Thursday, July 12, 2012
Password breaches
You would THINK that people in charge of large companies would do the following:
1) Prevent SQL injection. This is an old and easy method used by hackers to bypass a login screen and log in as admin. This attack has been known for YEARS.
2) SALT their passwords. Salt is a way to encrypt passwords so that if two people have the same password, they look different when encrypted.
3) Encrypt their passwords. This is password 101. I mean, we've been doing this since UNIX came out.
… or so I thought …
Gamigo was hacked four months ago when over eight million (8,000,000) user names, email addresses, and passwords were lost. This particular account breach has been dubbed the largest so far for 2012.
Twitter was hacked about a month ago. And apparently Twitter didn't salt their passwords. So all a newbie hacker had to do was sort the encrypted passwords and work on whichever ones showed up the most.
And then there's Yahoo (more specifically Yahoo Voices). The hackers bypassed security using SQL injection and the passwords weren't even encrypted. SERIOUSLY????
Hopefully the other website owners will take this as a wake up call.
So, some of you may be wondering what's SQL Injection and what is salt?
Let's start with salt. There are a handful of ways to encrypt data. So, let's say I have a database system and I store user logins and passwords for my website. Bob uses "sunny" as a password and, for argument's sake, let's say it encrypts to a3Gh4281=+. Sue also uses the same password, and it encrypts to the same value. That's an issue because once you crack Bob's password you also know that Sue's password is the same.
So, on to salting a password. The salt is a random set of bits that is fed, together with the password itself, into the one-way password encryption function. The "salted" password that comes out is what gets saved to the database. On subsequent logins, the salt is retrieved and the password and salt go through the encryption algorithm again. Then the "salted" password just generated is compared to the "salted" password in the database. If they match, the user can log in. Since every user has a unique salt, Bob's and Sue's passwords will look different in the database even though they are the same.
So, on to SQL injection. When you want to log into a website (e.g., Yahoo Mail), you normally type your username and your password. The system uses that information to generate a database fetch command (select * from userTable where user = x). To avoid SQL injection, smart DBAs use stored procedures. In other words, the procedure is stored in the database and the program only passes in the variables (username and password). DBAs that have had no experience with security might just build the command on the fly from the user's input and run it against the database.
So, how can someone do a SQL injection? Instead of entering a plain username, the hacker enters the following:
username: whatever; select * from userTable where user='admin';//
What this does is return the admin record from the database (everything after the double slash is ignored). So the "on the fly" command, with that input dropped into the template above, now looks like this:
select * from userTable where user = whatever; select * from userTable where user='admin';//
And now the hacker has the record for the admin and logs in as the admin. From there, they can do whatever an admin can do. Again, this is one of the oldest ways to hack a website and most web admins should be aware of this and come up with a solution to protect their database from SQL injections. Most web admins, except the ones over at Yahoo…
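To tie the two halves of the post together, here is an added example (not code from the original post) of how a login table should be written: a per-user random salt, a one-way hash (what the post calls "encryption"; PBKDF2 is used here, an assumption not stated in the post), and a parameterized fetch instead of a command built on the fly. The table name userTable and the "sunny" password are taken from the post; the sqlite3 in-memory database is a constructed stand-in.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the post's userTable: username, per-user salt, salted hash.
SCHEMA = ("CREATE TABLE userTable (user TEXT PRIMARY KEY, "
          "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; the iteration count slows down offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def create_user(conn: sqlite3.Connection, user: str, password: str) -> bytes:
    """Store a fresh random salt plus the salted hash; return the hash for inspection."""
    salt = os.urandom(16)  # unique per user, so equal passwords are stored differently
    digest = hash_password(password, salt)
    conn.execute("INSERT INTO userTable (user, salt, pw_hash) VALUES (?, ?, ?)",
                 (user, salt, digest))
    return digest


def login(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Parameterized fetch: '?' binds `user` as a value, never as SQL text."""
    row = conn.execute("SELECT salt, pw_hash FROM userTable WHERE user = ?",
                       (user,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Recompute the salted hash and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    conn = new_db()
    create_user(conn, "admin", "correct horse")
    bob = create_user(conn, "bob", "sunny")
    sue = create_user(conn, "sue", "sunny")  # same password as Bob
    injected = "whatever; select * from userTable where user='admin';//"  # the post's input
    return {
        "same_password_differs": bob != sue,       # salt makes the stored values differ
        "bob_ok": login(conn, "bob", "sunny"),
        "bob_wrong": login(conn, "bob", "cloudy"),
        "injection_as_username": login(conn, injected, "anything"),  # just an unknown user
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the injected string is looked up as a literal username and finds no row, while Bob and Sue end up with different stored hashes despite sharing "sunny".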