McAfee Blogs: Latest Yahoo Data Breach Restates Need for Basic Security
Jul 12, 2012 – Jim Walter

News broke today of a large data breach against Yahoo Voices: more than 400,000 username/password combinations were posted in clear text. The compromise involved a basic SQL-injection attack against an exposed Yahoo server (dbb1.ac.bf1.yahoo.com). As in other recent incidents, the account data was reportedly stored unencrypted, so the attackers had nothing to crack: the passwords came out of the database exactly as users had typed them.

We see this type of attack over and over. Most recently LinkedIn and eHarmony were in the news with similar issues. This Yahoo breach is just the latest in a long series of similar attacks, many of which occur every day.

The attack was launched by the D33DS Co., whose release included this:

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure.”

D33DS is probably correct in that latter sentence. But are their methods and motivation ethical or legal? That’s a different story. Regardless, Yahoo’s overlooking basic countermeasures against basic attacks (such as SQL injection, and plaintext password storage that turns one injected query into a complete credential dump) cannot be excused.
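The two basic countermeasures the post has in mind, shown side by side with the bug they prevent. This is an added example and not code from the McAfee post or from Yahoo; the table layout, the sample accounts and the hash record format are this example's own assumptions, constructed so it runs offline against an in-memory SQLite database. `login_vulnerable` builds the query by string formatting, so a tautology in the e-mail field returns every row; against a plaintext table that is the whole dump. `login_parameterised` binds the same input as a parameter, and `build_hashed_db`/`login_hashed` store salted PBKDF2 hashes instead of passwords, so even a successful dump yields no working credentials.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not real data): what a plaintext credential
# table looks like, and therefore what a dump of it contains.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.net", "correct horse"),
    ("carol@example.org", "P@ssw0rd!"),
]


def build_plaintext_db():
    """In-memory table that stores passwords in clear text: the weak design."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email, password):
    """Query built by string formatting: user input becomes part of the SQL.
    A tautology in 'email' (with a trailing comment to swallow the rest of
    the statement) matches every row; with plaintext storage that is the dump."""
    sql = ("SELECT email, password FROM users WHERE email = '%s' "
           "AND password = '%s'" % (email, password))
    return conn.execute(sql).fetchall()


def login_parameterised(conn, email, password):
    """Same query with bound parameters: the input can never change the
    statement's structure, so the same payload is just a non-existent e-mail."""
    sql = "SELECT email, password FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256. Returns 'pbkdf2_sha256$iters$salt$hash' (hex);
    that record format is this example's own convention, not a standard."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(stored, password):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def build_hashed_db():
    """Same accounts, but the column holds salted hashes: a dump of this table
    gives the attacker guessing work per password, not ready-made credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(e, hash_password(p)) for e, p in SAMPLE_USERS])
    return conn


def login_hashed(conn, email, password):
    """Look the account up by e-mail (bound parameter), verify the hash in code.
    Returns True only for the right password of an existing account."""
    row = conn.execute("SELECT password_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    return row is not None and verify_password(row[0], password)


if __name__ == "__main__":
    payload = "' OR '1'='1' -- "
    plain = build_plaintext_db()
    print("vulnerable, injected :", login_vulnerable(plain, payload, "x"))
    print("parameterised, same  :", login_parameterised(plain, payload, "x"))
    hashed = build_hashed_db()
    print("hashed table contents:", hashed.execute("SELECT * FROM users").fetchall())
    print("hashed login         :", login_hashed(hashed, "alice@example.com", "hunter2"))
```

Note that parameterisation alone would have stopped this particular dump, and hashing alone would have limited the damage once the dump happened; the two controls address different failures, and a site exposed to the public needs both.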

This is not the first time that Yahoo has been compromised in this way. During the last five years, Yahoo Local Neighbors, Yahoo Kids, Yahoo Classifieds, and others have been successfully targeted.

Ironically, there is a blog post on SQL-injection prevention on Yahoo Voices itself. It was posted in 2009.

What else is interesting about the latest breach?

More than just @yahoo.com usernames and accounts were exposed. If there was ever a time to heed warnings about password reuse, especially across public and high-traffic social systems, this is it. Yahoo may have been the focus of this attack, but the dump contains addresses from many other providers, and wherever a user reused the same password, the credentials in it can be tried directly against accounts at AOL, Microsoft, Google, Comcast, SBC Global, and others.

Here is a breakdown of associated domains that appear in the D33Ds release:

[Figure: Yahoo breach, top 20 domains]
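How the breakdown above is produced, and what a defender at one of the listed providers does with it. This is an added example, not part of the McAfee post; it assumes the dump is one `email:password` record per line (the post says only that it was posted in clear text), and the records in `SAMPLE_DUMP` are constructed, not real leaked data. `parse_dump` tolerates the things real dumps contain (passwords with colons, mixed-case domains, junk lines), `domain_breakdown` gives the per-provider tally, and `accounts_to_reset` pulls out the accounts in domains you operate, which is the list to force resets on, since those users' passwords are now public regardless of where they were originally used.

```python
from collections import Counter

# Constructed sample dump in the 'email:password' format this example assumes;
# none of these are real leaked records.
SAMPLE_DUMP = """\
alice@yahoo.com:hunter2
bob@Gmail.com:letmein
carol@yahoo.com:qwerty:extra
dave@hotmail.com:pass:word
not-a-record
eve@aol.com:
frank@yahoo.co.uk:secret
"""


def parse_dump(text):
    """Return (email, domain, password) for each well-formed line.
    Splits on the first ':' only, because passwords may contain colons;
    lowercases e-mail and domain so 'Gmail.com' and 'gmail.com' tally together;
    skips lines with no ':' or no '@' rather than guessing at them."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        local, _, domain = email.rpartition("@")
        if not local or not domain:
            continue
        records.append((email.lower(), domain.lower(), password))
    return records


def domain_breakdown(records, top=20):
    """Top-N provider domains: the breakdown the post's chart shows."""
    return Counter(domain for _, domain, _ in records).most_common(top)


def accounts_to_reset(records, own_domains):
    """Accounts in the dump that belong to domains you run. Force a reset on
    each, and check whether the leaked password also works on your systems."""
    own = {d.lower() for d in own_domains}
    return sorted({email for email, domain, _ in records if domain in own})


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for domain, n in domain_breakdown(recs):
        print("%-16s %d" % (domain, n))
    print("force reset:", accounts_to_reset(recs, ["yahoo.com"]))
```

On a real dump, run `accounts_to_reset` for every domain you are responsible for, not only the one the breach was reported against; the post's point is that most of the exposed addresses belonged to providers other than Yahoo.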

I’ll leave you with several McAfee resources for understanding SQL injection:



© 2008 EnterpriseInnovator. All rights reserved.