Security software producer Barracuda Networks was hit by a SQL injection attack launched on April 9 while the company's own Barracuda Web Application Firewall was offline for scheduled maintenance, Michael Perone, Barracuda Network executive vice president, wrote April 12 on the corporate blog.
The attacker uncovered email addresses of select Barracuda employees with their passwords as well as name, email address, company affiliations and phone numbers of sales leads generated by the company's channel partners. Barracuda does not store any financial information in that database.
"The bad news is that we made a mistake," Perone said.
Barracuda's firewall was accidentally put into passive monitoring mode, which means it lets all the traffic through without doing any analysis or blocking and was essentially doing nothing since late evening April 8. This gave the attacker sufficient time to poke around via an automated script to crawl the site.
It took approximately two hours of "nonstop" probing before the intruder discovered a SQL injection flaw in a PHP script used to display customer case studies. That error allowed the attacker entry into the database used for marketing programs and sales lead development efforts. The customer case study database was on the same system as the one used for marketing programs.
The initial reconnaissance attempts came from one IP address, and another IP address joined the attack three hours later, Perone said.
While the exposed employee passwords were encrypted, they were stored using the MD5 hashing algorithm, which is considered to be an outdated encryption method. The good news is the hashes were "salted," making them harder to crack using commonly available tools.
The incident is highly embarrassing for Barracuda, as it provides security services to its corporate customers. Barracuda learned the hard way that a Website can't be left unprotected for a full day and companies can't be complacent about coding practices or other processes just because there is a firewall in place to block threats. Finally, even if the database itself is secure, coding vulnerabilities elsewhere can compromise the data.
"Security companies don't always practice what they preach, leaving themselves vulnerable to attacks like this," Jason Reed, director of security and compliance at SystemExperts, told eWEEK.
SQL injection flaws are usually introduced in the Website because the developers are in a hurry to implement features, Reed said. Applications shouldn't be using an administrator account to connect to the database and it shouldn't use direct SQL statements in scripts. Separating out code from data prevents attackers from passing in malicious SQL code.
The attacker, under the name Fdf, posted the email addresses and other stolen information as proof of the attack on a Tumblr blog. Since this is the only post currently on the "HMSec Full Disclosure" blog, it's safe to say that Fdf created the Tumblr blog specifically for this attack. Fdf also thanked nine other individuals and "other Malaysian hackers" on the post.
Fdf obtained a full list of databases on the server and viewed the contents of at least five tables on one of the databases using a blind SQL injection attack.
A blind SQL injection attack means the errors and results from the malicious SQL queries are not displayed directly to the attacker. Instead, the attacker has to write complicated code to expose little bits of the data at a time and then re-create the information. Oracle's MySQL.com and Sun.com sites were both recently targeted by blind SQL injection attacks.
Barracuda apologized for the incident in the blog post and said it was notifying affected individuals.