Hyperguarding your Web Applications


Some Rocky Times for RockYou

Posted by hyperguard on January 13, 2010

SQL injection is one of the biggest problems in web application security: we’ve seen it with Heartland, 7-Eleven and Hannaford Brothers, and now RockYou. These attacks are widely known and publicized; however, it still takes companies that have experienced an attack 67 days to resolve the underlying issues!

In early December, RockYou, a provider of third-party apps for Facebook, MySpace and other social-networking sites, suffered a data breach that exposed nearly 32 million RockYou users’ e-mail addresses and passwords. This information had been stored in plain text and was reachable through a SQL injection hole. Now Alan Claridge, an affected user, has filed a proposed class action lawsuit on December 28, alleging that RockYou failed to properly secure his data, allowed the hacker ‘igigi’ to gain access to it and failed to promptly notify him about it.

We are not certain of the exact technology RockYou was using, but if a dWAF had been in place it could have blocked this attack and saved the company from this disaster. More importantly, RockYou could have protected its customers’ PII (personally identifiable information). Because a dWAF is flexible, it allows patches to be applied with minimal disruption to the network, which is quite helpful in situations like these.

Moving forward, RockYou will be further investigating the breach, reviewing its security protocols and implementing new practices:

  • Encrypting all passwords
  • Upgrading the legacy platform with the same infrastructure and industry standard security protocols we employ on our partner applications platforms
  • Reviewing our current data security features and ensuring that they meet industry standards and best practices

To read more background on the RockYou breach check out SC Magazine’s article.

Follow this discussion on Twitter @hyperguard


Burglars, Rush Hour and Web Application Firewalls

Posted by hyperguard on October 1, 2009

Who would have thought a carpool service web site could be the stuff of pulp novels and Hollywood capers? After reading about the early September plight of RideMatch.info in the New York Times, you might not see the connection since ‘Agent Smith’ reported technically about this run-of-the-mill SQL injection attack on the popular Southern California commuter website. Dig into the details and you will assuredly start to crave popcorn and your favorite soda!

The opening shot would pan stage-left to settle on a robed gentleman at his PC. Steaming cup of java in hand, our subject clicks his mouse on SEND to whisk his phone number, address, commute time, work location, employee ID number and name to RideMatch’s member database to find a suitable carpool. Satisfied, our man walks slowly off camera.

Camera fades to black as the narrator sets the stage for drama to come, “little did Joe know his life was about to crash into those of a cat burglar, overworked web application developer and an eager hacker.”

Because a hacker exploited a coding flaw in RideMatch’s site – the infamous SQL injection – he was able to see every user’s data: who was home when, employment information and social security numbers (which doubled as employee ID numbers), data whose only value lay in selling it to others. While the burglary didn’t actually happen, it isn’t much of a stretch to see that it very well could have. Would a web application firewall (WAF) have prevented this and saved RideMatch from certain liability? If configured correctly, yes.
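The coding flaw behind a breach like RideMatch’s is usually a query built by pasting user input into SQL text. The added example below (our illustration, not RideMatch’s code; the member table and its rows are constructed) shows a carpool lookup written the vulnerable way beside the parameterised fix, using a classic tautology input to make the difference visible.

```python
import sqlite3

# Constructed sample data standing in for a carpool-matching member table
# (names, numbers and IDs are made up; this is not RideMatch's schema).
MEMBERS = [
    ("Joe Commuter", "555-0101", "12 Elm St", "08:00", "Downtown", "123-45-6789"),
    ("Ann Driver",   "555-0102", "9 Oak Ave",  "07:30", "Airport",  "987-65-4321"),
    ("Bob Rider",    "555-0103", "4 Pine Rd",  "08:15", "Downtown", "555-12-3456"),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, phone TEXT, address TEXT, "
                 "commute_time TEXT, work_location TEXT, employee_id TEXT)")
    conn.executemany("INSERT INTO members VALUES (?,?,?,?,?,?)", MEMBERS)
    return conn

def find_carpool_vulnerable(conn, work_location):
    # The coding flaw: user input is pasted straight into the SQL text, so a
    # quote in the input closes the literal and rewrites the WHERE clause.
    sql = ("SELECT name, phone, address FROM members "
           f"WHERE work_location = '{work_location}'")
    return conn.execute(sql).fetchall()

def find_carpool_safe(conn, work_location):
    # Parameterised query: the driver binds the value separately from the
    # statement, so the input can only ever be compared as a literal string.
    sql = "SELECT name, phone, address FROM members WHERE work_location = ?"
    return conn.execute(sql, (work_location,)).fetchall()

if __name__ == "__main__":
    conn = build_db()
    honest = "Downtown"
    tautology = "x' OR '1'='1"   # textbook injection string, shown only for contrast
    print(len(find_carpool_vulnerable(conn, honest)))     # 2: the Downtown members
    print(len(find_carpool_vulnerable(conn, tautology)))  # 3: every member's record
    print(len(find_carpool_safe(conn, tautology)))        # 0: nobody works at that literal string
```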

How prevalent is this issue? Very. Here are just a few of the interesting public cases.

On August 17, 2009, the United States Justice Department charged American citizen Albert Gonzalez and two unnamed Russians with the theft of 130 million credit card numbers using a SQL injection attack. In reportedly “the biggest case of identity theft in American history”, Gonzalez stole card numbers from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven and supermarket chain Hannaford Brothers.

In 2008, from at least April through August, a sweep of attacks began exploiting SQL injection vulnerabilities in web applications running on Microsoft’s IIS web server and SQL Server database server. The attack doesn’t require guessing the name of a table or column, and corrupts all text columns in all tables in a single request. An HTML string that references a malware JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches to gaining control over the visitor’s system. The number of exploited web pages is estimated at 500,000.
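Because the appended tag lands in every text column of every table, an incident responder cannot clean it up by checking the one column they know about. The added example below (ours, not from any affected site; the tables, rows and the placeholder hostname are constructed) walks the database catalogue to locate every stored value carrying an injected external script tag and strips the tag out.

```python
import re
import sqlite3

# Pattern for the kind of payload the 2008 campaign appended to stored text:
# an HTML tag that pulls in an external script.
INJECTED_SCRIPT = re.compile(r"<script[^>]*\bsrc\s*=", re.IGNORECASE)
WHOLE_TAG = re.compile(r"<script[^>]*\bsrc\s*=[^>]*>.*?</script>",
                       re.IGNORECASE | re.DOTALL)

def build_sample_db():
    # Constructed data: two unrelated tables, three values carrying the tag.
    # The hostname is a placeholder, not a real indicator.
    tag = '<script src="http://example.invalid/payload.js"></script>'
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, title TEXT, price REAL)")
    conn.execute("CREATE TABLE news (id INTEGER, headline TEXT, body TEXT)")
    conn.executemany("INSERT INTO products VALUES (?,?,?)",
                     [(1, "Lamp" + tag, 9.5), (2, "Chair", 20.0)])
    conn.executemany("INSERT INTO news VALUES (?,?,?)",
                     [(1, "Opening hours" + tag, "We open at 9." + tag),
                      (2, "Holiday", "Closed on Monday.")])
    return conn

def text_columns(conn):
    # Walk the catalogue instead of guessing names: the campaign hit every
    # text column in every table, so the scan has to cover them all.
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in conn.execute(f'PRAGMA table_info("{table}")'):
            if col[2].upper() == "TEXT":          # col = (cid, name, type, ...)
                yield table, col[1]

def find_injected_values(conn):
    # Returns (table, column, rowid) for every stored value carrying the tag.
    hits = []
    for table, column in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
            if value is not None and INJECTED_SCRIPT.search(value):
                hits.append((table, column, rowid))
    return hits

def strip_injected_tags(conn):
    # Remediation: remove the appended tag from each affected value and
    # return how many values were rewritten.
    cleaned = 0
    for table, column, rowid in find_injected_values(conn):
        (value,) = conn.execute(
            f'SELECT "{column}" FROM "{table}" WHERE rowid = ?', (rowid,)).fetchone()
        conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE rowid = ?',
                     (WHOLE_TAG.sub("", value), rowid))
        cleaned += 1
    conn.commit()
    return cleaned
```

Cleaning the rows removes the symptom only; the injection hole that let the UPDATE in must still be fixed, or the values will be rewritten again.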

On April 13, 2008, the Sexual and Violent Offender Registry of Oklahoma shut down its site for ‘routine maintenance’ after being informed that 10,597 social security numbers belonging to sex offenders had been downloaded via SQL injection.
