Sunday, March 27, 2011
MySql.com Hacked by Their Own Carelessness
What would you say about a firefighter who casually tossed a still-lit match into a waste can full of wood shavings and gasoline? How about a heart surgeon who dined every meal on butter, eggs, and pork chops? You’d probably say they were foolish, bordering on criminally stupid.
Between you and me, I don’t think the flamed firefighter or the suffering surgeon can even come close to the folks over at Sun and MySQL.com. According to Sophos’s Naked Security site, MySQL.com was hacked today. “OK”, you say, “hacking is a fact of life. It could happen to anyone.” That’s true, but the reason they were compromised was a SQL vulnerability on their site! If anyone in the world should have known better, it should have been them.
Had the story ended there, this would have been a humiliating, face-palming moment for them, but it gets worse. The attackers published user names and passwords from MySQL and what do we find? The Director of Product Management has a WordPress password that is four digits long—maybe his ATM number? Other users have passwords such as “qa”.
I’m sure we can expect yet another dreary, predictable, spin-doctored corporate PR release explaining how they “regret any inconvenience this unfortunate incident caused the community,” and how they are “working around the clock with authorities to track down the people who did this.” They will then assure us that they have taken all precautions to prevent it from happening again.
This is 2011. The first SQL injection attacks in the wild were in November 2005. Simply typing the phrase into Google yields nearly four million hits. This is not some zero-day attack. Any halfway competent DBA or web designer knows, or should know, about SQL injection. The fact that this occurred is inexcusable.
Here are my suggestions for dealing with the problem:
1. Hire some knowledgeable people and scrub every single line of code on every page of every site under their administration, as well as run whatever protocols are necessary to secure the place.
2. Get in touch with the people at LastPass and put some decent password control in place.
3. Fire whoever should have found this vulnerability.
4. Fire the supervisor of #3, above.
5. Let every user on their systems know that the next time a weak password is found, they will be terminated on the spot. No explanations. No second chances.
6. Issue a statement explaining exactly what happened and why it will not happen again.
I understand I sound draconian, but after the first few dozen times seeing major sites compromised, I get a little irritable. Did I miss any steps they should take? Am I overreacting? Sound off and let me know!