Application Security // Database Security
5/30/2013
10:13 PM

5 Big Database Breaches Of Spring 2013

Learning from the most recent impactful breaches of 2013

This spring's crop of database breaches has been about as abundant as the pollen count this time of year, and twice as likely to make security researchers' eyelids twitch. During the past couple of months, data breaches have ranged from the mundane to the fantastic, with each occurrence offering valuable lessons for security professionals with regard to locking down databases and the applications that access them.

The following five high-profile breaches are some of the lowlights of the season, along with what organizations can learn from each incident.

1. A Big Dam Deal
Fraudulently obtained user credentials gave attackers unauthorized access to a sensitive database held by the U.S. Army Corps of Engineers containing critical details on more than 8,000 dams across the country. Although the Army revoked the credentials involved, the information had already been exposed to attackers whom officials believe were based in China.

Lessons Learned: Access controls are at the heart of any solid database protection plan. In this case, an Army spokesperson told the Washington Free Beacon, which broke the story, that access was "given to an unauthorized individual in January 2013 who was subsequently determined not to have proper level of access for the information." Whether that means the organization's provisioning process was flawed or a malicious party quietly escalated privileges remains unclear, but either way it shows how an access control failure puts a database at risk. The check that catches either case is the same: periodically compare every live database grant against the list of accounts and privileges that were actually approved, and treat any account or privilege that is not on that list as a finding.
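One way to run the grant review described above, as an added example written for this article and not the Army Corps' own process or tooling: parse the live grants, compare them to an approved roster, and flag accounts that are not on the roster at all (the "unauthorized individual" case) as well as accounts holding more than they were approved for (the escalation case). The grant lines imitate MySQL `SHOW GRANTS` output and are constructed; the account names, the `dams` schema and the approved roster are assumptions.

```python
"""Entitlement review: live database grants versus an approved access list.

Added example for this article. The grant text below is constructed in the
MySQL SHOW GRANTS style; accounts, schema and roster are assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample output, one grant per line, as SHOW GRANTS prints them.
SAMPLE_GRANTS = """
GRANT SELECT ON `dams`.`inventory` TO 'analyst'@'%'
GRANT SELECT, INSERT, UPDATE ON `dams`.`inventory` TO 'curator'@'10.0.0.5'
GRANT ALL PRIVILEGES ON `dams`.* TO 'contractor'@'%'
GRANT SELECT ON `dams`.`inventory` TO 'j_doe'@'%'
""".strip()

# Approved entitlements (assumed): account -> privileges allowed on the schema.
# j_doe is deliberately absent: an account nobody signed off on.
APPROVED: Dict[str, Set[str]] = {
    "analyst": {"SELECT"},
    "curator": {"SELECT", "INSERT", "UPDATE"},
    "contractor": {"SELECT"},
}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+'(?P<user>[^']+)'@'(?P<host>[^']+)'$"
)


def parse_grants(text: str) -> List[Tuple[str, str, Set[str], str]]:
    """Return (user, host, privileges, object) for each grant line."""
    out = []
    for line in text.splitlines():
        m = GRANT_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised grant line: " + line)
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        out.append((m.group("user"), m.group("host"), privs, m.group("obj")))
    return out


def review(grants_text: str, approved: Dict[str, Set[str]]) -> List[str]:
    """Flag accounts missing from the roster and grants exceeding the approved set."""
    findings = []
    for user, host, privs, obj in parse_grants(grants_text):
        if user not in approved:
            findings.append(f"{user}@{host}: not on the approved roster ({obj})")
            continue
        if "ALL PRIVILEGES" in privs:
            # ALL PRIVILEGES is never a least-privilege grant for a data account.
            findings.append(
                f"{user}@{host}: ALL PRIVILEGES on {obj}, approved {sorted(approved[user])}"
            )
            continue
        excess = privs - approved[user]
        if excess:
            findings.append(f"{user}@{host}: excess {sorted(excess)} on {obj}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_GRANTS, APPROVED):
        print(finding)
```

Run against real output, the two findings this sample produces are exactly the two failure modes the article leaves open: an account that was never approved, and an approved account holding far more than it should. Feeding the review from the database itself rather than from the provisioning system is the point; the provisioning records only say what was meant to happen.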

2. Bitcoin DB Blunder
As a currency mainstay of the cyber underworld, Bitcoin has unsurprisingly attracted the attention of malicious hackers, who have taken to attacking the exchanges and services that trade in and hold the virtual currency. In addition to a high-profile DDoS attack against the exchange Mt. Gox in April, criminals also took so many liberties with the databases of the hosted-wallet service Instawallet that it had to close up shop. The firm reported that, because of the fraudulent access to its databases, it was "impossible to reopen the service as-is."

Lessons Learned: Databases, particularly those run by high-risk, transaction-intensive financial businesses, are the foundation of how those businesses operate. Failing to fully secure an organization's most mission-critical databases can have catastrophic consequences, as the shutdown of Instawallet illustrates.

3. $45 Million Database Deficiency
A contender for the biggest cybercrime case of the year, the complex $45 million ATM cyber heist that investigators uncovered this spring had its roots in a database hack. The masterminds hired hackers to break into databases holding details about prepaid debit cards, altered selected cards so that they were tied to effectively unlimited pools of cash, cloned those cards, and hired cashers and money mules to drain the accounts at ATMs in New York.

Lessons Learned: Often the breach of a database is the first and most fundamental step in fraud, scams and other larceny that would be difficult to pull off without that kind of access. Authorities have not released details on how the prepaid debit card databases were breached, but given the poor state of security at financial organizations in developing countries, security pundits suspect that something as simple as a SQL injection attack started it all.

[Why do injection attacks still stand on top of the OWASP Top 10 2013? See Myth-Busting SQL- And Other Injection Attacks.]

4. LivingSocial Lost Data
LivingSocial committed the ultimate social faux pas when it let thieves pillage a database containing the personal details of 50 million of its customers. Security experts said that, given the number of records exposed and the type of information stolen, the breach was most likely the result of a run-of-the-mill SQL injection attack or an attack that exploited framework vulnerabilities.

Lessons Learned: The passwords in the breached database were not stored in the clear (LivingSocial described them as hashed and salted), which is a good start. But organizations must stay vigilant about parameterizing every query into the database, validating input coming from web applications as a second line of defense, and maintaining the kind of coding hygiene that prevents SQL injection. Organizations that want to avoid this kind of incident would also do well to tighten their framework patching procedures to limit their exposure on that front.
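The SQL injection lesson that both the $45 million heist and the LivingSocial breach point to, shown in code as an added example written for this article and not code from LivingSocial, the prepaid-card processors or any breached party: a customer lookup built by string concatenation hands the whole table to a tautology payload, while the same lookup with bound parameters returns nothing for it. The `customers` table, its rows and the payload are constructed sample data; SQLite stands in for the production database, and the email validator is the kind of allow-list check a practitioner adds as defense in depth.

```python
"""Vulnerable versus parameterized customer lookup against an in-memory table.

Added example for this article; not code from any breached company.
The customers table, rows and payload below are constructed sample data.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory customer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, pw_hash) VALUES (?, ?)",
        [
            ("alice@example.com", "hash-a"),
            ("bob@example.com", "hash-b"),
            ("carol@example.com", "hash-c"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """String-concatenated query: attacker-controlled text becomes SQL."""
    sql = "SELECT id, email, pw_hash FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Placeholder binding: the driver passes the value separately from the statement,
    so quotes and keywords in the input are only ever compared as data."""
    sql = "SELECT id, email, pw_hash FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_plausible_email(value: str) -> bool:
    """Allow-list shape check: a second line of defense, not the fix."""
    return bool(EMAIL_RE.match(value))


# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable rows returned:", len(lookup_vulnerable(conn, PAYLOAD)))
    print("parameterized rows returned:", len(lookup_parameterized(conn, PAYLOAD)))
    print("payload passes email check:", is_plausible_email(PAYLOAD))
```

With the payload, the concatenated query becomes `WHERE email = 'x' OR '1'='1'` and returns every row, which at LivingSocial's scale is the whole customer base. Parameterization is the control that removes the injection; the shape check rejects this particular payload but is only worth having alongside bound parameters, never instead of them.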

5. Google Bungles Database Defense
News broke last week that the breach of a little-known internal Google database could have wide-reaching national security implications. The attack actually occurred back in 2010 as part of the Operation Aurora attacks, but the Washington Post only recently reported how the intruders reached a system the company uses to archive information about surveillance requests from law enforcement authorities investigating specific Google users. Federal officials believe the breach was carried out by Chinese operatives looking to learn which of their own operatives the U.S. had been investigating.

Lessons Learned: This breach is a prime example of how dangerous the consolidated nature of information stored in databases can be. Information pooled together for efficiency's sake makes a thief's life that much easier. Individually, these requests from government officials had limited value, but in one repository they offer a stunning look at who is under government scrutiny. Organizations often miss the strategic value of databases like these, which can seem as dull as can be. This breach shows how important it is to consider during risk analysis not just the value of the information to the organization, but also its value to potential attackers.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
