Yahoo! Breach: SQL Injection

As the Yahoo story breaks, I will continue to preach the “due-diligence” approach. These attacks occur because companies do not pay attention. D33ds claims this is a “wake-up call” – I would say to everyone, not just Yahoo.

As the story breaks we are learning more details, but let’s examine three areas of “fail” on Yahoo’s part based on what is speculated at this point.

  • Fail 1.  Encrypting data at rest – The credentials were reported to have been found in clear text.
  • Fail 2.  Monitoring – It is reported that over 2,000 database tables and/or column names along with 298 MySQL variables were captured. The amount of network traffic this attack would have generated should have set off even the most basic IDS rules.
  • Fail 3.  Least privilege – D33ds was reported to have gained administrative access to the database. Clearly the concept of least privilege was not applied to the application service account.

As a bonus, what happened to security as part of the development life cycle? How did a SQL injection flaw make it to production?
“What constitutes proper due diligence?”
The answer: Due diligence is a relative term; properly inventorying assets and assessing risk enables an organization to recognize gaps and implement controls and/or mitigation processes and policies.

Understanding the business objectives, processes, and data provides organizations with a foundation for building the proper controls, processes, and policies.

The basics – such as requiring strong passwords, monitoring, disabling and filtering unnecessary services, and least-privilege account access – are still being missed today. How we implement these items is specific to our business, but doing so is crucial to staying safe.
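As an added illustration of Fail 1 and of the bonus question above (example code written for this post, not Yahoo’s code and not part of the original article): a user lookup built by string concatenation next to its parameterized form, plus salted password hashing instead of clear-text storage, run against a constructed in-memory SQLite table.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for the demo; not a real schema or real credentials.
SAMPLE_USERS = [("alice", "correct horse battery"), ("bob", "hunter2")]


def hash_password(password: str, salt: bytes = None) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the clear-text password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in SAMPLE_USERS])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: input is spliced into the SQL text, so it is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Classic textbook tautology, used only to show how the two lookups differ.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("unsafe:", lookup_unsafe(db, TAUTOLOGY))  # every row comes back
    print("safe:  ", lookup_safe(db, TAUTOLOGY))    # no such user, nothing returned
```

The hashed column also means a dump of the table no longer hands out usable credentials, which is the point of Fail 1.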
www.systemexperts.com

15 replies
  1. http://tinyurl.com/ says:

    Hey there. I discovered your blog using MSN. That is a really well-written article.
    I’ll make sure to bookmark it and return to read more of your useful information. Thanks for the post.

    I will definitely come back.

  2. ps4 games says:

    You’re really a good webmaster. The site loading speed is amazing.
    It sort of feels that you’re doing some unique trick. Moreover, the contents are a masterpiece.
    You have done an excellent task on this matter!

  3. quest bars cheap says:

    I’ve been exploring for a little while for any high-quality articles or blog posts in this
    sort of house. Exploring in Yahoo I eventually stumbled upon this web site.
    Studying this info, I am satisfied to express that I have a
    very just right uncanny feeling I discovered exactly what I needed.
    I will most certainly make sure not to
    forget this site and give it a look regularly.

  4. quest bars cheap says:

    My partner and I stumbled over here from
    a different website and thought I should check things out.
    I like what I see, so now I’m following you. Looking
    forward to checking out your web page yet again.

  5. ps4 games says:

    Hmm, is anyone else encountering problems with the images on this blog loading?
    I’m trying to figure out if it’s a problem on my end or if it’s the blog.
    Any feedback would be greatly appreciated.

  6. ps4 games says:

    I’m curious to find out what blog platform you have been working with.

    I’m experiencing some small security problems with my latest website and I
    would like to find something more secure. Do you have any suggestions?

  7. ps4 games says:

    We stumbled over here from a different page and thought I might check things out.
    I like what I see, so I am just following you.
    Looking forward to checking out your web page for
    a second time.

  8. ps4 games says:

    Thank you for the auspicious writeup. It in fact was an
    amusement account it. Look advanced to far added agreeable from
    you! By the way, how can we communicate?
