Barracuda hack shows importance of defence

The attack against Barracuda occurred on Saturday night when the company's web application firewall was offline for maintenance.

The incident provides takeaways for other organizations, namely highlighting the danger of alone relying on web application firewalls to protect sites, experts said.

If operational, Barracuda's firewall most likely would have stopped the attack, since one of its functions is to block SQL injection, said Jason Reed, principal consultant at SystemExperts.

But it occurred while the firewall was down, illustrating the value of conducting penetration tests during scheduled maintenance windows, when networks are most vulnerable, he said.

“Firewalls are good but can mask problems if you don't test your network without them in place,” Reed said. “If they had tested in the past during this maintenance window, they may have found this error.”

After hours of probing, hackers, apparently from Malaysia, found and exploited an SQL injection vulnerability on Barracuda's website to raid databases and hijack the names and contact information of partners, customers and Barracuda employees.

The incident follows successful infiltrations this year of security firms RSA, Comodo and HBGary.

“Those threats are out there and can occur in your environment, just like in theirs,” Reed said.

SQL injection attacks are a common entry, said Chris Wysopal, chief technology officer of application security firm Veracode.

“We test hundreds of web apps a month, and about 38 percent have SQL injection vulnerabilities in them,” he said. “It's pretty prevalent.”

And with automated scripts these vulnerabilities are easy to uncover and exploit, Wyspoal said.

Finding and fixing vulnerabilities in applications before they are released or updated is critical to the development process but is sometimes overlooked, he said.

Stephen Pao, vice president of product management at Barracuda Networks said that “just north of 20,000 records” were taken in the attack, though the number of companies impacted is lower because in many cases, multiple contacts from the same company were affected.

Most of the compromised records belong to Barracuda's reseller partners, he added.

“Security is all about layers,” Pao said. “We always tell customers to use vulnerability assessment tools and static code analyzers. It is something we regularly employ as processes within the company.”

But, he added, business today is all about speed, and oftentimes organizations demand that applications be developed and deployed quickly.

Web application firewall technology is attractive because it provides the ability to operate safely, even when vulnerabilities are present, he said. But the breach is a reminder that things can go wrong, so relying on one technology alone is not adequate.

“It is a reminder that the documentation and enforcement and auditing of processes is required, at multiple levels,” he said.

Experts said the breach also illustrates the necessity of following the tried-and-true principle of least privilege.

In a blog post detailing the attack, Barracuda said the vulnerability existed in a PHP script that serves up customer reference case studies by vertical market. This content, however, was in the same SQL database infrastructure used for marketing programs. Once the attackers were able to find the vulnerable script, they could access multiple databases.

“The system wasn't configured to only allow access by the application to the information it needed," System Experts' Reed said.

Barracuda's Pao acknowledged that the company “could have had some better database security privileges in place”.

If the hackers were only able to access case study content, the security firm wouldn't have cared, he added.

“If someone wanted to steal and post that content, we would have been thrilled,” Pao said.

This article originally appeared at scmagazineus.com