Sunday, March 27, 2011

MySql.com Hacked by Their Own Carelessness


What would you say about a firefighter who casually tossed a still-lit match into a waste can full of wood shavings and gasoline?  How about a heart surgeon who dined every meal on butter, eggs, and pork chops?  You’d probably say they were foolish, bordering on criminally stupid.

Between you and me, I don’t think the flamed firefighter or the suffering surgeon can even come close to the folks over at Sun and MySQL.com.  According to Sophos’s Naked Security site, MySQL.com was hacked today.  “OK,” you say, “hacking is a fact of life.  It could happen to anyone.”  That’s true, but the reason they were compromised was a SQL injection vulnerability on their own site!  If anyone in the world should have known better, it should have been them.

Had the story ended there, this would have been a humiliating, face-palming moment for them, but it gets worse.  The attackers published user names and passwords from MySQL, and what do we find?  The Director of Product Management has a WordPress password that is four digits long—maybe his ATM number?  Other users have passwords such as “qa”.

I’m sure we can expect yet another dreary, predictable, corporate spin-doctor PR release explaining how they “regret any inconvenience this unfortunate incident caused the community,” and how they are “working around the clock with authorities to track down the people who did this.”  They will then assure us that they have taken all precautions to prevent it from happening again.

Bull****.

This is 2011.  The first SQL injection attacks in the wild were in November 2005.  Simply typing the phrase into Google yields nearly four million hits.  This is not some zero-day attack.  Any halfway competent DBA or web designer knows, or should know, about SQL injection.  The fact that this occurred is inexcusable.

Here are my suggestions for dealing with the problem:

1.  Hire some knowledgeable people and scrub every single line of code on every page of every site under their administration, as well as run whatever protocols are necessary to secure the place.

2.  Get in touch with the people at LastPass and put some decent password control in place.

3.  Fire whoever should have found this vulnerability. 

4.  Fire the supervisor of #3, above.

5.  Let every user on their systems know that the next time a weak password is found, they will be terminated on the spot.  No explanations.  No second chances.

6.  Issue a statement explaining exactly what happened and why it will not happen again.

I understand I sound draconian, but after the first few dozen times seeing major sites compromised, I get a little irritable.  Did I miss any steps they should take?  Am I overreacting?  Sound off and let me know!
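As an added illustration (this is not code from the original post, and it has nothing to do with MySQL.com's actual site code): the concatenated query that makes item 1 necessary beside the parameterized form any DBA should know, plus the password-length audit item 5 calls for, using Python's built-in sqlite3 and a constructed user table in place of a real MySQL database.

```python
import sqlite3

# Constructed sample data standing in for a site's user table.
# Plaintext passwords appear here only so the length audit below is visible;
# a real system stores hashes and enforces policy when the password is set.
USERS = [("alice", "correct-horse-battery"), ("bob", "qa"), ("carol", "1234")]

# The classic probe string used in testing: in a concatenated query it becomes
# part of the SQL; in a parameterized query it is just a name that matches nobody.
PROBE = "x' OR '1'='1"


def make_db():
    """Build an in-memory table from the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the caller's input is spliced into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Placeholder binding: the driver sends the input as a value, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def weak_passwords(conn, min_len=8):
    """Names of users whose stored password is shorter than min_len characters."""
    sql = "SELECT name FROM users WHERE length(password) < ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (min_len,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup with probe:   ", lookup_vulnerable(db, PROBE))
    print("parameterized lookup with probe:", lookup_parameterized(db, PROBE))
    print("accounts failing length policy: ", weak_passwords(db))
```

With MySQL drivers for Python the placeholder is `%s` rather than `?`, but the binding principle is identical.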

2 comments:

  1. A few additional steps to consider: who is setting up password policies, and how did they allow such easily compromised passwords? Are the security systems audited, and by whom (and should he/she/they be given the #3 and #4 treatment you mention)? Who is monitoring the site and what was their responsibility?

    IS is a team sport nowadays.

  2. Good points, Eva. In reality, #3 and #4 might be fairly low level drones. While they acted foolishly, some V or C level person either knew or should have known.

    Not sure why this episode upset me more than the last X number of hacks. I guess I've just reached my tipping point. After the first 20 houses in a neighborhood get robbed, it's sort of hard to work up much sympathy for the 21st, when the owners don't bother to lock the front door.
