Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

5/27/2011
01:55 PM

Five Infamous Database Breaches So Far In 2011

An alarming trend of security companies getting hacked serves as a wake-up call that no one is immune

In the era of the massive data breach, 2011 has so far only continued the trend of database exposures hitting organizations large and small. According to the Privacy Rights Clearinghouse, 2011 has already seen 234 reported breaches, together affecting hundreds of millions of individuals.

Here's a look at some of the most impactful database exposures so far this year, all of which offer lessons for IT security pros:

1. Victim: HBGary Federal
Assets Stolen/Affected: 60,000 confidential emails, executive social media accounts, and customer information.

After security firm HBGary Federal announced that it planned to expose information about the renegade Anonymous hacking collective, the firm was attacked by Anonymous members. They got into the database behind HBGary Federal's content management system (CMS) through a vulnerable front-end Web application and stole the credentials stored there, which they then leveraged to break into the company executives' e-mail, Twitter, and LinkedIn accounts. Via the HBGary Federal compromise they were also able to reach, and then dump publicly, the e-mail spools of HBGary proper.

Lessons Learned: This attack proves once again that SQL injection remains a hacker's prime tool for prying into database systems; it was Anonymous' first foothold in HBGary Federal's systems. The attack probably would not have gone any deeper, though, if the passwords in the affected database had been protected with a salted, slow password hash rather than plain MD5, which can be reversed with precomputed tables. More disconcerting still, the executives' passwords were simple and were reused across many accounts, so one cracked hash opened e-mail, Twitter, and LinkedIn alike.
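The three weaknesses the HBGary Federal lesson names, shown in working code as an added example (not code from the article, from HBGary or from the CMS involved): a login check that builds its query by string concatenation beside the parameterized fix, a table of unsalted MD5 hashes and the dictionary lookup that cracks it in one pass, and a salted, iterated PBKDF2 store to replace it. The table layout, user names, passwords and wordlist are constructed for illustration.

```python
"""Added example (not code from the article or from HBGary): a login check
vulnerable to SQL injection beside its parameterized fix, an unsalted-MD5
password table and the dictionary attack that cracks it, and a salted
PBKDF2 store to replace it. Table layout, user names, passwords and the
wordlist are constructed for illustration."""
import hashlib
import hmac
import os
import sqlite3


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory user table storing unsalted MD5 hashes (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_md5 TEXT)")
    for user, pw in [("ceo", "Summer11"), ("coo", "password1")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, md5_hex(pw)))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query built by string concatenation: the username becomes SQL syntax.
    A username of  ceo' --  turns the WHERE clause into  username = 'ceo' --...
    and comments out the password check entirely."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND pw_md5 = '" + md5_hex(password) + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the input is data, never syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_md5 = ?",
        (username, md5_hex(password)),
    ).fetchone()
    return row is not None


def crack_md5_table(conn: sqlite3.Connection, wordlist: list[str]) -> dict[str, str]:
    """What a dumped table of unsalted MD5 hashes is worth to the attacker:
    one precomputed hash per candidate password cracks every matching user at once."""
    lookup = {md5_hex(w): w for w in wordlist}
    rows = conn.execute("SELECT username, pw_md5 FROM users").fetchall()
    return {user: lookup[h] for user, h in rows if h in lookup}


def hash_password(password: str, salt: bytes = b"", rounds: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. A random per-user salt defeats
    precomputed tables; the iteration count makes every guess expensive."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time compare."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    db = make_db()
    print("injection on concatenated query:", login_vulnerable(db, "ceo' --", "wrong"))
    print("same payload, bound parameters: ", login_parameterized(db, "ceo' --", "wrong"))
    print("cracked from MD5 dump:", crack_md5_table(db, ["123456", "password1", "letmein"]))
    stored = hash_password("Summer11")
    print("PBKDF2 verify:", verify_password("Summer11", stored))
```

The injection works because the vulnerable query hashes the password but still splices the raw username into the SQL text; with bound parameters the same payload is just a user name that does not exist. The cracking function is the reason salting matters: with unsalted MD5, one hash per dictionary word is enough to test every user in the dump at once.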

2. Victim: RSA
Assets Stolen/Affected: Proprietary information about RSA's SecurID authentication tokens.

After an employee retrieved a spear-phishing e-mail from the Junk folder and opened the infected attachment it carried, the attackers behind this breach were able to dig deep enough into RSA's network to find a database containing sensitive information about RSA's SecurID authentication products. RSA has never confirmed exactly what was stolen, but reports this week of a U.S. defense contractor that uses SecurID being hacked bolster the suspicion that the attackers took the all-important SecurID seeds, the per-token secrets from which each token's one-time codes are computed.

Lessons Learned: No target is sacrosanct, not even one of the world's leading security companies. The RSA breach shows how much employee training matters: some of the best-defended networks and databases can be penetrated if an insider opens the door wide enough. Security experts also read the breach as evidence that the industry still has a long way to go on effective real-time monitoring that would stop a deep intrusion like this one before it reaches something as sensitive as what was taken from RSA.
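Why a stolen seed database is "all-important", as an added example that is not code from the article or from RSA: SecurID's token algorithm is proprietary and is not reproduced here, so this uses the open TOTP standard (RFC 6238, HMAC-SHA1, 30-second step) as a stand-in. Whoever holds the seed runs the same arithmetic as the hardware token, so the authentication server cannot tell the attacker's code from the legitimate one. The token serial number and the "stolen seeds" dictionary are constructed; the seed value is the RFC's published test secret, not a real token seed.

```python
"""Added example (not code from the article or from RSA): why a stolen seed
database defeats a one-time-password token. SecurID's algorithm is proprietary;
this uses standard TOTP (RFC 6238, HMAC-SHA1, 30-second step) as a stand-in,
with the RFC's own test seed. The serial number and the stolen-seeds dict are
constructed for illustration."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def server_verify(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """What the authentication server does: accept the code for the current
    30-second step or one step either side, to absorb clock drift."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


# Constructed seed database keyed by token serial (hypothetical serial).
# The seed is the RFC 6238 test secret, not a real token seed.
SEED_DB = {"token-0001": b"12345678901234567890"}


def attacker_code(stolen_seeds: dict[str, bytes], serial: str, unix_time: int) -> str:
    """With the seed exfiltrated, the attacker needs no token at all: the same
    seed and the same clock yield the identical code."""
    return totp(stolen_seeds[serial], unix_time)


if __name__ == "__main__":
    now = 1111111109  # fixed instant so the run matches the RFC test vector
    seed = SEED_DB["token-0001"]
    legit = totp(seed, now)
    forged = attacker_code(SEED_DB, "token-0001", now)
    print("token shows:   ", legit)
    print("attacker makes:", forged)
    print("server accepts attacker:", server_verify(seed, forged, now))
```

The point of the example is that nothing in the verification path depends on possession of the physical token once the seed is known; the server's acceptance window for clock drift only widens what the attacker can replay. That is why a seed database is the crown jewel of any OTP scheme and why the only real remedy after its theft is reseeding or replacing the tokens.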

3. Victim: Epsilon
Assets Stolen: E-mail databases from 2 percent (roughly 50) of the firm's 2,500 corporate clients.

Marketing firm Epsilon has never confirmed exactly how many e-mail addresses were stolen from its massive stores of consumer contacts, which it used to send messages on behalf of big-name customers such as JPMorgan Chase, Kroger, and TiVo. But the breach notifications trickling out from its client companies show that the exposure surely affects millions of consumers, putting them at higher risk of phishing and spam in the future.

Lessons Learned: Epsilon also has not confirmed the technical details of the attack, but a spear-phishing campaign against the e-mail marketing industry has been fingered by many as the likely source, re-emphasizing the importance of awareness among rank-and-file employees. Perhaps more important for enterprises is the lesson that when you outsource, you retain the risk and the responsibility for protecting the data a contractor handles: every Epsilon client is still on the hook for disclosure and its associated costs even though the breach happened at a partner.
