Security Company Gets Hacked

by Edwin T
The article I chose for this week is titled “Security Firm Barracuda Networks Embarrassed by Hacker Database Break-in”. Barracuda took down their firewall for maintenance for no more than a few hours before an attacker was able to infiltrate it. According to Barracuda, the attacker discovered an SQL injection flaw in a PHP script used to display customer case studies. The attacker was able to get employee passwords that were encrypted using the MD5 hashing algorithm, which is considered outdated by today’s standards. Jason Reed, director of security and compliance at SystemExperts, states, “Security companies don’t always practice what they preach, leaving themselves vulnerable to attacks like this.” According to the article, the attacker used a blind SQL injection attack, which means “the errors and results from the malicious SQL queries are not displayed directly to the attacker. Instead, the attacker has to write complicated code to expose little bits of the data at a time and then recreate the information.” Barracuda apologized for the incident in the blog post and said it was notifying affected individuals.

More than 20,000 websites are likely infected with malware

by Taylor G
Google warned this week that as many as 20,000 websites could have been hacked and injected with JavaScript redirect malware. Google sent out a message this week that said, “Specifically, we think that JavaScript has been injected into your site by a third party and may be used to redirect users to malicious sites.” They warned owners to look for files containing “eval(function(p,a,c,k,e,r)”. Apparently the code can be placed in HTML, JavaScript, or even PHP files. The malware could’ve even affected the owner’s configuration files. Google wanted to make it clear that this malware should be removed to fix the vulnerability to protect site visitors, as well as updating this software and maintaining contact with their web hosts for technical support. This isn’t the first time Google has had an anti-malware campaign; in July Google excluded more than 11 million URLs from a specific domain, “co.cc”, because they were said to be used by cybercriminals to spread antivirus programs and conduct drive-by attacks.

iPhone gets iPwned

by Kevin Q
The article I read was quite short but interesting nonetheless. It was about a yearly competition that is held called the Pwn2Own, which is a hacking competition in which teams of people compete to hack systems and devices. With the growth in popularity of smart phones, Vincenzo Iozzo and Ralf-Philipp Weinmann set their sights on hacking the infamous iPhone. By simply visiting a malicious website that they had set up, the iPhone, with no user input, had its entire SMS database stolen without consent. The entire SMS database on smart phones would include text messages, picture messages, contacts, emails and more. It only took 20 seconds to lift all that data from the iPhone, and Apple was gladly ready to award the $15k reward in order to study these two hackers’ exploitative findings. The previous year smart phones did not receive any malicious harm, so it was somewhat of a thrill at the competition to see the first successful hacking.

Not so Sweet for Team Meat

by Kevin Q

My article is on an event that took place last December. It involves a video game developer known as Team Meat and their PC version of the game Super Meat Boy. Super Meat Boy is a single player game that tests people’s platforming skills (think Mario Brothers on crack) and allows users to compete and place on leader boards for best times and earn achievements for completing insanely hard levels. Last December a user reportedly tried to notify Team Meat that their MySQL servers were not secure via Twitter. The user’s concerns were brushed off by Team Meat saying, “Trust me. It’s fine. I’ve done this stuff for awhile now.” Later that day their game was attacked by the users known as Anonymous. Leader boards became unstable, people couldn’t upload their data to the Team Meat SQL servers, and worst of all, levels had their title names changed to write out not so nice sentences to the developer Team Meat. One sentence read across multiple levels reads, “This is why you don’t connect to a remote MySQL Database in your game.” Team Meat still tried to brush this event off as not being a security hole, but the fact that other paying users were strongly affected by this shows bad professionalism on their part.

Big Data, Big Problems

by Jongwoo Y
Zappos and 6PM, two of the largest online clothing retailers in the United States, have recently experienced a security breach in their big data. This cyber attack has affected the information of 24 million customers, the largest amount since the attacks that Sony had received last year. Barbara Scott, a director of a technology services business and victim to these recent attacks, believes that this type of attack should not be viable for companies with so much financial backing. “You would think companies like eBay or Amazon have the financial backing wherewithal to take the proper security measures” (Perlroth, 2012). The attacks have been able to retrieve the customer names, encrypted passwords, phone numbers, e-mail addresses, and the last four digits of customer credit cards. What was even more outrageous than the attacks was the email that millions of Zappos customers received from the CEO, Tony Hsieh (who is usually held in high regard). In the email, Hsieh apologizes, but instructs customers to send emails for questions rather than calling the support lines because they “simply aren’t capable” of taking the expected number of calls (Perlroth, 2012). This incident has left a sour taste in many Zappos customers; not only did they feel less secure with the breach, but also as if they had not been taken care of after the incident had occurred.

