Lessons Learned From the Yahoo! Hack

Lessons Learned From the Yahoo! Hack

Amichai Shulman, CTO

© 2013 Imperva, Inc. All rights reserved.

Agenda

 Finding the vulnerable Yahoo! app
+ A true cyber detective story
 Yahoo! hack technical analysis
+ SQL Injection
+ Error based SQL Injection
 The greater lesson
+ 3rd party code security
 Summary and Conclusions

2 © 2013 Imperva, Inc. All rights reserved.

Amichai Shulman – CTO Imperva

 Speaker at Industry Events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
 Lecturer on Info Security
+ Technion - Israel Institute of Technology
 Former security consultant to banks & financial
services firms
 Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities
– Credited by Oracle, MS-SQL, IBM and others

Amichai Shulman one of InfoWorld’s “Top 25 CTOs”


Cyber Detective Story


Breaking News – Yahoo! Has been Hacked


Gathering Evidence

 Hacker released a redacted screenshot of the allegedly
hacked Yahoo! app


Forensics – Turning Evidence into Insights (1)

 Host name from address bar:
+ Ends in “yle.yahoo.net”, (not “yahoo.com”)
+ It has a relatively long host name


Forensics – Turning Evidence into Insights (2)

 Error message
+ The application is powered by ASP.NET
– Most Yahoo! Applications are PHP based
+ Application source file resides on C:webcorp[blackened by
hacker]pYahooV2app_code

Identifying the Vulnerable Yahoo! App (1)

+ It has a relatively long host name.



+ It has a relatively long host name.



 Error message
+ The application is powered by ASP.NET (not PHP like most
Yahoo! Applications)

Yahoo! Hack Technical Analysis
Error Based SQL Injection


Data Extraction Techniques by Hackers: 2005-2011

Other
17%

SQL Injection
83%

Total = 315,424,147 records
(856 breaches)

Source: Privacy Rights Clearinghouse


SQL Injection Means Business, Literally


SQL Injection: Technical Impact

Retrieve sensitive data
from the organization
Steal the site’s
administrator password
Lead to the downloading
of malware

Still A Very Relevant Attack

On average, we have identified 53 SQLi
attacks per hour and 1,093 attacks per day.


SQL Injections By the Hour – Highly Automated


Main Automated Attack Tools

SQLmap
Havij

Yahoo! Hack – MSSQL Injection with Conversion
Errors

 Attack vector:
+ ' and 1 = convert (int,(select top 1 table_name from x).

 The server tries to convert the additional data (in this
case the table name) to integer
 Character strings cannot be converted into integer, thus
an error is triggered
 If a system is not hardened, the error message is visible
to the attacker, revealing the data


MSSQL Injection with Conversion Errors

 No need to be a hacker to exploit
 Even script kiddies can do it with automated exploit tools
+ Havij


From SQL Injection to Command Execution

 In case of SQL injection in MSSQL DB, attacker can
leverage it to run arbitrary commands using the
“XP_CMDSHELL” system stored procedure
 Supported by exploit tools


3rd Party Code Security


Vulnerable Application is a 3rd Party Application

 “The leading astrology portal in India… formed co-
branded channel alliances with internationally recognized
brands such as MSN, Yahoo! and Google”


Vulnerable Application is Hosted by 3rd Party

 Routing of users from Yahoo! to Astroyogi.com with a DNS
alias
 “in.horoscopes.lifestyle.yahoo.net”“yahoo.astroyogi.com”


You Don’t Own the Code of All Your Applications

 Yahoo! is not alone
 3rd party applications are embedded as code or by
hosting by many organizations
 28% of Veracode assessed applications are identified as
created by a 3rd party


You Don’t Even Own All the Code of YOUR
Applications

 Even homegrown applications are mostly comprised of
3rd party code
 According to Veracode:
+ “Up to 70% of internally developed code originates outside of
the development team”


Third Party Code Related Breaches


Becoming Part of OWASP Top 10


Recommendations


SQL Injection
Mitigation Checklist


Step 1: Use a WAF to Detect SQL Injection

 Positives
+ Can block many attacks
+ Relatively easy

 Negatives
+ Can become a crutch
+ Potential for false positives


Step 2: Deploy Reputation Based Solution

 Positives
+ Blocks up to 40% of attack
traffic
+ Easy

 Negatives
+ Does not deal with the
underlying problem


Step 3: Stop Automated Attack Tools

 Positives
+ Detects automated tool
fingerprints to block attacks
+ Relatively easy

 Negatives
+ Potential for false positives


Step 4: WAF + Vulnerability Scanner

“Security No-Brainer #9:
Application Vulnerability Scanners
Should Communicate with
Application Firewalls”
—Neil MacDonald, Gartner

Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-
communicate-with-application-firewalls/


3 rdParty Code
Mitigation Checklist


Technical Level Recommendations

 Assume third-party code – coming from partners,
vendors, or mergers and acquisitions – contains
serious vulnerabilities
 Pen test before deployment to identify these issues
 Deploy the application behind a WAF to
+ Virtually patch pen test findings
+ Mitigate new risks (unknown on the pen test time)
+ Mitigate issues the pen tester missed
+ Use cloud WAF for remotely hosted applications
 Virtually patch newly discovered CVEs
+ Requires a robust security update service


Webinar Materials

Join Imperva LinkedIn Group,
Imperva Data Security Direct, for…

Answers to
Post-Webinar
Attendee
Discussions
Questions

Webinar
Join Group
Recording Link


www.imperva.com

- CONFIDENTIAL -

Lessons Learned From the Yahoo! Hack

More Related Content

What's hot (20)

Similar to Lessons Learned From the Yahoo! Hack (20)

More from Imperva (20)

Recently uploaded (20)

Lessons Learned From the Yahoo! Hack