...iness today would consider it foolhardy not to use an antivirus program on their office machines. Practically all businesses would also have some built-in redundancy for their data storage just in case there is a hard drive crash or other catastrophic failure caused by fire or flooding.

But what most business owners don't realize is that their websites are just as open to attacks by online hackers and viruses as their local machines, especially if your websites are hosted on a virtual server, meaning that multiple sites are hosted using the same hardware. Virtual services are attractive because of their low pricing, but this form of hosting also leaves the other websites hosted on that server vulnerable to one bad apple.

For example, in May of 2007, over 90,000 websites were hijacked by cybercriminals to illegally install malicious software on visitors' computers when they clicked on the Google search results. Research conducted by StopBadware found that about 10 percent of those sites were hosted by one particular hosting company. This hosting company had nearly 250,000 malicious websites.

This incident is not a strike against virtual servers but a warning to online merchants that you cannot depend on your web hosting company to secure your websites. This is your responsibility, and you will have to accept the dire consequences if you are not proactive in securing your business sites.

Now there are several different methods that hackers can use to break into your website, but here we'll look at three of the main web attack mechanisms. These are SQL Injection, Cross Site Scripting and CRLF injection.

SQL Injection is one of the most common web attacks used today. Many web applications allow website visitors to submit and retrieve data from a database, one of the most common applications being a user forum. Every time forum members make a post, this information is saved in a database to be retrieved later when the post is viewed. Databases make possible a website's ability to show payment information, company statistics, user data and a host of other types of information. The Internet as you know it would not be possible without databases.

SQL Injection is a hacking technique that sends false or illegal requests to a database in an attempt to manipulate the information in some way. Such attacks can allow the hacker to view information in the database or completely delete it. If you run a website with any such features as search pages, login forms, shopping carts, contact forms or feedback forms, your web site is a candidate for SQL Injection attacks. The same fields that your website visitors are asked to fill out are open doors hackers can use to destroy your databases and expose sensitive data.

Cross Site Scripting is another very common hacking technique that takes advantage of vulnerabilities in a 'dynamic website', allowing the attacker to send malicious code to the end-user and extract data from the victim.

You see, a webpage is made up of HTML code and the actual text. So-called 'static pages' are created when the browser interprets this code to show a single-option page. But in order to give the user some level of control over how the page looks, web applications are used to create 'dynamic pages'. It is in such dynamic pages that hackers can inject malicious code and trick the user into running this script on their local machine in order to steal their sensitive data. These attacks come in the form of JavaScript, VBScript, ActiveX and Flash, making many users very careful about running these scripts from their browsers.

CRLF is simply the acronym for Carriage Return / Line Feed. When you use a word processor such as Microsoft Word, you can press the Enter key to go to a new line, but no characters appear on the screen. However, if you choose to look at the hidden formatting, you will see the symbols used for the CRLF.

A CRLF injection attack does not come through a security hole or the software run by the server but takes advantage of the way the web application was coded. For example, a hacker can input a statement into a form including the codes for the CR and LF characters, and the web application can then mistakenly take this for a CRLF that was used in the original coding itself. Part of the security measure to overcome this attack will be to filter out any CRLF code that a user can input at your website. Such attacks can completely disable a website.

The purpose of this article was not to make you an Internet security expert like myself, but to build your awareness that your business security shield must go beyond your local machine to your web sites.