News broke today of a large data breach against Yahoo Voices, resulting in more than 400,000 username/password combinations being posted in clear text. The compromise involved a basic SQL-injection attack against an exposed Yahoo server (dbb1.ac.bf1.yahoo.com). Similar to other recent events, the account data was reportedly stored in an unencrypted state.
We see this type of attack over and over. Most recently LinkedIn and eHarmony were in the news with similar issues. This Yahoo breach is just the latest in a series of similar attacks that occur in multiples every day.
The attack was launched by the D33DS Co., whose release included this:“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure.”
D33DS is probably correct in that latter sentence. But are their methods and motivation ethical or legal? That’s a different story. Regardless, Yahoo’s overlooking basic countermeasures against basic attacks (such as SQL injection) cannot be excused.
This is not the first time that Yahoo has been compromised in this way. During the last five years, Yahoo Local Neighbors, Yahoo Kids, Yahoo Classifieds, and others have been successfully targeted.
Ironically, there is a blog on SQL-injection prevention on Yahoo Voices. It was posted in 2009.
What else is interesting about the latest breach?
More than just @yahoo.com usernames and accounts were exposed. If there was ever a time to heed warnings about password reuse, especially across public and high-traffic social systems, this is it. Yahoo may have been the focus of this attack, but data in the dump could be used to target specific users from AOL, Microsoft, Google, Comcast, SBC Global, and others.
Here is a breakdown of associated domains that appear in the D33Ds release:
I’ll leave you with several McAfee resources for understanding SQL injection:
- WebSec 101 – SQL Injection. http://www.mcafee.com/us/resources/audio/transcripts/websec101-sqlinjection-slides.pdf
- McAfee Security Scanner for Databases. http://www.mcafee.com/us/products/security-scanner-for-databases.aspx
- Threat Brief – LizaMoon. http://www.mcafee.com/us/resources/solution-briefs/sb-lizamoon-sql-injection.pdf
- White paper on Real-time Database Monitoring, Auditing, and Intrusion Prevention. http://www.mcafee.com/us/resources/white-papers/wp-real-time-database-monitoring.pdf