Security
The intersection of Barack and security
Netcraft: Hacker redirects Barack Obama's site to hillaryclinton.com. Okay, folks, here's the thing: never trust any place where a user can enter text into your website and have it displayed back. Never trust any text that comes from a form field on your site; treat it as data, and encode it for the context you display it in rather than pasting it into the page. Because if you do trust it, smart and devious people like Mox here can use that trust to do embarrassing things to your visitors.
On the (very) slightly mitigating side, the attack was not against the main Obama website but against his community blog platform, and the vulnerability that was exploited has already been closed. But this type of vulnerability, cross-site scripting (XSS), is insidious unless you begin your web application with the assumption that all user input is untrusted and must be validated on the way in and encoded on the way out. And even then, checking your own code is not enough; you need to check all the third-party code that makes up your site.
It would be immodest of me to mention that my company's service can do just such a check, without requiring you to build security expertise in-house, and for a modest fee.
Edit the Oklahoma Sex Offenders Registry!
In what is shaping up to be a fine security trifecta (see yesterday's post about an as-yet unpatched cross-site scripting vulnerability at CIA.gov), yesterday's Daily WTF posting concerned a naked SQL injection vulnerability on the Oklahoma Department of Corrections website. The vulnerability allowed anyone who cared to download lots of details from Oklahoma's sex offender registry that shouldn't have been accessible, including social security numbers (identity theft, anyone?), and also allowed access to other tables in the database, including information on corrections staff members. The page is now, mercifully, offline, though not before a commenter claimed that he was able to insert someone's name into the database by putting a different SQL statement in the URL.
The xkcd strip Little Bobby Tables illustrates this type of vulnerability as well. Moral of the story: don't trust user input, and never build a query by pasting it into the SQL text; bind it as a parameter so the database never parses it as part of the statement.
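To make the Oklahoma bug concrete, here is an added example (mine, not code from the Daily WTF post or the Oklahoma site) of the same class of hole against a constructed in-memory SQLite database. The schema, table and column names, the rows, and the attacker strings are all hypothetical; the point is that a value spliced into the SQL text can drop the filter, read columns the page never selects, and read tables the page never queries, while the parameterized form of the same query treats every one of those strings as a literal city name.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data (hypothetical schema, not Oklahoma's): one table the
    public page is meant to search, plus a column and a second table it must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, city TEXT, ssn TEXT);
        CREATE TABLE staff (id INTEGER PRIMARY KEY, name TEXT, badge TEXT);
        INSERT INTO offenders VALUES (1, 'John Doe', 'Tulsa', '078-05-1120');
        INSERT INTO offenders VALUES (2, 'Jane Roe', 'Norman', '219-09-9999');
        INSERT INTO staff VALUES (1, 'Officer A', 'B-1001');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, city: str) -> list:
    """Vulnerable: the city value from the URL is spliced into the SQL text, so
    whatever the visitor typed is parsed as part of the statement."""
    sql = f"SELECT name, city FROM offenders WHERE city = '{city}'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, city: str) -> list:
    """Hardened: the same query with the value bound as a parameter. The engine
    compiles the statement first and substitutes the data afterwards, so nothing a
    visitor supplies can change the query's shape."""
    return conn.execute(
        "SELECT name, city FROM offenders WHERE city = ?", (city,)
    ).fetchall()


def stacked_statement_rejected(conn: sqlite3.Connection, payload: str) -> bool:
    """Check: will this driver run a second, attacker-supplied statement? Python's
    sqlite3 execute() refuses more than one statement per call (older versions raise
    sqlite3.Warning, newer ones ProgrammingError); many other drivers run it, which
    is the kind of hole an INSERT-in-the-URL trick relies on."""
    try:
        search_vulnerable(conn, payload)
        return False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True


# Constructed attack strings, typed where the page expects a city name.
DUMP_ALL = "' OR '1'='1"                                   # drops the WHERE filter
UNION_SSN = "' UNION SELECT name, ssn FROM offenders --"    # reads a hidden column
UNION_STAFF = "' UNION SELECT name, badge FROM staff --"    # reads a different table
STACKED_INSERT = "'; INSERT INTO offenders VALUES (3, 'Mox', 'Nowhere', '000-00-0000'); --"

if __name__ == "__main__":
    db = build_db()
    for label, payload in [("filter bypass", DUMP_ALL),
                           ("ssn dump", UNION_SSN),
                           ("staff table", UNION_STAFF)]:
        print(label, "vulnerable:", search_vulnerable(db, payload))
        print(label, "safe:      ", search_safe(db, payload))
    print("stacked INSERT refused by this driver:", stacked_statement_rejected(db, STACKED_INSERT))
```

The `--` at the end of the UNION payloads comments out the closing quote the page appends, which is why the attacker never has to balance it. Note that the stacked-statement check only tells you what this driver does; the parameterized query is the fix regardless of driver.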
Cross-site scripting, illustrated
Wired ThreatLevel Blog: Look Ma, I'm on CIA.gov. Wired's security blog reports a cross-site scripting vulnerability in the CIA's web site and gives a convenient demo exploit. The exploit is benign enough, illustrating how JavaScript injected through the CIA's search results page can be used to load an iframe containing arbitrary content. But the potential for mischief is significant. Imagine loading a phishing site this way, on a page served from the CIA's own domain. Or imagine this vulnerability on your bank's home page.
Too often security vulnerabilities are abstract. This one, thanks to Wired, is pretty real. I’m surprised it’s still up, actually.
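Both this CIA.gov demo and the Obama blog redirect above are the same bug seen from two angles: a search term or comment echoed back into the page without encoding. The following is an added example, written for this page and not taken from Wired, Netcraft, or either site, of a minimal search-results renderer in its vulnerable and hardened forms, plus a check that counts the tags and event handlers a browser would actually act on. The payloads are constructed; attacker.example is a placeholder host, and the redirect target mirrors the one the Netcraft story describes.

```python
import html
from html.parser import HTMLParser

# Constructed payloads modelled on the two incidents: a script that sends the visitor
# elsewhere (the redirect) and an iframe that pulls in arbitrary content (the CIA.gov
# demo). attacker.example is a placeholder host.
REDIRECT = "<script>location='https://hillaryclinton.com/'</script>"
IFRAME = '<iframe src="https://attacker.example/phish" width="100%" height="600"></iframe>'
# A third payload aimed at the attribute context rather than the page body.
ATTR_BREAKOUT = '" autofocus onfocus="location=\'https://attacker.example/\''


def render_vulnerable(query: str) -> str:
    """Vulnerable search-results page: the term is echoed verbatim into the heading
    and back into the search box, so tags and quotes in it become part of the page."""
    return (f"<h1>Results for {query}</h1>\n"
            f'<input name="q" value="{query}">')


def render_safe(query: str) -> str:
    """Hardened: the same page with the untrusted value encoded for where it lands.
    html.escape(..., quote=True) covers both text content and double-quoted
    attributes; it turns <, >, &, " and ' into entities the browser shows as text."""
    q = html.escape(query, quote=True)
    return (f"<h1>Results for {q}</h1>\n"
            f'<input name="q" value="{q}">')


class _TagCollector(HTMLParser):
    """Records every start tag and attribute name the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def active_content(page: str) -> dict:
    """Check: which elements and on* event handlers a browser would execute in the
    rendered page. A safe rendering of a search term should contribute none beyond
    the page's own h1 and input."""
    p = _TagCollector()
    p.feed(page)
    p.close()
    return {"tags": p.tags, "handlers": [a for a in p.attrs if a.startswith("on")]}


if __name__ == "__main__":
    for name, payload in [("redirect", REDIRECT), ("iframe", IFRAME), ("attribute", ATTR_BREAKOUT)]:
        print(name, "vulnerable:", active_content(render_vulnerable(payload)))
        print(name, "safe:      ", active_content(render_safe(payload)))
```

The attribute payload is the reason escaping has to be chosen per context: a filter that only strips `<script>` tags would let it through, yet it needs no angle brackets at all to run. Encoding quotes as well as angle brackets, as `html.escape` does with `quote=True`, closes both the body and the attribute routes; a JavaScript or URL context would need its own encoder on top.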
Veracode: Cool Vendor
Quick pointers to a few awards Veracode has won recently:
- Readers Choice Award, Information Security Magazine and SearchSecurity.com
- Gartner Cool Vendor Award, Application Security and Authentication category
It’s great for Veracode to get this kind of recognition. I’m really proud to work at a company that can make a difference to how companies address application security.
Oops. Almost forgot to mention: Looks like I'll be at the Gartner IT Security Summit in early June in Washington, DC. I'm looking forward to getting the long view on the industry. And from the speaker list, it looks like I might get a chance to get Bruce Sterling's signature next to William Gibson's on my copy of The Difference Engine.
Why does Microsoft push unpatched software via Windows Update?
It is, for a change, a very good question from CNet. If you know that security vulnerabilities exist in your software, and you’ve already patched those vulnerabilities, and you have a well-documented process for slipstreaming patches into existing installs, and you have an automatic update process...
... why in the hell would you have that automated update service push the unpatched software rather than fully patched versions?
The short time between install and patch isn’t a good enough reason. Even if Microsoft automatically forced a re-run of Windows Update after each update session, as Mac OS X does, history shows that it doesn’t take long for unpatched, vulnerable software to be exploited. There is relatively little cost to Microsoft to prepare fully patched downloads, and the payback is huge risk avoidance. Fix it, already, guys.
Last updated Tuesday, April 22, 2008 at 9:42:32 AM.