5/30/2013
10:13 PM

5 Big Database Breaches Of Spring 2013

Learning from the most recent impactful breaches of 2013

This spring's crop of database breaches has been about as abundant as the pollen count this time of year, and twice as likely to make security researchers' eyelids twitch. During the past couple of months, data breaches have ranged from the mundane to the fantastic, with each occurrence offering valuable lessons for security professionals with regard to locking down databases and the applications that access them.

The following five high-profile breaches are some of the lowlights of late, along with what organizations can learn from each incident.

1. A Big Dam Deal
A compromise involving fraudulently obtained user credentials gave attackers unauthorized access to a special database held by the U.S. Army Corps of Engineers that contained the critical details of over 8,000 dams across the country. Though the Army revoked the credentials involved, the information was already exposed to attackers that officials believe were based in China.

Lessons Learned: Access controls are at the heart of solid database protection plans. In this case, an Army spokesperson told the Washington Free Beacon, which broke the story, that access was "given to an unauthorized individual in January 2013 who was subsequently determined to not to have proper level of access for the information." Whether that means the organization's provisioning process was suspect or a malicious party managed to escalate privileges on the sly is up in the air, but it still offers a glimpse at how an access control issue can put databases at risk.

2. Bitcoin DB Blunder
As a currency mainstay for the cyber underworld, it is no surprise that Bitcoin has attracted the attention of malicious hackers, who have taken to attacking the exchanges that trade in this virtual currency. In addition to a high-profile DDoS attack against the exchange Mt. Gox in April, cyber crooks also took so many liberties with the databases held by the exchange Instawallet that it had to close up shop. The firm reported that due to the fraudulent access to its databases, it was "impossible to reopen the service as-is."

Lessons Learned: Databases -- particularly those run by high-risk, financial transaction intensive businesses -- form the foundation of how businesses operate today. Failing to fully secure the most mission-critical databases within an organization can have potentially catastrophic ramifications for the business, as this recent shutdown of Instawallet illustrates.

3. $45 Million Database Deficiency
In the running for winning props as one of the biggest cybercrime cases of the year, the complex $45 million ATM cyber heist discovered by investigators this spring had its roots in a database hack. The masterminds at work hired hackers to break into databases containing details about prepaid debit cards so that they could adjust certain cards to be tied with unlimited pools of cash, clone those cards and hire cashers and money mules to tap into the accounts at ATMs in New York.

Lessons Learned: Oftentimes the breach of a database is the first and most fundamental step in carrying out burns, scams and other larceny that would otherwise be difficult to pull off without that kind of access. Authorities aren't releasing info on how the prepaid debit databases were breached, but security pundits are surmising that, given the crummy state of security at financial organizations within developing countries, odds are high that it could have been something as simple as a SQL injection attack that started it all.


4. LivingSocial Lost Data
LivingSocial committed the ultimate social faux pas when it allowed thieves to pillage a database containing the personal details of 50 million of its customers. Security experts said that given the number of exposed details and the type of information stolen, the likelihood was high that the breach was caused by a run-of-the-mill SQL injection attack or an attack that leveraged framework vulnerabilities.

Lessons Learned: The passwords contained within the breached database were encrypted, which is a good start. But organizations must continue to be vigilant about sanitizing input coming from web applications, parameterizing queries into the database and engaging in the kind of coding hygiene that prevents SQL injection. Additionally, organizations that want to avoid this kind of incident would do well to improve their framework patching procedures to limit their exposure on that front.
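The input validation and query parameterization recommended here, and the SQL injection risk raised in the prepaid debit card case above, can be seen side by side in this added example, which is not from the article or from any of the breached organizations. It uses Python's built-in sqlite3 module; the table, column names and sample rows are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data; table and column names are illustrative only.
ROWS = [("alice@example.com", "Alice"), ("bob@example.com", "Bob"),
        ("carol@example.com", "Carol")]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_db():
    """Build an in-memory customers table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)", ROWS)
    return db


def lookup_concatenated(db, email):
    """Vulnerable form: the input becomes part of the SQL text itself."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "' ORDER BY name"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, email):
    """Hardened form: the driver binds the input as a value, never as SQL."""
    sql = "SELECT name FROM customers WHERE email = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (email,))]


def lookup_validated(db, email):
    """Defense in depth: allowlist-validate the input, then bind it."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected: not a well-formed e-mail address")
    return lookup_parameterized(db, email)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # textbook injection test string
    print("concatenated: ", lookup_concatenated(db, tautology))
    print("parameterized:", lookup_parameterized(db, tautology))
    print("legitimate:   ", lookup_validated(db, "bob@example.com"))
```

The concatenated query returns every row for the test string, while the parameterized query treats the same string as a literal e-mail address and returns nothing.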

5. Google Bungles Database Defense
News came out last week that the breach of a little-known internal Google database could have wide-reaching national security implications. The attack actually occurred back in 2010 as a part of the Operation Aurora attacks. But the Washington Post just recently uncovered how a penetration occurred within a system the company uses to archive information about surveillance requests coming from law enforcement authorities working to investigate specific Google users. Federal officials believe the breach was carried out by Chinese operatives looking for a way to learn more about which one of its operatives the US had been investigating.

Lessons Learned: This breach offers a prime example of how dangerous the consolidated nature of information stored within databases can truly be. Information that is pooled together for efficiency's sake can also make a thief's life that much easier. Individually, these requests by government officials only held so much value, but in one big repository they offer a stunning look into the details of who's under the government's eye. Oftentimes organizations miss the strategic value of databases like these that may seem as boring as can be. This breach goes to show how important it is to consider during risk analysis not just the value of the information to the organization, but also its value to potential attackers.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
