Looks like MySQL isn’t the only company to be susceptible to a SQL Injection Attack (looking at you Barracuda)

Apparently Barracuda (which is in the network security business) had one of its applications broken into this week, as reported by CNet.  While no source code was stolen from Barracuda, it still has to be embarrassing to have the names and email addresses of employees, leads and partners downloaded, all thanks to a poorly written PHP application.  Passwords were also downloaded as part of the data dump, but the passwords were stored only as MD5 hashes.  However, MD5 isn’t considered very secure any more (which is one of the reasons that SQL Server “Denali” is including SHA2, which is still considered secure).

Apparently the website which was attacked is normally secured using a Barracuda Web Application Firewall, but it was taken offline during a maintenance window on Friday night (April 8th, 2011).  On Saturday night at about 5pm a script began crawling the website looking for SQL Injection weaknesses, and it found one about two hours later.

Sadly this isn’t the first SQL Injection attack to happen recently.  Just a couple of weeks ago MySQL.com’s website was also attacked using SQL Injection, and a large amount of information was taken from their database as well.

You can read more about the Barracuda breach on CNet or on Barracuda’s own blog.

Denny

4 Thoughts.

  1. This is very sad news. How do we secure our system from this type of attack?

    We have to discuss this among DBAs to get a clear picture.

    How can we protect our server?
    Is there any way(s) that we can implement in the organization?

  2. This is the catch with SQL Injection: as DBAs we can’t protect the databases from SQL Injection. This must be done from the application layer before the data gets to the SQL Server. By the time it gets to the SQL Server it is just too late. I talk about SQL Injection in chapter 6 of “Securing SQL Server”; there are lots of other books available on SQL Injection specifically.

  3. If you only allow your app to hit stored procedures, you can prevent a hacker from running ad-hoc queries through SQL injection. When the web-dev group says they need ad-hoc SQL queries, just say no. If you really have to give ad-hoc access, grant it only to a DMZ schema and take care what you put in there.
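The application-layer fix the comments above describe, as an added example that is not from the post or its commenters: the same lookup written the way the "poorly written PHP application" in the post would have built it (input spliced into the SQL text) beside the parameterized form, run against a constructed in-memory SQLite table standing in for the contact data. The table, rows and function names are assumptions for the demonstration only.

```python
import sqlite3

# Constructed sample data standing in for the kind of contact table the
# post describes (names and e-mail addresses); these are not real records.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "partner"),
    ("bob", "bob@example.com", "lead"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Splices user input straight into the SQL text (the bug class in the
    post). A quote character in `name` changes the query's structure."""
    sql = f"SELECT name, email FROM contacts WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup with a bound parameter: the input travels as data, so the
    query's structure is fixed before the value is ever seen."""
    sql = "SELECT name, email FROM contacts WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> tuple:
    """Run both lookups with a classic tautology payload and return the row
    counts: the vulnerable form returns every row, the safe form none."""
    conn = build_db()
    payload = "x' OR '1'='1"
    vulnerable_rows = lookup_vulnerable(conn, payload)
    safe_rows = lookup_parameterized(conn, payload)
    return len(vulnerable_rows), len(safe_rows)


if __name__ == "__main__":
    print(demo())  # (2, 0)
```

Binding the value also matters when the app calls stored procedures, as comment 3 suggests: a procedure invoked through a string-built EXEC statement is just as injectable as an ad-hoc query.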
