It seems like every week there's some new story about data theft in the news (Yahoo, LinkedIn, Target, now Weebly). How are these attacks being done? Is it primarily SQL injection? Social engineering to get the database credentials? How can we protect our own databases from such attacks?
The longer answer is that most software is crap but you don't notice as a consumer. That combined with the lack of incentive to fix things unless they're visibly broken means that crappy software will exist till it's either publicized or someone on the engineering team cares enough (and has enough clout) to fix it.
Someone uses the same password on GitHub as they did for Photoshop and suddenly a breach in one place leads to source access.
And private source code is typically full of credentials or makes it very easy to find poorly secured admin functions, if it doesn't contain copies of data itself.
Data hygiene, good security around credential re-use and 2fa, not putting in backdoors all lead to leaks.
Or more mundane unsecured direct object references which catches out even large companies sometimes.
One of the best ways to protect your users is actually to store less of their data in the first place. Do you really need to store all that personally-identifiable information to operate your service? Can some of it be anonymized or de-identified instead? For example, do you really need to store the home address and mobile phone number of your users? My personal pet peeve is when sites would ask for my date of birth as a recovery question.
SQL injection is probably the primary attack. You might also have unsecured endpoints that give too much information (e.g. /[email protected]). If you have endpoints that can be leveraged to achieve remote code execution, you then have someone on the system who can pivot to a database. An employee's machine could be compromised. An employee could leak them.
There are probably one hundred paths to database dumps. This is why principles like defense in depth, least privilege, and whitelisting are all important to apply system-wide. If your team doesn't know how to do it, hire a company to do security audits or study like crazy.
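The two database-dump paths named above (SQL injection through string-built queries, and an unsecured direct object reference on an endpoint) side by side with their fixed forms, as an added example that is not code from the thread; the tables, users and order ids are constructed sample data:

```python
import sqlite3

def make_db():
    # Constructed sample data (not from any real service): two users, each owning one order.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, total REAL)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice@example.com", "555-0100"), (2, "bob@example.com", "555-0101")])
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(10, 1, 19.99), (11, 2, 42.00)])
    return db

def lookup_vulnerable(db, email):
    # Untrusted input is spliced into the SQL text, so quote characters change the query itself.
    return db.execute("SELECT email, phone FROM users WHERE email = '" + email + "'").fetchall()

def lookup_parameterized(db, email):
    # The driver binds the value separately from the statement; it is never parsed as SQL.
    return db.execute("SELECT email, phone FROM users WHERE email = ?", (email,)).fetchall()

def get_order_vulnerable(db, session_user_id, order_id):
    # Insecure direct object reference: the caller's identity is ignored, so any
    # logged-in user can read any order just by changing the id in the URL.
    return db.execute("SELECT id, owner_id, total FROM orders WHERE id = ?", (order_id,)).fetchone()

def get_order(db, session_user_id, order_id):
    # Object-level authorization: the row must belong to the session's user.
    return db.execute("SELECT id, owner_id, total FROM orders WHERE id = ? AND owner_id = ?",
                      (order_id, session_user_id)).fetchone()

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"                    # tautology that makes the WHERE clause always true
    print(lookup_vulnerable(db, payload))      # every row in the table leaks
    print(lookup_parameterized(db, payload))   # [] - no user has that literal email
    print(get_order_vulnerable(db, 1, 11))     # user 1 reads user 2's order
    print(get_order(db, 1, 11))                # None
```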
If I have a simple side project, and can't afford to hire someone else to secure it, but still want to follow best practices, where can I learn them? Books? Courses? Anything anyone here recommends?
I think in most cases it isn't publicly disclosed what the true root cause was. Most cases probably fall into 2 categories:
1) Companies are too embarrassed to admit they made a mistake, and furthermore there is no legal or security benefit to publicly declaring "We have an open SQL injection on xyz url."
2) Companies don't even know how or when they got hacked. Senior devs may have reached a point of thinking "There are so many moving parts here and I have so many bugs to fix that it's not even worth the time to try to make them all secure against a targeted hacker." When they do get hacked, it may be the first time they realize that they haven't been logging everything that might allow them to actually trace the origin. If the attack happened far in the past, necessary information required to investigate may have been lost long ago.
I think this is misleading. I'm assuming you're referring to the election related leaks, which as far as I've seen are significantly different than private sector database leaks.
I can't say for big companies, but for smaller companies it is generally software like WordPress for a blog or some forum software that you installed, and then they find an exploit and exploit every site that has it. There is very little you could do even if you are updating frequently.
If you really need to install third party software I feel it's best to put them on their own instance and separate database than to share any resources with your main site.
An additional avenue I've seen frequently exploited that hasn't been mentioned yet is password reuse. It is cyclic; however, with all of these database thefts, attackers are gaining access to large numbers of credentials which can be leveraged to gain privileged access to other companies and systems.
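Reused credentials from one breach show up at the next company as many accounts being tried from one source in a short window. A small detector for that pattern over constructed auth log lines, added here as an example and not from the thread; the log format, IPs and usernames are invented:

```python
import re
from collections import defaultdict

# Constructed sample auth log (invented format, addresses and users; not from any real system).
LOG = """\
t=10:00:01 ip=203.0.113.5 user=alice result=fail
t=10:00:02 ip=203.0.113.5 user=bob result=fail
t=10:00:02 ip=203.0.113.5 user=carol result=success
t=10:00:03 ip=203.0.113.5 user=dave result=fail
t=10:00:04 ip=203.0.113.5 user=erin result=fail
t=10:00:05 ip=203.0.113.5 user=frank result=fail
t=10:01:00 ip=198.51.100.7 user=alice result=fail
t=10:01:05 ip=198.51.100.7 user=alice result=fail
t=10:01:09 ip=198.51.100.7 user=alice result=success
"""
LINE = re.compile(r"ip=(\S+) user=(\S+) result=(\S+)")

def parse(log):
    # Yield (ip, user, result) for each well-formed line; skip anything else.
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def find_stuffing_sources(log, min_accounts=5):
    """Return {ip: [accounts it logged into]} for every source that attempted
    logins against at least min_accounts distinct accounts. A list of leaked
    credentials produces one or two tries across many users; a person who
    forgot their own password produces many tries against one user."""
    tried = defaultdict(set)
    succeeded = defaultdict(set)
    for ip, user, result in parse(log):
        tried[ip].add(user)
        if result == "success":
            succeeded[ip].add(user)
    return {ip: sorted(succeeded[ip]) for ip, users in tried.items()
            if len(users) >= min_accounts}

if __name__ == "__main__":
    # Flags 203.0.113.5 (6 accounts, one of them compromised) and not 198.51.100.7 (1 account).
    print(find_stuffing_sources(LOG))
```

The successful accounts returned for a flagged source are the ones whose passwords were reused elsewhere and should be reset and reviewed.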
It depends, but with really complex web applications that are very modular, oftentimes different people working on said modules don't fully understand how all of the other modules interact with the ones they are modifying. Sometimes a simple change to one can open a gaping security hole in another.
dewyatt|9 years ago
Here's a video of Phineas Fisher hacking a police union a while back:
https://tune.pk/video/6528544/hack
How he took down Hacking Team:
http://pastebin.com/raw/0SNSvyjJ
General guide:
http://0x27.me/HackBack/0x00.txt