Security software producer Barracuda Networks was hit by a
SQL injection attack launched on April 9 while the company’s own Barracuda
Web Application Firewall was offline for scheduled maintenance, Michael Perone,
Barracuda
Network executive vice president, wrote April 12 on the corporate blog.
The attacker uncovered email addresses of select Barracuda
employees with their passwords as well as name, email address, company
affiliations and phone numbers of sales leads generated by the company’s
channel partners. Barracuda does not store any financial information in that
database.
“The bad news is that we made a mistake,” Perone said.
Barracuda’s firewall was accidentally put into passive
monitoring mode, which means it lets all the traffic through without doing any
analysis or blocking and was essentially doing nothing since late evening April
8. This gave the attacker sufficient time to poke around via an automated
script to crawl the site.
It took approximately two hours of “nonstop” probing before
the intruder discovered a SQL injection flaw in a PHP script used to display
customer case studies. That error allowed the attacker entry into the database
used for marketing programs and sales lead development efforts. The customer
case study database was on the same system as the one used for marketing
programs.
The initial reconnaissance attempts came from one IP
address, and another IP address joined the attack three hours later, Perone
said.
While the exposed employee passwords were encrypted, they
were stored using the MD5 hashing algorithm, which is considered to be an
outdated encryption method. The good news is the hashes were “salted,” making
them harder to crack using commonly available tools.
The incident is highly embarrassing for Barracuda, as it
provides security services to its corporate customers. Barracuda learned the
hard way that a Website can’t be left unprotected for a full day and companies
can’t be complacent about coding practices or other processes just because
there is a firewall in place to block threats. Finally, even if the database
itself is secure, coding vulnerabilities elsewhere can compromise the data.
“Security companies don’t always practice what they preach,
leaving themselves vulnerable to attacks like this,” Jason Reed, director of
security and compliance at SystemExperts, told eWEEK.
SQL injection flaws are usually introduced in the Website
because the developers are in a hurry to implement features, Reed said.
Applications shouldn’t be using an administrator account to connect to the
database and it shouldn’t use direct SQL statements in scripts. Separating out
code from data prevents attackers from passing in malicious SQL code.
The attacker, under the name Fdf, posted the email addresses
and other stolen information as proof of the attack on a Tumblr blog. Since
this is the only post currently on the “HMSec Full Disclosure” blog, it’s safe
to say that Fdf created the Tumblr blog specifically for this attack. Fdf also
thanked nine other individuals and “other Malaysian hackers” on the post.
Fdf obtained a full list of databases on the server and
viewed the contents of at least five tables on one of the databases using a
blind SQL injection attack.
A blind SQL injection attack means the errors and results
from the malicious SQL queries are not displayed directly to the attacker.
Instead, the attacker has to write complicated code to expose little bits of
the data at a time and then re-create the information. Oracle’s MySQL.com and
Sun.com sites were both recently targeted by blind
SQL injection attacks.
Barracuda apologized for the incident in the blog post and
said it was notifying affected individuals.
IT Security & Network Security News & Reviews News & Reviews 
