Barracuda Networks website hit by SQL injection attack

According to Michael Perone, Barracuda's executive vice president, the attack occurred when the company's web application firewall was accidentally set in passive monitoring mode during a weekend maintenance period on the site.

"The good news is the information compromised was essentially just names and email addresses, and no financial information is even stored in those databases. Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords", he said in a blog posting late yesterday.

"So, the bad news is that we made a mistake. The Barracuda web application firewall in front of the Barracuda Networks website was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night after close of business Pacific time", he added.

Perone went on to say that, at around 5pm Pacific time on Saturday, an automated script began crawling Barracuda's website in search of unvalidated parameters.

"After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market", said Perone.

"As with many ancillary scripts common to web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees", he added.

Interestingly, Perone says that the attack used a single IP address to conduct reconnaissance and was joined then by another IP address about three hours later.

The Barracuda EVP notes that the incident brought home some key reminders for his team, including that you cannot leave a web site exposed nowadays for even a day - or less - and that code vulnerabilities can happen in places far away from the data you are trying to protect.

In addition, he said that IT professionals cannot be complacent about coding practices, operations or even the lack of private data on your site - even when you have web application firewall technology installed.

Reaction to news of the SQL injection attack has been favourable on a number of security forums and newswires, with many people applauding Perone's openness about the site hack.

The Dark Reading newswire notes that Barracuda is the latest in a string of security firms to get hit this year, following HBGary, RSA, and Comodo. Chris Wysopal, Veracode's CTO is adament that hackers are clearly targeting security companies.

"They are able to leverage the information they get for further attacks on their customers. It is not known at this time whether that is the intent of these attackers", he told the newswire.

What’s hot on Infosecurity Magazine?