-side technologies like ASP.NET and powerful database servers such as Microsoft® SQL Server™, developers are able to create dynamic, data-driven Web sites with incredible ease. But the power of ASP.NET and SQL can easily be used against you by hackers mounting an all-too-common class of attack—the SQL injection attack. The basic idea behind a SQL injection attack is this: you create a Web page that allows the user to enter text into a textbox that will be used to execute a query against a database. A hacker enters a malformed SQL statement into the textbox that changes the nature of the query so that it can be used to break into, alter, or damage the back-end database.

[ Full Story @ MSDN Magazine Sept 2004 ]

Source: MSDN Magazine Sept 2004 © 2004 Microsoft

Related websites (not necessarily endorsed by In The Faith):
MSDN

Posted by akvalley at 02:07 PM | Comments (0) | TrackBack

Colin Angus Mackay's "SQL Injection Attacks"

A must-read for web developers everywhere. Although Colin’s article specifically handles SQL injection attacks for the ASP.NET environment, his advice can be applied to any data-driven web application. Let us be secure from intrusion.

Every day I see messages on various forums asking for help with SQL. Nothing wrong with that. People want to understand how something works, or have a partial understanding but something is keeping them from completing their task. However, I frequently also see messages that have SQL statements being built in C# or VB.NET that are extremely susceptible to injection attack. Sometimes it is from the original poster and, while they really need to learn to defend their systems, that is fine as they are trying to learn. Nevertheless there is also a proportion of people responding to these questions that give advice that opens up gaping security holes in the original poster’s system, if they follow that advice.

[ Full Story @ Stuff that’s in my head ]

Source: Stuff that’s in my head © 2004 Colin Angus Mackay

Posted by akvalley at 01:06 PM | Comments (0) | TrackBack
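
The pattern the two SQL injection posts above warn about, shown as an added example that is not from MSDN Magazine, Colin Mackay's article, or this blog: a query built by string concatenation beside the same query with a bound parameter. It assumes Python's built-in sqlite3 in place of ASP.NET and SQL Server so that it runs offline; the table, function names and textbox inputs are all constructed for illustration.

```python
import sqlite3

# Constructed textbox inputs (illustrative only).
HONEST = "alice"
QUOTED = "o'brien"               # legitimate value containing an apostrophe
TAMPERED = "nobody' OR '1'='1"   # value that rewrites the WHERE clause


def make_db():
    """Build an in-memory table of constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret"), ("o'brien", "c-secret")],
    )
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable: the textbox value becomes part of the SQL text."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened: the value is sent as a bound parameter, never parsed as SQL."""
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run each input through both lookups and collect the outcomes."""
    conn = make_db()
    results = {}
    for label, value in (("honest", HONEST), ("quoted", QUOTED), ("tampered", TAMPERED)):
        try:
            concatenated = lookup_concatenated(conn, value)
        except sqlite3.OperationalError:
            # The stray apostrophe broke the statement's syntax.
            concatenated = "syntax error"
        results[label] = (concatenated, lookup_parameterized(conn, value))
    return results


if __name__ == "__main__":
    for label, (concatenated, parameterized) in demo().items():
        print(label, "| concatenated:", concatenated, "| parameterized:", parameterized)
```

The concatenated lookup returns every row for the tampered input and fails outright on the legitimate apostrophe, while the parameterized lookup treats both values as plain data.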

October 07, 2004

House passes 2nd anti-spyware bill

Adds penalties of up to five years in prison

WASHINGTON - The House on Thursday passed the second bill in three days that would outlaw “spyware,” irritating software that quietly monitors the activities of Internet users.

It would add penalties of up to five years in prison for people convicted of installing such programs without a computer user’s permission.

The bill, known as the “Internet Spyware Prevention Act,” passed 415-0. It would give the Justice Department $10 million to crack down on companies and others that secretly install spyware and those who attempt to trick victims into disclosing personal details and financial information in e-mail scams popularly known as “phishing.”

[ Full Story @ MSNBC.com ]

Source: MSNBC.com © 2004 MSNBC.com

Posted by akvalley at 05:52 PM | Comments (1) | TrackBack

October 06, 2004

Bill imposes hefty 'spyware' fines

Finally, something that makes a lot of sense. Pass legislation against those spyware creeps. Dump Internet Explorer and take control of your life with Firefox, Opera, Lynx, a homing pigeon, something… just NOT IE…

WASHINGTON (AP) — Companies and others that secretly install “spyware” programs on people’s computers to quietly monitor their Internet activities would face hefty federal fines under a bill the House passed Tuesday.

The most egregious behaviors ascribed to the category of such software — secretly recording a person’s computer keystrokes or mouse clicks — are already illegal under U.S. wiretap and consumer protection laws.

The House proposal, known as the “Spy Act,” adds civil penalties over what has emerged as an extraordinary frustration for Internet users, whose infected computers often turn sluggish and perform unexpectedly.

[ Full Story @ CNN.com ]

Source: CNN.com © 2004 Cable News Network

Related websites (not necessarily endorsed by akv):
Firefox Web Browser
Opera Web Browser

Posted by akvalley at 08:52 AM | Comments (0) | TrackBack