Hacker Breaks into Barracuda Networks Database via SQL Injection

Paul Mah

Yet another security company was embarrassed over the weekend after a hacker broke into its marketing database. Barracuda Networks, which has an impressive security portfolio that includes the Barracuda Spam & Virus Firewall, Barracuda Web Firewall, as well as VPN and Web Application Firewall appliances, saw the names and email addresses of its employees and partners splashed online. Also posted were the MD5 hashes of passwords, as well as a list of databases on the server, leaving little doubt as to the authenticity of the digital break-in.

 

Responding to the news late on Monday, Executive Vice President and CMO Michael Perone confirmed the compromised information on Barracuda's company blog. Apologizing for the inconvenience to those whose email addresses were exposed, Perone wrote:

The good news is the information compromised was essentially just names and email addresses, and no financial information is even stored in those databases. Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords. However, all active passwords for applications in use remain secure.

The bad news, though, was what led to the compromise by the hacker. In a nutshell, the Barracuda Web Application Firewall (WAF) that was deployed to protect the company's website was mistakenly placed in "passive maintenance mode" during a maintenance window, which, ironically, offered a detailed insight into the attack as it unfolded. Anyway, the effective removal of the WAF from the equation opened the door to an automated script that trawled the website in search of parameters that were not properly validated.

 

It was understood that the script started running on Saturday evening and managed to find a flaw in a "simple" PHP script used to serve up customer case studies after just two hours. A second IP address was detected hours later that presumably was commandeered by a human who went on to exploit the vulnerability, which was confirmed by Perone to involve an SQL injection attack.


 

So what can SMBs learn from this latest episode involving a security vendor? While I can't comment about the need for a WAF for smaller businesses, two points do immediately come to mind.

 

Patch Regularly and Without Delay

 

The rise of sophisticated automated tools has dramatically upped the stakes in the cat-and-mouse game of defending online resources. As Barracuda Networks discovered to its embarrassment, even a vulnerability window measured in mere hours was more than adequate to let an automated script run its course and for a hacker to break in. Certainly, businesses should do the appropriate testing and due diligence when rolling out new security patches and software updates. However, the responsible SMB must now prioritize patching and not relegate it to "non-peak seasons" as it may have in the past.

 

Train Your Developers to Code Defensively

 

The entire situation makes it clear that it is inadequate to merely hire developers who are only able to code Web applications that work. Given the evolving tools and attacks on the Web front, it is imperative that programmers be trained to code defensively against common exploit vectors.

 

Hiring interns to work on that "simple" side project to be hosted on the company website? Well, either make sure at the outset that they are adequately trained or arrange to have the relevant code fastidiously reviewed by an experienced staffer before letting it go "live."
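To make "coding defensively" concrete, here is an added example (not Barracuda's code, which the post does not show) contrasting a lookup that pastes a request parameter into its SQL with one that validates the parameter and binds it. It is written in Python with an in-memory SQLite database so it runs on its own; the `case_studies` table, its columns, the function names and the sample rows are all constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE case_studies (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO case_studies VALUES (1, 'Retail rollout', 1);
        INSERT INTO case_studies VALUES (2, 'Draft: unreleased customer', 0);
    """)
    return db

def fetch_vulnerable(db, raw_id):
    # BEFORE: the request parameter is pasted into the SQL text, so the
    # database parses whatever the client sent as part of the statement.
    sql = "SELECT title FROM case_studies WHERE published = 1 AND id = " + raw_id
    return [row[0] for row in db.execute(sql)]

def fetch_hardened(db, raw_id):
    # AFTER, step 1: validate. A case study id is 1-9 ASCII digits, nothing else.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("invalid case study id")
    # Step 2: bind the value as a parameter so it is never parsed as SQL.
    sql = "SELECT title FROM case_studies WHERE published = 1 AND id = ?"
    return [row[0] for row in db.execute(sql, (int(raw_id),))]

def fetch_bound_only(db, raw_id):
    # Binding alone already neutralises the input: it is compared as a value.
    sql = "SELECT title FROM case_studies WHERE published = 1 AND id = ?"
    return [row[0] for row in db.execute(sql, (raw_id,))]

if __name__ == "__main__":
    db = make_db()
    probe = "2 OR 1=1"  # constructed input of the kind an automated scanner sends
    print("vulnerable:", fetch_vulnerable(db, probe))   # unpublished row leaks
    print("bound only:", fetch_bound_only(db, probe))   # no rows match
    try:
        fetch_hardened(db, probe)
    except ValueError as exc:
        print("hardened:  rejected:", exc)
    print("hardened:  ", fetch_hardened(db, "1"))
```

A code reviewer can look for the first pattern directly: any SQL string assembled with concatenation or formatting from request data is a finding, regardless of whether a WAF sits in front of it.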


