Injecting Clarity: Learn from Yahoo!’s SQL Injection Password Security Breach

It’s happened again.

As the New York Times reported, “Yahoo confirmed Thursday that a file containing approximately 400,000 usernames and passwords to Yahoo and other companies was stolen Wednesday.” That’s bad enough. We’ve repeatedly written in this blog about the constant cat-and-mouse game going on between hackers and infosec professionals, who seek to keep information private.

What’s worse is how the massive info grab was perpetrated. Essentially, a group of hackers targeted Yahoo!’s Contributor Network database and gained access to it using a SQL injection. To pull off a SQL injection, hackers literally insert SQL statements into a web form entry (like a user name or password text box) that are designed to command the database to dump its contents to the attacker. In this case, the contents of the database were tons and tons of plaintext user names and passwords. Sounds pretty complex, right? Well, it really isn’t. In fact, it is one of the most well-known database exploits out there, and proper field input filtering on Yahoo!’s part would have kept the massive breach from ever occurring.
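To make the mechanism concrete, here is an added example (not code from Yahoo! or from the original post) showing a login lookup that splices form input into the SQL text next to the same lookup written with bound parameters. The table, user rows and the hostile input string are constructed for the demonstration; SQLite is used only because it ships with Python.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory users table holding plaintext
    passwords, mirroring the kind of table the post describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "123456")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: form fields are concatenated into the SQL text, so
    whatever the user typed is parsed by the database as part of the query."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Hardened pattern: the SQL text is fixed and the driver sends the field
    values separately, so input can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = build_db()
    # A classic tautology-plus-comment string typed into the username box.
    # The vulnerable query returns every user; the parameterized one returns none.
    bad_input = "' OR 1=1 --"
    print("vulnerable   :", login_vulnerable(conn, bad_input, "whatever"))
    print("parameterized:", login_parameterized(conn, bad_input, "whatever"))
```

Input filtering on the web form, as the post recommends, is a useful second layer, but the primary fix is the second function: when values travel as parameters rather than as query text, the database never interprets them as SQL, whatever characters they contain.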

As if the whole breach wasn’t horrible already, the icing on the cake was the fact that all of these user names and passwords were stored as plaintext. Typically, a large site like Yahoo! would store passwords as salted hashes (a randomized one-way format), so that if hackers were able to break in, they wouldn’t be able to recover the original passwords. Since Yahoo! didn’t do that, all of those passwords were published.
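The following added example (not from the original post, and not Yahoo!’s code) shows what “stored as plaintext” should have been instead: each password is hashed with a per-user random salt and a slow key-derivation function, and verification recomputes the hash rather than ever reading the password back. PBKDF2 from the Python standard library is used here; the iteration count is an assumed work factor, not a value the post gives.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor: chosen so each check costs a noticeable fraction of a
# second, which is what makes an offline guessing attack on a stolen table slow.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm, iterations, salt and digest.
    A fresh 16-byte random salt is drawn per password unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. The original password is never recoverable from `stored`."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: the same weak password stored for two different users
    # produces two different records, because each gets its own salt.
    rec_a = hash_password("123456")
    rec_b = hash_password("123456")
    print(rec_a)
    print(rec_b)
    print("records differ :", rec_a != rec_b)
    print("correct pw ok  :", verify_password("123456", rec_a))
    print("wrong pw fails :", verify_password("password", rec_a))
```

Had the leaked table held records like these instead of plaintext, an attacker would still have to guess each password one at a time, and identical passwords across users would not even be recognisable as identical.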

So the big question is: how do you protect yourself?

As an enterprise, the best way to protect your databases is to encrypt password information, create rules to filter input field contents on publicly facing web sites to reduce the impact of SQL injections, and install and maintain security appliances to protect those zones, like those you’ll find in Windstream’s suite of Managed Network Security products.

As an individual, it is important to remember that there are three ways your password gets out:

1. The first and most obvious way is that someone guesses it, so don’t use “password” or “123456” or other common iterations (these two were the most common in the Yahoo! dump) to protect your stuff.
2. The second way, and probably the most common, is that someone phishes it from you. That means that you either provide your password to an individual pretending to be someone they’re not, or you are led to a website that looks legitimate and are asked to enter your password, only to find out that you’re sending it right into the hands of hackers who want to take advantage of your privacy.
3. Finally, if you’ve taken great pains to protect yourself on points 1 and 2, you may be completely out of luck because a situation like Yahoo!’s might take place and your password is leaked anyway. So the third thing you can do is to have a unique password for every site that you access, so that if this happens to you, the impact is mitigated.

Don’t feel like memorizing a unique password for each site you go to? I don’t blame you, but there are great password management apps out there like LastPass that can help you establish safe and secure unique passwords for each of the sites you need to access.

The lesson here is that you probably shouldn’t be asking if your password will be stolen, but when. The actions you take to protect your data, including password management, will dictate the personal impact of that event and possibly save you a lot of heartache (and money) in the long run.