Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity
    • Database
    • Networking

    Security Firm Barracuda Networks Embarrassed by Hacker Database Break-in

    By
    Fahmida Y. Rashid
    -
    April 12, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Security software producer Barracuda Networks was hit by a SQL injection attack launched on April 9 while the company’s own Barracuda Web Application Firewall was offline for scheduled maintenance, Michael Perone, Barracuda Network executive vice president, wrote April 12 on the corporate blog.

      The attacker uncovered email addresses of select Barracuda employees with their passwords as well as name, email address, company affiliations and phone numbers of sales leads generated by the company’s channel partners. Barracuda does not store any financial information in that database.

      “The bad news is that we made a mistake,” Perone said.

      Barracuda’s firewall was accidentally put into passive monitoring mode, which means it lets all the traffic through without doing any analysis or blocking and was essentially doing nothing since late evening April 8. This gave the attacker sufficient time to poke around via an automated script to crawl the site.

      It took approximately two hours of “nonstop” probing before the intruder discovered a SQL injection flaw in a PHP script used to display customer case studies. That error allowed the attacker entry into the database used for marketing programs and sales lead development efforts. The customer case study database was on the same system as the one used for marketing programs.

      The initial reconnaissance attempts came from one IP address, and another IP address joined the attack three hours later, Perone said.

      While the exposed employee passwords were encrypted, they were stored using the MD5 hashing algorithm, which is considered to be an outdated encryption method. The good news is the hashes were “salted,” making them harder to crack using commonly available tools.

      The incident is highly embarrassing for Barracuda, as it provides security services to its corporate customers. Barracuda learned the hard way that a Website can’t be left unprotected for a full day and companies can’t be complacent about coding practices or other processes just because there is a firewall in place to block threats. Finally, even if the database itself is secure, coding vulnerabilities elsewhere can compromise the data.

      “Security companies don’t always practice what they preach, leaving themselves vulnerable to attacks like this,” Jason Reed, director of security and compliance at SystemExperts, told eWEEK.

      SQL injection flaws are usually introduced in the Website because the developers are in a hurry to implement features, Reed said. Applications shouldn’t be using an administrator account to connect to the database and it shouldn’t use direct SQL statements in scripts. Separating out code from data prevents attackers from passing in malicious SQL code.

      The attacker, under the name Fdf, posted the email addresses and other stolen information as proof of the attack on a Tumblr blog. Since this is the only post currently on the “HMSec Full Disclosure” blog, it’s safe to say that Fdf created the Tumblr blog specifically for this attack. Fdf also thanked nine other individuals and “other Malaysian hackers” on the post.

      Fdf obtained a full list of databases on the server and viewed the contents of at least five tables on one of the databases using a blind SQL injection attack.

      A blind SQL injection attack means the errors and results from the malicious SQL queries are not displayed directly to the attacker. Instead, the attacker has to write complicated code to expose little bits of the data at a time and then re-create the information. Oracle’s MySQL.com and Sun.com sites were both recently targeted by blind SQL injection attacks.

      Barracuda apologized for the incident in the blog post and said it was notifying affected individuals.

      Fahmida Y. Rashid
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×