Ask HN: How are all of these data dumps of user info happening?
It seems like every week there's some new story about data theft in the news (Yahoo, LinkedIn, Target, now Weebly). How are these attacks being done? Is it primarily SQL injection? Social engineering to get the database credentials? How can we protect our own databases from such attacks?
31 comments
[ 4.6 ms ] story [ 86.1 ms ] threadThe longer answer is that most software is crap but you don't notice as a consumer. That combined with the lack of incentive to fix things unless they're visibly broken means that crappy software will exist till it's either publicized or someone on the engineering team cares enough (and has enough clout) to fix it.
There are probably one hundred paths to database dumps. This is why principles like defense in depth, least privs, whitelisting, are all important to apply system wide. If your team doesn't know how to do it, hire a company to do security audits or study like crazy.
[0]: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...
Edit: I see now that this informs readers about several classes of vulnerabilities and doesn't speak to specific frameworks or libraries being used to avoid or block them. This is probably good info, even 3 years from now.
What it boils down to, never trust user input, never include user input in anything that resembles code before sanitization, validation, white listing, etc.
Here's a video of Phineas Fisher hacking a police union a while back:
https://tune.pk/video/6528544/hack
How he took down Hacking Team:
http://pastebin.com/raw/0SNSvyjJ
General guide:
http://0x27.me/HackBack/0x00.txt
1) Companies are to embarrassed to admit they made a mistake, and furthermore there is no legal or security benefit to publicly declaring "We have an open SQL injection on xyz url."
2) Companies don't even know how or when they got hacked. Senior devs may have reached a point of thinking "There are so many moving parts here and I have so many bugs to fix that it's not even worth time trying to try to make them all secure against a targeted hacker." When they do get hacked, it may be the first time they realize that they haven't been logging everything that might allow them to actually trace the origin. If the attack happened far in the past, necessary information required to investigate may have been lost long ago.
Someone uses the same password on github as they did for photoshop and suddenly a breach in one place leads to source access.
And private source code is typically full of credentials or makes it very easy to find poorly secured admin functions, if it doesn't contain copies of data itself.
Data hygiene, good security around credential re-use and 2fa, not putting in backdoors all lead to leaks.
Or more mundane unsecured direct object references which catches out even large companies sometimes.
If you really need to install third party software i feel it's best to put them on their own instance and separate database than to share any resources with your main site.