I got this link from Bob in Alaska which notes that some ad servers got hacked and were actually serving malicious code to clients. If you clicked on one of the affected ads, then you might want to double-check your anti-virus, anti-spyware, and any other anti-not-what-I-want software.
Apparently hackers have decided to stop paying people to set up botnets and instead take advantage of the infrastructure already built by large advertising networks. This has happened in a few ways. The article above talked about a hacked server at one media company that was serving ads containing a malicious IFRAME, which could compromise the users who clicked on those ads.
In another, more disturbing case, criminals purchased advertising while posing as a legitimate business. They submitted a Flash ad containing hidden code that could be activated later to serve malware or redirect users to another site. The advertising salespeople had no tools in place to inspect the Flash code for anything like this, and they assumed they were dealing with a legitimate company.
Now that's a creative exploit. Pose as a company buying advertising for HP, Microsoft, or some other large company that doesn't typically buy its own ads. Send in an ad that looks legitimate, pay for it, and include code you can activate later to perform malicious actions. And if you buy ads at the end of the month or quarter, the salesperson on the other side is sure to push it through quickly to meet their quota.
This is scary, especially if you are a company that receives content from others and expects it to run on your site. To you it's just data: code that you include, images, Flash, or any number of other formats. How can you be sure that it's valid?
How long before criminals start uploading funny videos to YouTube that contain malicious code? Who thinks twice about viewing a video? How long before there's an exploit worth enough to justify buying an ad on NBC.com or some other video site and attacking its audience?
As SQL Server gets used on more and more platforms and stores more and more media, it starts to make sense to include some type of validation or scanning for the different kinds of binary data you might store. After all, anyone in your company who retrieves data from your database, no matter what its type, will assume it's clean.
You might be better off not making that same assumption.
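Here is an added example of the kind of first-pass validation the previous paragraphs argue for. It is not code from the original editorial or from SQL Server; it is a small Python check you would run at the application layer before a blob goes into a database or out onto a page. The magic-byte table, the marker list, and the sample blobs are all constructed for the example. It catches the cases described above (a "GIF" that is really a Flash SWF, an "image" that is really an HTML page with an IFRAME) but it is a structural check, not a malware scanner, and the marker scan is a heuristic that can false-positive on random binary data.

```python
# Added example: validate binary content against its declared type before
# storing or serving it. Assumes a (declared_type, bytes) interface;
# nothing here comes from the original page or from SQL Server itself.

# Leading byte signatures for the formats an ad pipeline is likely to see.
# (Constructed table; "swf" covers uncompressed, zlib and LZMA Flash files.)
MAGIC = {
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "swf": [b"FWS", b"CWS", b"ZWS"],
    "pdf": [b"%PDF-"],
}

# Markup that has no business inside an image blob. Heuristic only:
# a hit means "send to a human", not "this is malware".
SUSPICIOUS_MARKERS = [b"<iframe", b"<script", b"javascript:", b"<object", b"<embed"]


def sniff_type(blob):
    """Identify the real format from its leading bytes, ignoring the declared type."""
    for fmt, signatures in MAGIC.items():
        if any(blob.startswith(sig) for sig in signatures):
            return fmt
    if blob.lstrip().lower().startswith((b"<html", b"<!doctype html")):
        return "html"
    return "unknown"


def find_markers(blob):
    """Return the suspicious markup markers present anywhere in the blob."""
    lowered = blob.lower()
    return [m.decode() for m in SUSPICIOUS_MARKERS if m in lowered]


def check_upload(declared_type, blob, allowed=("gif", "png", "jpeg")):
    """Return (ok, reasons). ok is True only when every check passes."""
    reasons = []
    actual = sniff_type(blob)
    if actual == "unknown":
        reasons.append("unrecognized format")
    elif actual != declared_type:
        reasons.append(f"declared {declared_type} but content is {actual}")
    if actual not in allowed:
        reasons.append(f"type {actual} is not on the allow list")
    markers = find_markers(blob)
    if markers:
        reasons.append("embedded markup: " + ", ".join(markers))
    return (not reasons, reasons)


# Constructed sample blobs (truncated headers, not real files).
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"
SAMPLE_SWF_AS_GIF = b"CWS\x0a\x00\x10\x00\x00x\x9c" + b"\x00" * 16   # Flash file uploaded as "gif"
SAMPLE_HTML_AS_GIF = b'<html><body><iframe src="//example.invalid/x"></iframe></body></html>'


if __name__ == "__main__":
    for label, declared, blob in (
        ("clean gif", "gif", SAMPLE_GIF),
        ("swf disguised as gif", "gif", SAMPLE_SWF_AS_GIF),
        ("html disguised as gif", "gif", SAMPLE_HTML_AS_GIF),
    ):
        ok, reasons = check_upload(declared, blob)
        print(f"{label}: {'accept' if ok else 'reject'} {reasons}")
```

Run it before the INSERT, not after: the point of the editorial is that once the bytes are in the database, every downstream consumer treats them as trusted. Rejecting a declared/actual mismatch up front is cheap, and keeping Flash off the allow list entirely removes the "activate it later" trick from the picture for any pipeline that only needs static images.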
Steve Jones
The Voice of the DBA Podcasts
The podcast feeds are now available at sqlservercentral.podshow.com to get better bandwidth and maybe a little more exposure :). Comments are definitely appreciated and wanted, and you can get feeds from there.
- Quicktime Podcast - 27.2MB
- Windows Media Podcast - 13.8MB WMV
- iPod Video Podcast - 10.7MB MP4
Today's podcast features music by Joe Sibol. If you like it, check out his stuff on iTunes or at www.joesibol.com.
I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.