Blog|Login|Chinese German Japanese|Follow @imperva
August 27, 2010
 Hackers accidentally give Microsoft their code
Share

Best security article this week--maybe from the past several months.  I can't figure out who is more complacent:  developers and hackers...  Anyways, highlights below

http://www.zdnet.com.au/hackers-accidentally-give-microsoft-their-code-339305548.htm

When hackers crash their systems while developing viruses, the code is often sent directly to Microsoft, according to one of its senior security architects, Rocky Heckman.When the hacker's system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.

"People have sent us their virus code when they're trying to develop their virus and they keep crashing their systems," Heckman said. "It's amazing how much stuff we get."

At a Microsoft Tech.Ed 2010 conference session on hacking today, Heckman detailed to the delegates the top five hacking methods and the best methods for developers to avoid falling victim to them. Heckman explained how to create malicious code that could be used in cross-site scripting or SQL injection attacks and, although he said it "wasn't anything you couldn't pick up on the internet", he suggested delegates use the code responsibly to aid in their protection efforts.

According to Heckman, based on the number of attacks on Microsoft's website, the company was only too familiar with what types of attacks were most popular.

"The first thing [script kiddies] do is fire off all these attacks at Microsoft.com," he said. "On average we get attacked between 7000 and 9000 times per second at Microsoft.com," said the senior security architect.

"I think overall we've done pretty good, even when MafiaBoy took down half the internet, you know, Amazon and eBay and that, we didn't go down, we were still up."

Heckman said there were two reasons why the top hacking methods of cross-site scripting and SQL injection had not changed in the past six years.

"One, it tells me that the bad guys go with what they know, and two, it says the developers aren't listening," he said.

Heckman said that developers should consider all data input by a user as harmful until proven otherwise.


Share |

Posted by Rob Rachwald at 07:39:03 AM | ADC Team, Rob Rachwald


Comments

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

« Web app vulns now 50% of flaws | Main | Risk Homeostasis and RSnake »