Thursday morning, the 12th of July 2012, the world woke
up to yet another news of a high profile cyber-attack. This time, the victim being
one of the internet giants - YAHOO.
The attack was carried out by a Hacker Group named D33D on
one of Yahoo’s sub-domain (yahoo voice), unencrypted usernames and passwords of over 400,000 users were
released online.
The Hacker group claimed responsibility for the attack
and said it hope Yahoo and the others would see this as a wake-up call rather
than a threat.
What seemed to surprise many was the method of attack
used against Yahoo.
An SQL INJECTION; a technique often used to attack
databases through a website, and for exploiting security vulnerability in websites
software.
SQL to me is old-school, an old method of hacking,
something almost every IT person knows about. It’s even a joke among hackers
and geeks due to its utter simplicity, and the preventive method has been
published severally by different individuals and companies in the past.
Attacks like SQL injections, were used to take down at least 18 Sony sites and networks earlier this year.
XSS (cross-site scripting) is so well-known and widely-exploited, a vulnerability that elementary school kids use XSS exploits to log in to their accounts at school because it's simpler than trying to
remember a good password.
Nevertheless…SQL injections and flaws that allow XSS exploits are just two of 10 incredibly common security flaws that continue to appear in eight out of 10 new commercial and corporate applications, according to security software vendor Veracode, which publishes an application-security benchmark report twice per year .
Obviously, heavily exploited flaws like SQL, XSS are still present in majority of new web apps.
With all this attacks happening here and there, it can be
concluded that most of the big organisations are not paying the right amount of
attention to security.
The only rules that seems to be accurate about corporate security
is that no one has a good handle on either digital or physical security.
Most companies are so clueless about holes in their airtight defences that they'll brag about their anti-spam or intrusion protection while strangers wander in from the sidewalk to use the CISO's private rest room while the CFO drags an oversized bank bag filled with "laundry" toward the nearest exit on the way to a "vacation" in the Cayman Islands.
Companies that do pay some attention to security, on the other hand, end up so obsessive about the smallest risk that the whole company behaves as if they manufactured guilty consciences or just heard James Bond was spotted outside.
Most failed because of stupidly obvious flaws that could be exploited including poor implementation of protections that would prevent XSS or SQL injection attack.
The unencrypted user names and passwords were pulled from a database that stored them in plain text and without the added security of a hashing technique -- an otherwise common practice for any company that handles sensitive user information.
The list of emails released stretches just beyond just the Yahoo.com domain and includes login information for more than 106,000 Gmail accounts and 55,000 Hotmail accounts, among others.
Aside from exposing Yahoo's flawed security apparatus, the hackers exposed an all too common fact: too many users have dumb, simple passwords. The most common was "123456," followed by "password." "welcome," "ninja," and "superman," were also among the commonly used password according to an analysis by CNET.
If there's one thing to learn from the Yahoo security breach, it's that we need to be more creative with our passwords.
We need to start using strong passwords.
Simple tips for creating stronger passwords:
Most companies are so clueless about holes in their airtight defences that they'll brag about their anti-spam or intrusion protection while strangers wander in from the sidewalk to use the CISO's private rest room while the CFO drags an oversized bank bag filled with "laundry" toward the nearest exit on the way to a "vacation" in the Cayman Islands.
Companies that do pay some attention to security, on the other hand, end up so obsessive about the smallest risk that the whole company behaves as if they manufactured guilty consciences or just heard James Bond was spotted outside.
Most failed because of stupidly obvious flaws that could be exploited including poor implementation of protections that would prevent XSS or SQL injection attack.
The unencrypted user names and passwords were pulled from a database that stored them in plain text and without the added security of a hashing technique -- an otherwise common practice for any company that handles sensitive user information.
The list of emails released stretches just beyond just the Yahoo.com domain and includes login information for more than 106,000 Gmail accounts and 55,000 Hotmail accounts, among others.
Aside from exposing Yahoo's flawed security apparatus, the hackers exposed an all too common fact: too many users have dumb, simple passwords. The most common was "123456," followed by "password." "welcome," "ninja," and "superman," were also among the commonly used password according to an analysis by CNET.
If there's one thing to learn from the Yahoo security breach, it's that we need to be more creative with our passwords.
We need to start using strong passwords.
Simple tips for creating stronger passwords:
- Use a combination of letters, numbers and special characters, lowercase and uppercase make it long; at least 8, preferably many more characters
- Use a passphrase instead of a word if that is easy to remember
- Avoid sequences such as 123456 or common dictionary words or common names
Why does it matter? This image from Thomas Baekdal shows how long it takes to hack passwords based on their composition:
This year will be remembered as a year of high profile
cyber-attacks. But there are two angles to this that will have long-reaching effects.
First, for users that continue to have one password for everything, it’s time to change them, and quickly.
First, for users that continue to have one password for everything, it’s time to change them, and quickly.
The second angle – primarily prompted by Yahoo – is the
responsibility of corporations to protect
their users. With security threats becoming increasingly more sophisticated, corporations need to be more proactive and predictive about security. Otherwise, they’re just reactive, end up cleaning up after the fact and probably lose their noble customers.
We've witnessed series of cyber-attacks and intrusions this year 2012,
'Sony' being one of the victims. LinkedIn, Last.fm , Eharmony and Formspring were also recently hacked, compromising millions more passwords.
their users. With security threats becoming increasingly more sophisticated, corporations need to be more proactive and predictive about security. Otherwise, they’re just reactive, end up cleaning up after the fact and probably lose their noble customers.
We've witnessed series of cyber-attacks and intrusions this year 2012,
'Sony' being one of the victims. LinkedIn, Last.fm , Eharmony and Formspring were also recently hacked, compromising millions more passwords.
NOW, WHO'S NEXT? Google? Apple? Facebook? or the big dawg
- Microsoft?
The answer to that question is rather elusive. We can only wait for now.
Time will Tell!
The answer to that question is rather elusive. We can only wait for now.
Time will Tell!
To confirm if your email is in the list of the hacked emails, click here or visit http://dazzlepod.com/yahoo/
0 comments → 2012 - THE YEAR OF THE BIG CYBER-ATTACKS. Yahoo Exposed, Who's Next?
Post a Comment