Bloggy Stuff
I feel really bad about being so late in acknowledging John McKay’s eighth blogiversary™. archy is among the small group of paleo-blogs still active. He is also getting close to finishing the first draft of his book.
Jams O’Donnell just hit his fifth at Poor Mouth, and is celebrating by scaling back so he can spend more time with his photography.
At some point I will probably update to the newest version of WordPress, but I’m still waiting for the bug fix release. I wouldn’t bother, but it hardens some things that people think might be subject to attack. The attacks won’t gain access, but it is possible they might “break something”.
If you don’t update, you end up with messes like this from the BBC: “Sites hit in massive web attack”
Security firm Websense has been tracking the attack since it started on 29 March. The initial count of compromised sites was 28,000 sites but this has grown to encompass many times this number as the attack has rolled on.
Websense dubbed it the Lizamoon attack because that was the name of the first domain to which victims were re-directed. The fake software is called the Windows Stability Center.
The re-directions were carried out by what is known as an SQL injection attack. This succeeded because many servers keeping websites running do not filter the text being sent to them by web applications.
…Early reports suggested that the attackers were hitting sites using Microsoft SQL Server 2003 and 2005 and it is thought that weaknesses in associated web application software are proving vulnerable.
SQL injection attacks are old news, and everyone using any SQL server software should have taken precautions to prevent them. In this case, iTunes was attacked, but nothing happened because iTunes automatically checks input. They know they were attacked because they found the malignant script in their database, but it was “neutered” when it was accepted.
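The precautions described above can be sketched as follows. This is an added example, not code from the BBC, Websense, iTunes, or any affected site. It assumes an in-memory SQLite database standing in for the site's SQL server, a hypothetical `reviews` table, and a constructed input string; escaping at render time is one way to neuter stored markup, since the post does not say how iTunes does it.

```python
import html
import re
import sqlite3

# Constructed sample input: a title carrying a quote and a script tag.
# example.invalid is a placeholder host, not an indicator from the attack.
SAMPLE_TITLE = "Great album'</title><script src=http://example.invalid/x.js></script>"
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def open_db():
    """In-memory SQLite stands in for the site's SQL server (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reviews (id INTEGER PRIMARY KEY, title TEXT)")
    return db

def store_title(db, title):
    """Bind the value as a parameter so it is never parsed as SQL."""
    cur = db.execute("INSERT INTO reviews (title) VALUES (?)", (title,))
    db.commit()
    return cur.lastrowid

def find_script_rows(db):
    """Detection sweep: ids of rows whose text contains a <script tag."""
    rows = db.execute("SELECT id, title FROM reviews ORDER BY id")
    return [row_id for row_id, title in rows if SCRIPT_TAG.search(title)]

def render_title(db, row_id):
    """Escape on output so stored markup is shown as text, not executed."""
    row = db.execute("SELECT title FROM reviews WHERE id = ?", (row_id,)).fetchone()
    return "<h2>" + html.escape(row[0], quote=True) + "</h2>"

def demo():
    db = open_db()
    store_title(db, "Quiet Sunday playlist")
    dirty_id = store_title(db, SAMPLE_TITLE)
    return {
        "row_count": db.execute("SELECT COUNT(*) FROM reviews").fetchone()[0],
        "flagged": find_script_rows(db),
        "rendered": render_title(db, dirty_id),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The hostile string is stored verbatim as data, the sweep flags its row, and the rendered page shows it as inert text.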