Worries of Cloud Computing

by Cole O’C
This CNN Money/Tech Fortune article discusses several issues currently present with cloud computing, including cloud outages, security issues, server issues, and general confusion. After Amazon’s cloud outages, which affected both small companies and corporate giants, this monstrously powerful technology has come under more scrutiny. The article argues that, even with outages, cloud computing is still a far safer and more efficient method for most companies. It states that the visibility of cloud outages due to so many companies being affected is a somewhat unpleasant advantage, as an internal IT service could fail without anyone noticing for quite some time. The next topic discussed is cloud security and server separation, mainly focusing on how security issues of one company may affect the others. It uses an example of how Dropbox, a file-syncing startup company, had a programming glitch which enabled users to access accounts without inputting the correct password. While this would be quite disastrous even without cloud computing, it becomes more of a concern when an unsecure server is physically connected to other virtual machines running on the cloud that would be otherwise safe. Lastly, the article mentions the confusing nature of cloud computing, and how the majority of people (stated as 78% according to NPD Group) do not actually understand the concept of cloud computing, while an almost equally-sized majority (76%) uses cloud-based services, such as Hulu and Gmail.

Oracle’s Approach to Database Security

by Daniel L
Last week my blog post talked about McAfee’s database security offerings and how they were handling the security concerns of businesses. Since database security is a key issue these days, especially with all these server breaches making the headlines, I wanted to cover another company’s approach to database security. Oracle, the company known for its database management systems, has teamed up with F5 Networks to deliver a database firewall to the market. Oracle is gearing this service to go up against database activity monitoring services offered by companies like Imperva and IBM. The way the firewall works is by creating a barrier around the database, scrutinizing any of the SQL statements coming its way, ultimately determining if any immediate action should be taken to block the statement. The firewall is capable of logging statements, sending out alerts if they are out of the ordinary, and it can even substitute SQL statements. A company using the firewall can set up whitelist and blacklist policies which play the role of gatekeeper to the database. Companies shouldn’t worry if they aren’t using a database system built by Oracle; the firewall is compatible with non-Oracle database platforms. Moreover, Oracle and F5 have also developed a web application firewall.

Another Website Hacked

by Joey L
LG’s Australian website was hacked and defaced recently. The hacker team, calling itself “Intra,” defaced LG’s homepage with a message:

“It seems as though your website has been hacked. How did we get past your security? ……. What security? ;).”

The breach has been archived by Zone-H.com, which is a database of defaced websites. Most of the time, website defacements are limited to simple vandalism, but it is difficult to tell how deep the hackers have hacked into the database. In LG’s case, the attacker had compromised the web server hosting LG’s site; the website home page has been replaced completely. This is considered a deeper hack since hackers are accessing the web server itself rather than a common SQL injection, which exploits a hole in the web application. Usually whenever a website has been hacked via SQL injection or Stored Cross Site Scripting, you would still see the malicious code embedded in the HTML code. LG has suspended the site until the incident has been fully investigated.

Steam/Valve’s Database gets hacked!!

by Taylor G

For all of you PC gamers out there, who play games on Steam, watch out! Last Sunday, November 6, Steam’s servers were hacked. The hackers were able to access the user database and the user forums. Initially the company thought that they were just hacking the forums, but later found out that they obtained information from the user database containing user names, hashed/salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. The company said that they “do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked.” They are still under investigation. It was somewhat of a coincidence that this occurred just a little less than a week before the release of a new game on Steam called ‘Skyrim: The Elder Scrolls V’. The company suggests the users change their passwords and watch their credit card and bank statements. Now Steam offers something called ‘Steam Guard’ which prevents unwanted users from accessing your computer unless you enter a code, delivered to your email.

FBI Catches LulzSec Hacker

by Asbed P
Many companies use SQL databases to store company and customer information. Sometimes these databases are not very well protected. In Sony’s case, their databases were left open to a group of hackers known as LulzSec. This loosely knit group of hackers likes to create chaos and mischief for their own entertainment and not necessarily for profit. On Thursday, September 22, 2011, a hacker named “Recursion” from the group LulzSec was tracked down and caught by the Federal Bureau of Investigation. He attacked the database by using a technique also known as SQL injection that allowed him full access into Sony Pictures’ systems. From there he was able to post massive amounts of data online as part of LulzSec’s data dumps, which included email addresses and passwords of Sony customers. The student from Phoenix used an online proxy service and a hard drive cleaner to cover his tracks, but that was not enough. He could spend the next 15 years in prison if he is found guilty.