Barracuda Networks website hit by SQL injection attack

12 April 2011

Barracuda Networks has become the latest IT security vendor to be hit by an SQL injection attack, but the company has moved swiftly to mitigate the fallout from the attack, as well as confirming that all active passwords for applications remain secure.

According to Michael Perone, Barracuda's executive vice president, the attack occurred when the company's web application firewall was accidentally set in passive monitoring mode during a weekend maintenance period on the site.

"The good news is the information compromised was essentially just names and email addresses, and no financial information is even stored in those databases. Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords", he said in a blog posting late yesterday.

"So, the bad news is that we made a mistake. The Barracuda web application firewall in front of the Barracuda Networks website was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night after close of business Pacific time", he added.

Perone went on to say that, at around 5pm Pacific time on Saturday, an automated script began crawling Barracuda's website in search of unvalidated parameters.

"After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market", said Perone.

"As with many ancillary scripts common to web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees", he added.

Interestingly, Perone says that the attack used a single IP address for reconnaissance, and that a second IP address joined it about three hours later.

The Barracuda EVP notes that the incident brought home some key reminders for his team, including that you cannot leave a web site exposed nowadays for even a day - or less - and that code vulnerabilities can happen in places far away from the data you are trying to protect.

In addition, he said that IT professionals cannot be complacent about coding practices, operations, or even the apparent lack of private data on a site, even when web application firewall technology is installed.
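The pattern Perone describes (a request parameter spliced into a query by an ancillary script whose database also holds marketing leads) can be reproduced in a few lines. The following is an added example written for this page, in Python with an in-memory SQLite database rather than PHP, and is not Barracuda's code: the table names, columns, sample rows and the UNION payload are all constructed for illustration. It shows the vulnerable lookup beside its parameterized form, and why a bug in a case-study page exposes the leads table sitting next to it.

```python
import sqlite3

# Constructed sample data for this example; not Barracuda's schema or data.
CASE_STUDIES = [
    ("Acme Hospital", "healthcare", "Cut spam by 90%"),
    ("Bigbank", "finance", "Consolidated email security"),
    ("Statewide U", "education", "Protected 40,000 mailboxes"),
]
# The marketing leads live in the same database as the case studies, as the
# article describes; the case-study script never legitimately touches them.
LEADS = [
    ("Alice Example", "alice@example.com"),
    ("Bob Partner", "bob@partner.example"),
]


def make_db():
    """Build the shared database: public case studies next to private leads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE case_studies (customer TEXT, vertical TEXT, summary TEXT)")
    conn.execute("CREATE TABLE leads (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO case_studies VALUES (?, ?, ?)", CASE_STUDIES)
    conn.executemany("INSERT INTO leads VALUES (?, ?)", LEADS)
    return conn


def case_studies_vulnerable(conn, vertical):
    """Vulnerable: the request parameter is spliced into the SQL text."""
    sql = "SELECT customer, summary FROM case_studies WHERE vertical = '%s'" % vertical
    return conn.execute(sql).fetchall()


def case_studies_safe(conn, vertical):
    """Hardened: a bound parameter can never change the statement's structure."""
    sql = "SELECT customer, summary FROM case_studies WHERE vertical = ?"
    return conn.execute(sql, (vertical,)).fetchall()


# A UNION payload of the kind a scanner escalates to once it finds an
# unvalidated parameter (constructed for this example). The trailing "--"
# comments out the closing quote the script appends.
PAYLOAD = "x' UNION SELECT name, email FROM leads --"


def demo():
    """Run both lookups with a normal value and with the injection payload."""
    conn = make_db()
    return {
        "normal_vulnerable": case_studies_vulnerable(conn, "finance"),
        "normal_safe": case_studies_safe(conn, "finance"),
        # Returns the leads table, not case studies: the bug is far from the data.
        "payload_vulnerable": case_studies_vulnerable(conn, PAYLOAD),
        # Returns nothing: the payload is just a vertical name that matches no row.
        "payload_safe": case_studies_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The fix is the single bound parameter; no amount of WAF monitoring substitutes for it, which is the point Perone makes about the passive-mode window.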

Reaction to news of the SQL injection attack has been favourable on a number of security forums and newswires, with many people applauding Perone's openness about the site hack.

The Dark Reading newswire notes that Barracuda is the latest in a string of security firms to be hit this year, following HBGary, RSA, and Comodo. Chris Wysopal, Veracode's CTO, is adamant that hackers are clearly targeting security companies.

"They are able to leverage the information they get for further attacks on their customers. It is not known at this time whether that is the intent of these attackers", he told the newswire.
