Lessons Learned From the Yahoo! Hack
 


In December 2012, Yahoo! Inc. suffered a high-profile data breach at the hands of a lone hacker. Using SQL injection attacks, the hacker gained full access to the server of the affected domain. Alarmingly, the exploited vulnerability likely belonged to a third-party application that was neither coded nor hosted by Yahoo!. Yahoo! was responsible for the third-party application's security, yet it had only limited control of the code. This presentation analyzes the tools and methodology the attacker used to bypass security, explores the dangers of hosting third-party code inherited from partners, vendors, or acquisitions, and provides procedural and technical steps for securing third-party code.

Presentation Transcript

  • Lessons Learned From the Yahoo! Hack – Amichai Shulman, CTO. © 2013 Imperva, Inc. All rights reserved.
  • Agenda
    - Finding the vulnerable Yahoo! app
      + A true cyber detective story
    - Yahoo! hack technical analysis
      + SQL Injection
      + Error based SQL Injection
    - The greater lesson
      + 3rd party code security
    - Summary and Conclusions
  • Amichai Shulman – CTO Imperva
    - Speaker at industry events
      + RSA, Sybase Techwave, Info Security UK, Black Hat
    - Lecturer on info security
      + Technion - Israel Institute of Technology
    - Former security consultant to banks & financial services firms
    - Leads the Application Defense Center (ADC)
      + Discovered over 20 commercial application vulnerabilities – credited by Oracle, MS-SQL, IBM and others
    - One of InfoWorld's "Top 25 CTOs"
  • Cyber Detective Story
  • Breaking News – Yahoo! Has Been Hacked
  • Gathering Evidence: the hacker released a redacted screenshot of the allegedly hacked Yahoo! app
  • Forensics – Turning Evidence into Insights (1)
    - Host name from address bar:
      + Ends in "yle.yahoo.net" (not "yahoo.com")
      + It has a relatively long host name
  • Forensics – Turning Evidence into Insights (2)
    - Error message
      + The application is powered by ASP.NET – most Yahoo! applications are PHP based
      + Application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code
  • Identifying the Vulnerable Yahoo! App (1)
    - Host name from address bar:
      + Ends in "yle.yahoo.net" (not "yahoo.com")
      + It has a relatively long host name
  • Identifying the Vulnerable Yahoo! App (2)
    - Error message
      + The application is powered by ASP.NET (not PHP like most Yahoo! applications)
      + Application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code
  • Yahoo! Hack Technical Analysis: Error Based SQL Injection
  • Data Extraction Techniques by Hackers, 2005-2011: SQL Injection 83%, other 17%. Total = 315,424,147 records (856 breaches). Source: Privacy Rights Clearinghouse
  • SQL Injection Means Business, Literally
  • SQL Injection: Technical Impact
    - Retrieve sensitive data from the organization
    - Steal the site's administrator password
    - Lead to the downloading of malware
  • Still a Very Relevant Attack: on average, we have identified 53 SQLi attacks per hour and 1,093 attacks per day.
  • SQL Injections by the Hour – Highly Automated
  • Main Automated Attack Tools: SQLmap, Havij
  • Yahoo! Hack – MSSQL Injection with Conversion Errors
    - Attack vector:
      + and 1 = convert(int,(select top 1 table_name from x))
    - The server tries to convert the additional data (in this case the table name) to an integer
    - Character strings cannot be converted into an integer, so an error is triggered
    - If the system is not hardened, the error message is visible to the attacker, revealing the data
  • MSSQL Injection with Conversion Errors No need to be a hacker to exploit Even script kiddies can do it with automated exploit tools + Havij21 © 2013 Imperva, Inc. All rights reserved.
  • From SQL Injection to Command Execution
    - In the case of SQL injection in an MSSQL DB, an attacker can leverage it to run arbitrary commands using the "XP_CMDSHELL" system stored procedure
    - Supported by exploit tools
  • 3rd Party Code Security
  • Vulnerable Application Is a 3rd Party Application: "The leading astrology portal in India… formed co-branded channel alliances with internationally recognized brands such as MSN, Yahoo! and Google"
  • Vulnerable Application Is Hosted by a 3rd Party: routing of users from Yahoo! to Astroyogi.com with a DNS alias mapping "in.horoscopes.lifestyle.yahoo.net" to "yahoo.astroyogi.com"
  • You Don't Own the Code of All Your Applications
    - Yahoo! is not alone
    - 3rd party applications are embedded as code, or by hosting, by many organizations
    - 28% of Veracode-assessed applications are identified as created by a 3rd party
  • You Don't Even Own All the Code of YOUR Applications
    - Even homegrown applications are mostly comprised of 3rd party code
    - According to Veracode:
      + "Up to 70% of internally developed code originates outside of the development team"
  • Third Party Code Related Breaches
  • Becoming Part of OWASP Top 10
  • Recommendations
  • SQL Injection Mitigation Checklist
  • Step 1: Use a WAF to Detect SQL Injection
    - Positives
      + Can block many attacks
      + Relatively easy
    - Negatives
      + Can become a crutch
      + Potential for false positives
  • Step 2: Deploy a Reputation Based Solution
    - Positives
      + Blocks up to 40% of attack traffic
      + Easy
    - Negatives
      + Does not deal with the underlying problem
  • Step 3: Stop Automated Attack Tools
    - Positives
      + Detects automated tool fingerprints to block attacks
      + Relatively easy
    - Negatives
      + Potential for false positives
  • Step 4: WAF + Vulnerability Scanner. "Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls" —Neil MacDonald, Gartner. Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
  • 3rd Party Code Mitigation Checklist
  • Technical Level Recommendations
    - Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
    - Pen test before deployment to identify these issues
    - Deploy the application behind a WAF to
      + Virtually patch pen test findings
      + Mitigate new risks (unknown at pen test time)
      + Mitigate issues the pen tester missed
      + Use a cloud WAF for remotely hosted applications
    - Virtually patch newly discovered CVEs
      + Requires a robust security update service
  • Webinar Materials: join the Imperva LinkedIn group, Imperva Data Security Direct, for answers to attendee questions, post-webinar discussions, and the webinar recording link.
  • www.imperva.com
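As an added example (not code from the Imperva deck), the following Python applies two of the deck's detection ideas to web-server logs: the MSSQL conversion-error probe pattern from the "Conversion Errors" slide and the automated-tool fingerprint check from Step 3. The simplified log layout, the sample lines, the client addresses and the tool-marker tuple are constructed assumptions; the only real fingerprint used is sqlmap's default "sqlmap/" User-Agent prefix.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic) in a simplified IIS-like layout:
# client_ip method path query status user_agent
SAMPLE_LOG = """\
203.0.113.7 GET /horoscope.aspx sign=aries 200 Mozilla/5.0
203.0.113.9 GET /horoscope.aspx sign=aries'+and+1=convert(int,(select+top+1+table_name+from+x))-- 500 Mozilla/4.0
203.0.113.9 GET /horoscope.aspx sign=aries%27%20and%201%3Dconvert%28int%2C%28select%20top%201%20name%20from%20x%29%29-- 500 Mozilla/4.0
198.51.100.4 GET /horoscope.aspx sign=leo 200 sqlmap/1.0 (http://sqlmap.org)
203.0.113.7 GET /horoscope.aspx sign=1%20and%201%3D1 200 Mozilla/5.0
"""
# MSSQL conversion-error probe from the deck: convert(int, <subquery>) forced into a numeric compare.
CONVERSION_PROBE = re.compile(r"\bconvert\s*\(\s*int\s*,", re.IGNORECASE)
# sqlmap's default User-Agent starts with "sqlmap/"; extend with other tool strings (assumption).
TOOL_UA_MARKERS = ("sqlmap",)

def parse_line(line):
    """Split one log line into fields; the query string is URL-decoded before inspection."""
    ip, method, path, query, status, ua = line.split(" ", 5)
    return {"ip": ip, "method": method, "path": path,
            "query": unquote_plus(query), "status": int(status), "ua": ua}

def classify(entry):
    """Return the reasons a request looks like an SQLi probe (empty list if clean)."""
    reasons = []
    if CONVERSION_PROBE.search(entry["query"]):
        reasons.append("mssql_conversion_error_probe")
        if entry["status"] >= 500:
            # The app answered the probe with an error page, i.e. it is not hardened.
            reasons.append("error_page_returned")
    if any(m in entry["ua"].lower() for m in TOOL_UA_MARKERS):
        reasons.append("automated_tool_user_agent")
    return reasons

def analyze(log_text):
    """Return {line_index: reasons} for flagged lines and a per-IP count of flagged requests."""
    alerts, per_ip = {}, Counter()
    for i, line in enumerate(log_text.splitlines()):
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            alerts[i] = reasons
            per_ip[entry["ip"]] += 1
    return alerts, per_ip

if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG)
    print(found, dict(counts))
```

A 500 status following a conversion probe is the signal that the application leaks converted values in its error page, which is the hardening gap the deck describes.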