Posted by: Robert Westervelt
Security Vendor News, SQL injection, website vulnerabilities
The security vendor’s corporate website was compromised via a SQL injection attack.
Web security giant Barracuda Networks acknowledged Monday that a hacker used a SQL injection attack to gain access to its corporate website.
The hacker made off with Barracuda encrypted passwords and email addresses of channel partners, sales leads and some Barracuda employees, according to Michael Perone, Barracuda’s executive vice president and chief marketing officer. Most of the data consisted of names and email addresses, Perone wrote in the Barracuda Labs blog.
“Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords. However, all active passwords for applications in use remain secure.”
Perone acknowledged that the attacker bypassed the Barracuda Web application firewall that was in place to protect the website. The firewall was placed into monitoring mode for maintenance on April 8. A day later, an automated script began crawling the website looking for vulnerabilities.
“After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market,” Perone said.
The customer case study database shared the SQL database used for marketing programs, which contained the names and email addresses. “The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later,” Perone wrote.
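The flaw Perone describes, a request parameter spliced into the query text of a script that filters case studies by vertical market, is the textbook SQL injection pattern. The example below is added here to show it next to the parameterized form that closes the hole; it is not Barracuda's code, and it uses Python with an in-memory SQLite table (constructed sample rows, an assumed `case_studies` schema) rather than the original PHP, because the query-building mistake and its fix are identical in both. It also includes a small allow-list check of the kind a WAF rule or input-validation layer can apply in front of such a script.

```python
import sqlite3

# Constructed sample data standing in for the case-study table that, per the
# article, lived in the same database as marketing contact data. The schema and
# rows are assumptions for this example, not Barracuda's.
SAMPLE_CASE_STUDIES = [
    ("Acme Hospital", "healthcare"),
    ("First Example Bank", "finance"),
    ("Example State University", "education"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE case_studies (customer TEXT, vertical TEXT)")
    conn.executemany("INSERT INTO case_studies VALUES (?, ?)", SAMPLE_CASE_STUDIES)
    return conn


def case_studies_vulnerable(conn, vertical):
    """Vulnerable pattern: the request parameter is pasted into the SQL text,
    so whatever the client sends in `vertical` becomes part of the query."""
    sql = "SELECT customer FROM case_studies WHERE vertical = '" + vertical + "'"
    return [row[0] for row in conn.execute(sql)]


def case_studies_parameterized(conn, vertical):
    """Hardened pattern: the value travels as a bound parameter. The query
    structure is fixed in advance and the input can only be compared as data."""
    sql = "SELECT customer FROM case_studies WHERE vertical = ?"
    return [row[0] for row in conn.execute(sql, (vertical,))]


def looks_like_sql_probe(value):
    """Allow-list check for the edge (WAF rule or input validation): vertical
    market keys are plain ASCII words, optionally hyphenated. Returns True when
    the input should be rejected or at least logged as suspicious."""
    return not value.isascii() or not value.replace("-", "").isalpha()


if __name__ == "__main__":
    conn = build_db()
    benign = "healthcare"
    hostile = "x' OR '1'='1"  # constructed probe value for the demonstration
    print(case_studies_vulnerable(conn, benign))        # ['Acme Hospital']
    print(case_studies_vulnerable(conn, hostile))       # every row in the table
    print(case_studies_parameterized(conn, hostile))    # []
    print(looks_like_sql_probe(hostile))                # True
```

The vulnerable function returns every row for the hostile value because the quote character terminates the string literal and the rest becomes live SQL; the parameterized function returns nothing because the whole value is compared, quote and all, against the `vertical` column. The allow-list check is a defence-in-depth layer, not a substitute for parameterization: the article's own timeline shows what happens when the edge control is in monitoring mode and the script behind it is the only thing standing between the request and the shared database.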
Most of the exposed data were email addresses associated with sales leads for Barracuda channel partners. Some of the contents included email addresses and hashed passwords of Barracuda employees authorized to manage the website. Perone said the passwords were also “salted,” preventing an attacker from using a tool to crack the hashing algorithm.
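Perone's point about salting is that a per-record random salt makes precomputed lookup tables useless, so each stolen hash has to be attacked on its own. The following is an added example of that storage scheme, not Barracuda's implementation (the article does not say which algorithm or parameters were used): it hashes with PBKDF2-HMAC-SHA256, an assumed choice, using a fresh 16-byte salt per password and a constant-time comparison on verification.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. An assumed value for this example; a
# slow, tunable hash is what makes per-hash guessing expensive for the attacker.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different digests, so a table precomputed for one
    salt says nothing about any other record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the digest with the stored salt and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def same_password_different_digests(password):
    """Demonstrates the property salting buys: identical passwords stored for
    two different records do not share a digest."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b


if __name__ == "__main__":
    salt, digest = hash_password("correct horse")   # constructed sample password
    print(salt.hex(), digest.hex())
    print(verify_password("correct horse", salt, digest))   # True
    print(verify_password("wrong guess", salt, digest))     # False
    print(same_password_different_digests("correct horse")) # True
```

Store the salt alongside the digest; it is not a secret. What salting does not do is make a weak password safe: an attacker who holds the dump can still guess candidates against each record individually, which is why the iteration count (or a memory-hard function such as scrypt or Argon2) matters as much as the salt.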
The website breach was reported Monday by The Register. The hacker, who called himself Fdf, claimed responsibility for the Barracuda attack, posting the stolen information on his website Monday.
Hackers have taken a keen interest in targeting security firms in 2011. A similar website breach occurred at security giant McAfee, where cross-site scripting errors were to blame. More serious breaches occurred at other security vendors. Last month, RSA, the security division of EMC Corp., announced a breach of its systems resulting in the compromise of its SecurID two-factor authentication products. In February, hackers infiltrated HBGary Federal, making off with thousands of the firm's email messages.
Security experts from across the spectrum say that the breaches are an indication that no one is immune to an attack and that no single security technology is a silver bullet.