Lessons Learned From the Yahoo! Hack
© 2013 Imperva, Inc. All rights reserved.
Agenda
Finding the vulnerable Yahoo! app
+ A true cyber detective story
Yahoo! hack technical analysis
+ SQL Injection
+ Error based SQL Injection
The greater lesson
+ 3rd party code security
Summary and Conclusions
Amichai Shulman – CTO Imperva
Speaker at Industry Events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
Lecturer on Info Security
+ Technion - Israel Institute of Technology
Former security consultant to banks & financial services firms
Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities
– Credited by Oracle, MS-SQL, IBM and others
Named one of InfoWorld’s “Top 25 CTOs”
Gathering Evidence
Hacker released a redacted screenshot of the allegedly hacked Yahoo! app
Forensics – Turning Evidence into Insights (1)
Host name from address bar:
+ Ends in “yle.yahoo.net”, (not “yahoo.com”)
+ It has a relatively long host name
Forensics – Turning Evidence into Insights (2)
Error message
+ The application is powered by ASP.NET (most Yahoo! applications are PHP based)
+ Application source file resides on C:\webcorp\[blackened by hacker]p\YahooV2\app_code
Yahoo! Hack Technical Analysis: Error Based SQL Injection
Data Extraction Techniques by Hackers: 2005-2011
SQL Injection 83%
Other 17%
Total = 315,424,147 records (856 breaches)
Source: Privacy Rights Clearinghouse
SQL Injection: Technical Impact
Retrieve sensitive data from the organization
Steal the site’s administrator password
Lead to the downloading of malware
Still A Very Relevant Attack
On average, we have identified 53 SQLi attacks per hour and 1,093 attacks per day.
Yahoo! Hack – MSSQL Injection with Conversion Errors
Attack vector:
+ ' and 1 = convert(int, (select top 1 table_name from x))
The server tries to convert the additional data (in this case the table name) to integer
Character strings cannot be converted into integer, thus an error is triggered
If a system is not hardened, the error message is visible to the attacker, revealing the data
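As an added example (not from the Imperva deck), the following Python flags the conversion-error payload shape described above, and automated-tool traffic, in web-server log lines. The log format, the sample lines and the tool marker list are constructed assumptions, not vetted signatures.

```python
"""Flag error-based SQL injection attempts and automated-tool traffic in
web-server logs. Log format, sample lines and tool markers are constructed."""
import re
from urllib.parse import unquote_plus

# Error-based SQLi shape from the deck: a type conversion wrapped around a
# sub-select, so the DBMS error message carries the selected value back.
CONVERSION_SQLI = re.compile(
    r"(convert|cast)\s*\(\s*(int|integer|numeric)\s*,?\s*\(?\s*select\b"
    r"|cast\s*\(\s*\(?\s*select\b.*?\bas\s+(int|integer|numeric)",
    re.IGNORECASE,
)
# Constructed markers for automated injection tools (assumption).
TOOL_MARKERS = ("havij", "sqlmap")

# Minimal combined-log-format parser: client, request line, status, UA.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return finding tags for one log line (empty list if benign)."""
    m = LOG_LINE.match(line)
    if not m:
        return ["unparsed"]
    tags = []
    decoded = unquote_plus(m.group("url"))  # payloads arrive URL-encoded
    if CONVERSION_SQLI.search(decoded):
        tags.append("error-based-sqli")
        # A 500 on such a request suggests the raw DB error reached the
        # client, i.e. generic error pages were not enforced.
        if m.group("status") == "500":
            tags.append("error-page-returned")
    if any(t in m.group("ua").lower() for t in TOOL_MARKERS):
        tags.append("automated-tool")
    return tags

def scan(lines):
    """Map the index of each suspicious line to its tags."""
    return {i: t for i, t in enumerate(map(classify, lines)) if t}

# Constructed sample traffic (not real logs).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2012:10:01:02 +0000] "GET /horoscope.aspx?sign=aries HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Dec/2012:10:01:07 +0000] "GET /horoscope.aspx?sign=aries%27+and+1%3Dconvert%28int%2C%28select+top+1+table_name+from+x%29%29 HTTP/1.1" 500 1200 "-" "Mozilla/4.0 (compatible; Havij)"',
]
```

Running `scan(SAMPLE_LOG)` tags the second line as an error-based injection attempt that was answered with a 500 and came from a tool-like client.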
MSSQL Injection with Conversion Errors
No need to be a hacker to exploit
Even script kiddies can do it with automated exploit tools
+ Havij
From SQL Injection to Command Execution
With SQL injection into an MSSQL database, an attacker can leverage it to run arbitrary commands using the “XP_CMDSHELL” system stored procedure
Supported by exploit tools
Vulnerable Application is a 3rd Party Application
“The leading astrology portal in India… formed co-branded channel alliances with internationally recognized brands such as MSN, Yahoo! and Google”
Vulnerable Application is Hosted by 3rd Party
Routing of users from Yahoo! to Astroyogi.com with a DNS alias
“in.horoscopes.lifestyle.yahoo.net” → “yahoo.astroyogi.com”
You Don’t Own the Code of All Your Applications
Yahoo! is not alone
Many organizations use 3rd party applications, either embedded as code or hosted externally
28% of Veracode assessed applications are identified as created by a 3rd party
You Don’t Even Own All the Code of YOUR Applications
Even homegrown applications are mostly comprised of 3rd party code
According to Veracode:
+ “Up to 70% of internally developed code originates outside of the development team”
Step 1: Use a WAF to Detect SQL Injection
Positives
+ Can block many attacks
+ Relatively easy
Negatives
+ Can become a crutch
+ Potential for false positives
Step 2: Deploy Reputation Based Solution
Positives
+ Blocks up to 40% of attack traffic
+ Easy
Negatives
+ Does not deal with the underlying problem
Step 3: Stop Automated Attack Tools
Positives
+ Detects automated tool fingerprints to block attacks
+ Relatively easy
Negatives
+ Potential for false positives
Step 4: WAF + Vulnerability Scanner
“Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls” — Neil MacDonald, Gartner
Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
Technical Level Recommendations
Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
Pen test before deployment to identify these issues
Deploy the application behind a WAF to
+ Virtually patch pen test findings
+ Mitigate new risks (unknown at pen test time)
+ Mitigate issues the pen tester missed
+ Use cloud WAF for remotely hosted applications
Virtually patch newly discovered CVEs
+ Requires a robust security update service