Securing SQL Server

Looks like MySQL isn’t the only company susceptible to a SQL Injection attack (looking at you, Barracuda).

Apparently Barracuda (who is in the network security business) had one of their applications broken into this week, as reported by CNet.  While no source code was stolen from Barracuda, it still has to be embarrassing to have the names and email addresses of employees, leads and partners downloaded, all thanks to a poorly written PHP application.  Passwords were also downloaded as part of the data dump, but the passwords were only stored as MD5 hashes.  However, MD5 isn’t considered very secure any more (which is one of the reasons that SQL Server “Denali” is including SHA2, which is still considered to be secure).

Apparently the website which was attacked is normally secured using a Barracuda Web Application Firewall, but it was taken offline during a maintenance window on Friday night (April 8th, 2011).  On Saturday night at about 5pm a script began crawling the website looking for SQL Injection weaknesses, and it found one about two hours later.

Sadly this isn’t the first SQL Injection attack to happen recently.  Just a couple of weeks ago MySQL.com’s website was also attacked using SQL Injection, and a large amount of information was taken from their database as well.
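The two weaknesses behind both breaches, user input concatenated into SQL text and passwords stored as unsalted MD5, both have straightforward fixes on the SQL Server side.  The T-SQL below is an added example and not code from the original post or from either of the sites mentioned; the table, column and procedure names are assumptions.  It shows a dynamic SQL procedure written the injectable way next to the parameterized `sp_executesql` form, and password storage using a random per-user salt with `HASHBYTES('SHA2_256', ...)`, which is the SHA2 support the post mentions for SQL Server “Denali” (SQL Server 2012).

```sql
-- Added example (not from the original post). Schema names are assumed.
CREATE TABLE dbo.Users (
    UserName     nvarchar(128) NOT NULL PRIMARY KEY,
    PasswordSalt varbinary(16) NOT NULL,
    PasswordHash varbinary(32) NOT NULL   -- SHA2_256 output is 32 bytes
);
GO

-- Injectable pattern: the caller's value is spliced into the SQL text, so a
-- stray quote in @UserName changes the statement instead of the compared value.
CREATE PROCEDURE dbo.GetUser_Unsafe @UserName nvarchar(128)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT UserName FROM dbo.Users WHERE UserName = N''' + @UserName + N'''';
    EXEC (@sql);
END;
GO

-- Hardened form: the SQL text is constant and the value travels as a typed
-- parameter, so whatever the caller supplies is only ever data.
CREATE PROCEDURE dbo.GetUser @UserName nvarchar(128)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT UserName FROM dbo.Users WHERE UserName = @p';
    EXEC sp_executesql @sql, N'@p nvarchar(128)', @p = @UserName;
END;
GO

-- Password storage: random 16-byte salt per user (CRYPT_GEN_RANDOM, SQL Server
-- 2008+) hashed together with the password using SHA2_256 (HASHBYTES supports
-- SHA2_256/SHA2_512 from SQL Server 2012 onward; earlier versions stop at SHA1).
CREATE PROCEDURE dbo.SetPassword @UserName nvarchar(128), @Password nvarchar(128)
AS
BEGIN
    DECLARE @salt varbinary(16) = CRYPT_GEN_RANDOM(16);
    DECLARE @hash varbinary(32) =
        HASHBYTES('SHA2_256', @salt + CAST(@Password AS varbinary(256)));

    MERGE dbo.Users AS t
    USING (SELECT @UserName AS UserName) AS s ON t.UserName = s.UserName
    WHEN MATCHED THEN
        UPDATE SET PasswordSalt = @salt, PasswordHash = @hash
    WHEN NOT MATCHED THEN
        INSERT (UserName, PasswordSalt, PasswordHash) VALUES (@UserName, @salt, @hash);
END;
GO

-- Verification recomputes the hash with the stored salt; a wrong password or an
-- unknown user both yield @Ok = 0, so the caller cannot tell the two cases apart.
CREATE PROCEDURE dbo.CheckPassword
    @UserName nvarchar(128), @Password nvarchar(128), @Ok bit OUTPUT
AS
BEGIN
    SET @Ok = 0;
    SELECT @Ok = CASE
                    WHEN PasswordHash = HASHBYTES('SHA2_256',
                             PasswordSalt + CAST(@Password AS varbinary(256)))
                    THEN 1 ELSE 0
                 END
    FROM dbo.Users
    WHERE UserName = @UserName;
    SET @Ok = ISNULL(@Ok, 0);
END;
GO

-- Usage (constructed values):
-- EXEC dbo.SetPassword N'alice', N'correct horse battery staple';
-- DECLARE @ok bit; EXEC dbo.CheckPassword N'alice', N'wrong', @ok OUTPUT; SELECT @ok;  -- 0
```

The salt stops a single leaked dump from being cracked against precomputed MD5 or SHA2 tables, but SHA2 is still a fast hash; where the application layer can do the hashing, a deliberately slow scheme such as PBKDF2 or bcrypt raises the cost of guessing further.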

You can read more about the Barracuda breach on CNet or on Barracuda’s own blog.

Denny