Barracuda Networks' servers got hacked into, SQL injection style
April 11, 2011
Internet security provider Barracuda Networks just announced that it has sustained a serious attack on its servers that appears to have exposed sensitive data concerning the company's partners and employee login credentials.
Barracuda representatives didn't respond to emails seeking confirmation of the anonymous post, which claims the data was exposed as the result of a SQL injection attack. Screenshots showed what was purported to be names, email addresses and phone numbers for Barracuda partners from organizations including Fitchburg State University in Massachusetts and the U.K.'s Hartlepool College of Further Education.
But the anonymous post did appear to be authentic, according to some Internet security observers. The spilled contents also included what appeared to be the email addresses and hashed passwords of Barracuda employees authorized to log in to the company's CMS.
The passwords appeared to be hashed with the MD5 algorithm, which is slowly being phased out in favor of algorithms considered more secure. It was still unclear whether the hashes were salted, which would make them much harder to crack using the various free tools available on the Web.
Overall, SQL injections are the most common form of all Internet-based attacks and have been used as the starting point for an untold number of security breaches, including the one that exposed data for more than 130 million credit cards when confessed hacker Albert Gonzalez broke into credit card processor Heartland Payment Systems.
SQL injection techniques were also the cornerstone in a recent attack on HB Gary, the disgraced security firm that exposed tens of thousands of proprietary emails.
SQL injection attacks exploit poorly written web applications that fail to validate user-supplied data entered into search boxes and other form fields on the targeted site. By smuggling database commands through to the site's backend server, attackers can use the vulnerability to view, and even modify, confidential contents at will.
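An added illustration of the defect described above, written for this page using Python's sqlite3 against a constructed in-memory table; it is example code, not anything from Barracuda's application or the anonymous post, and the partner rows are invented:

```python
import sqlite3

# Constructed sample data standing in for the kind of partner-contact
# table the post described. Every name, address and number is invented.
PARTNERS = [
    ("Alice Example", "alice@example.edu", "+1-555-0100"),
    ("Bob Sample", "bob@example.ac.uk", "+44-555-0101"),
    ("Carol Demo", "carol@example.org", "+1-555-0102"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE partners (name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO partners VALUES (?, ?, ?)", PARTNERS)
    return conn


def search_vulnerable(conn, term):
    # The defect: the search term is spliced straight into the SQL text,
    # so characters in the term can change the meaning of the query.
    sql = "SELECT name, email FROM partners WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # The fix: a parameterized query. The driver passes the term as data,
    # so it is never parsed as SQL, whatever characters it contains.
    sql = "SELECT name, email FROM partners WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def demo():
    conn = make_db()
    honest = "Alice Example"
    # A term that closes the string literal and appends an always-true clause.
    tampered = "' OR '1'='1"
    return {
        "vulnerable_honest": len(search_vulnerable(conn, honest)),
        "vulnerable_tampered": len(search_vulnerable(conn, tampered)),  # whole table
        "safe_honest": len(search_safe(conn, honest)),
        "safe_tampered": len(search_safe(conn, tampered)),  # no such name
    }


if __name__ == "__main__":
    print(demo())
```

The concatenating version returns every row for the tampered term, while the parameterized version treats it as a literal name and matches nothing.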
In total, no fewer than 22 databases, including ones named new_barracuda, information_schema and marketing_info, were exposed, according to the post, which was published today. The post indicated that the company's web apps ran on the ASP.NET platform.
In other Internet security news
Microsoft said Friday that it is preparing for a new Patch Tuesday record with no fewer than 17 security bulletins to be posted tomorrow, nine rated critical and eight rated important, as part of the April edition of its regular monthly update, which is always released on a Tuesday.
Next Tuesday's security update batch for Windows computers and servers will collectively address a total of 64 security vulnerabilities. Security holes in Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework, Windows Server 2003 and Windows Server 2008 will all be patched.
Some of next Tuesday's fixes address a critical SMB Browser flaw that affects all versions of Windows. Vulnerability scanning firm Qualys warns that all supported versions of Office and Windows will need updating, a task likely to result in plenty of overtime for sysadmins.
"This is a huge update and system administrators should plan for deployment as all Windows systems including Server 2003 and 2008 and Windows 7 are all affected by critical security bulletins," said Amol Sarwate, manager of the Vulnerability Research Lab at Qualys.
Frequently used office software like Excel 2003 through 2010 and PowerPoint 2002 through 2010 are also critically affected.
Microsoft also released 17 bulletins in December 2010, but those addressed a total of 40 flaws, fewer than the 64 due to be fixed next Tuesday, and only two of the December bulletins were rated critical.
The April edition is therefore a much bigger concern than the December batch and far beyond the standard fare for Patch Tuesday, which typically runs to three or four bulletins a month.