Breaching the Bastille: When Security Vendors Get Hacked

The recent rash of disclosures about successful attacks against information security vendors may come as no surprise to many people in the information security world, who probably see or hear about such incidents frequently, but it will surely come as “shocking” to most “ordinary” folks.

HBGary, RSA, Comodo and Barracuda Networks are the latest high-profile security vendors to be breached. As a quick refresher, EMC’s RSA group disclosed that someone had broken into its networks and obtained information that could compromise its SecurID products.

Comodo, a security vendor that provides SSL certificates to providers of online shopping services, announced that it had unknowingly issued bogus SSL certificates for a number of web sites, including sites owned by Microsoft, Google, Yahoo, Skype and Mozilla. Apparently, one of Comodo’s partners, GlobalTrust, forgot the meaning of “global” and “trust” by not taking precautions against attacks and data destruction.

HBGary got itself into a knot with some questionable behavior after a data leak (the company was broken into, and tens of thousands of the company’s e-mail messages were posted online).

Most recently, Barracuda Networks, virtually a household name in enterprise security, got itself into an embarrassing situation when one of its servers was hacked and sensitive data concerning the company’s partners, along with the credentials of employees authorized to log in to the company’s content management system, were exposed.

Here’s Barracuda’s explanation of what happened:

In case you haven’t heard, Barracuda Networks was the latest victim of a SQL injection attack on our corporate Web site that compromised lead and partner contact information.

…The attack started [on a] Saturday night and was launched at a time when the Barracuda Web Application Firewall that was supposed to protect the site had been taken offline for maintenance. After a couple of hours of probing, the hacker found an SQL injection flaw — a common Web programming error — on a script used to display write-ups of customer case studies. That one mistake got him into a database that the company used for its marketing program and sales lead development.

Could it be argued that the common thread in all these cases centers on arrogance and/or complacency? Arrogance because the vendors thought they were too good to spend time taking care of the small things – regular audits, least privilege, data segregation etc. Complacency because they spend most of their time and effort telling us how to be secure and probably believed their own message without doing the necessary work.

That mentality flows down to the rest of us when we hear the names of these industry giants. I mean, RSA has a cryptographic algorithm named after them, for crying out loud. And Barracuda? The company was doing web and email security before it became mainstream.

Apparently, these companies were as confident of their security as most of us are. But they got hacked, and the painful part is that some of the causes of the hacks were mistakes you would expect “ordinary” companies or users to make. How often have we heard these vendors bombard us with “Defence-in-Depth”, “Keep your sensitive data separate”, “Do not expose your sensitive servers to the internet” etc.? Yet the root causes of the breaches are those very same issues – almost a case of “Do as I say, not as I do”?

Lessons learned?

  1. Even a “Bastille” for data security can be breached with enough time and patience.
  2. It pays to have a solid set of policies, standards, guidelines and procedures that are constantly updated to reflect changing times. More important, make sure your employees know and understand what to do when an incident occurs. It is not enough just to say, “they should know what to do”. After all, it could easily be argued that no one told the Barracuda maintenance folks about the dangers of placing a firewall in passive monitoring mode during a maintenance window.

Barracuda sums up additional lessons very well in its frank admission of the screw-up:

  • You can’t leave a Web site exposed nowadays for even a day (or less).
  • Code vulnerabilities can happen in places far away from the data you’re trying to protect.
  • You can’t be complacent about coding practices, operations or even the lack of private data on your site – even when you have WAF (Web Application Firewall) technology deployed.
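As an added illustration of the bug class behind the case-study script described above (this is not Barracuda’s code; the table, column and slug names are assumptions constructed for the example), the string-spliced query sits beside a form that validates the input and binds it as a parameter, neither of which depends on a WAF being online:

```python
import re
import sqlite3

# Constructed stand-in for a marketing database holding case-study
# write-ups, one of them an unpublished draft. Names are assumptions.
SCHEMA = """
CREATE TABLE case_studies (slug TEXT PRIMARY KEY, title TEXT, published INTEGER);
INSERT INTO case_studies VALUES ('acme', 'ACME deploys spam filtering', 1);
INSERT INTO case_studies VALUES ('globex', 'Globex rollout (draft)', 0);
"""

# Allowlist for what a case-study slug in a URL may look like.
SLUG_RE = re.compile(r"^[a-z0-9-]{1,64}$")


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def case_study_vulnerable(conn, slug):
    # The common Web programming error from the write-up: the request
    # parameter is pasted into the SQL text, so a quote character in it
    # changes the structure of the query instead of being compared as data.
    sql = ("SELECT slug, title FROM case_studies "
           "WHERE published = 1 AND slug = '%s'" % slug)
    return conn.execute(sql).fetchall()


def case_study_hardened(conn, slug):
    # Defence in depth: reject anything that is not a plausible slug before
    # it reaches the database, then bind the value as a parameter so the
    # driver never splices it into the statement.
    if not SLUG_RE.fullmatch(slug):
        return []
    sql = ("SELECT slug, title FROM case_studies "
           "WHERE published = 1 AND slug = ?")
    return conn.execute(sql, (slug,)).fetchall()


def rows_returned(lookup, slug):
    # Count rows a lookup function hands back for a given request value.
    return len(lookup(connect(), slug))
```

Running both lookups on the same request values shows the spliced version returning the unpublished draft for an input containing a quote, while the hardened version returns nothing for it and still serves the legitimate slug.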

Happy computing and be careful out there folks.