
The Works: Betrayed by the web

Howard Oakley [MacUser]
The recent website security breaches have shocked Internet users to the point that they may find it harder to entrust any site with their personal details again.

Dr Crippen's grim reputation was largely unfounded: although a homeopathic physician in his native US, he was inadequately qualified to practice medicine in England; he murdered his wife, the commonest pattern of homicide, and the only truly distinctive features were his shocking methods of disposing of her body, and novel arrangement of his arrest by wireless telegram. Compared with the scale, enormity and horrific nature of Dr Harold Shipman's murders, Crippen was mundane. The most disturbing feature of Shipman's scores or even hundreds of victims was that they were his patients, and he remains the only medical practitioner to have been found guilty of that awful crime in England - the most profound betrayal of the trust that a patient must place in their doctor.

Internet security breaches are trivial in comparison, but when hundreds of thousands of sites are affected, their impact on society could be as great. Ever since Internet access became commonplace, and security became a concern, I and many others have led with a single exhortation: stick to trusted websites. April's mass attacks have shown that no website can now be deemed trustworthy.

Details remain controversial. Initial reports suggested that the attackers were exploiting a vulnerability in Microsoft's IIS server software, but this was denied by Microsoft, and others agreed that the attack started with SQL injection. In other words, the sites that were compromised used SQL database back-ends, and because of poor coding practices, the attackers were able to load their own code onto the server, using an automated method to compromise huge numbers of servers in a short space of time. It appears that IIS servers were targeted because they allow generic commands that make it much easier to automate this type of attack.

If you visited a compromised page, it contained links to a group of malicious JavaScripts (some via VBScript intermediaries) on the attackers' server. Depending on which script caught you, a Windows computer could load one of a range of nasty exploits, attacking RealPlayer, Storm Player, or other applications, or installing a password stealer.

If you use a router or firewall to block connections to specific sites, you could perhaps have configured it to prevent following the injected links. However, different link addresses will probably be used in future attacks, ensuring that even well-managed networks provide ample victims. Anti-virus software and standard browser security settings are also unlikely to offer much protection. For the moment these attacks have been installed on Windows servers and affected Windows clients, but they could just as well appear on Linux or Mac OS X servers, affecting Linux or Mac users.

The key vulnerability that should not exist, of course, is the initial SQL injection. Just as an organisation that employed doctors with unchecked credentials is failing in its duty to its patients, so webmasters and developers of sites that leave SQL injection vulnerabilities are failing in their duty of care. It is a scandal that so many reputable sites should have been so vulnerable.

Just as the monstrous Shipman shook medicine to its very roots, so these April attacks will rewrite our approach to security. Great efforts are being made to try to ensure that no doctor can ever murder in the way that Shipman did, but I have yet to hear how we can browse in safety now that no website can ever be trusted again. Further attacks could compromise every activity that has been drawn to the Web, from online banking to filing your tax return. Just what is a 'trusted website' worth now?

