E-commerce company Digital River exposed data belonging to almost 200,000 individuals after hackers executed a “highly unusual search command” against its secured servers, according to a news report. The breach came to light only after a 19-year-old New York man allegedly tried to sell the purloined data for as much as $500,000 …
SELECT * FROM titles WHERE relevancy='1'
"It was stolen in late January using a “highly unusual” search command."
SELECT * FROM customer_data
Nah, it couldn't have been that simple surely.
But of course
Bobby Tables strikes again.
Surely you jest
I'm sure it was more complex than that.
More like ...
?querydb="'SELECT * FROM customer_data'"
“highly unusual” search command
Surely if it was a "highly unusual" search command the system should have blocked it? Doesn't seem terribly difficult to say "only these sets of criteria/types of searches are valid" and block all others, or at least flag them up and not allow them until checked? Even just a warning would have been better than discovering the breach once someone tries to sell the data...
Stored queries only
If you need to run any reasonably secure system you should only allow pre-stored queries to be run, with the parameters fully checked.
On things like banking systems even the programmers aren't allowed to generate queries - they can only call stored procedures, written by a different group and *thoroughly* checked.
If you allow the user to generate a query you are handing them the keys and hoping they won't use them.
Or like % :D
A percentage sign in the right field, perhaps? I suppose blaming the problem on 'OMG haxx0rz!' rather than third-world rent-a-coders doing stuff on the cheap makes more sense from a damage limitation perspective.
My first thought on reading this was "SQL Injection" - in common with i day say 99.8% of my fellow Reg Readers. After than, then next thought (probably around the same figures) was "Why are they using code like this"?
Whilst not forgiving, I can certainly understand startups going with the lowest bidder, and just trying to get the thing working and call it a day. It's wrong, it's shocking, but it happens...
However, once you've found commercial success and therefore presumably NOT got an idiot running your IT in your IT centric company, you would think whoever the lucky encumbent is would take a moment to code review what happened before his time - and especially on public facing aspects of the code.
Not good at all...
You'd really think it's caused by the "lowest bidder", but it happens very often on expensive contracts too.
I remember one company was contracted to work on webservices would allow me, as a subcontractor, to repair a webservice known to be vulnerable to sql injeciton. I said "this MUST be fixed", since any web user could come along and read every record, or even delete the whole DB. Well it didn't get fixed. The irony was that the contracting company was asked to do a security audit, but they didn't follow through to fix anything.
Security just isn't a priority for most companies, who aim to please with cost saving measures rather than improving quality.
Sounds like BAU to me.
The purpose of a security audit is not to fix problems it's to put a tick in a box to say that an audit has been done.
The number of plans I've seen that go (in summary) : Implementation (months), pen test (weeks), Go live.
Asking "but what about fixing the pen test issues?" just causes confusion amongst most of the project who seem to think that an audit actually fixes what it's auditing.
I guess in other areas you sort your life out before the auditors come in to avoid being punished rather than wait for the auditors to come along and slap you with a huge fine for not paying your taxes etc....
Not surprised, had a very disappointing experience
I am not surprised of the flaw, I had a very disappointing experience with Digital River, their site looked (a few months ago, when I paid a purchase) a very lame implementation, there were an issue with payment processing and sorting it out was difficult, the interface to ask for help poor and looked implemented to keep complains away - not customers friendly at all.
And when a company does not care for customers, it doesn't care for their data it collects too.
More middle tier rubbish.
6 years ago, I remember discussing the db layer from a job I designed with some Hibernate freak.
His assertion was that he needed Ins/Del/Updt access to the entire database so his middle tier objects could show me what they could do.
I demanded that instead of me making my db access open to all, that I keep all my sproc access fixed, and instead he make all his class member variables public so I could write white box code against his front end.
He seemed outraged that his code should be open and mine closed and without a hint of irony, he left.
10 years last month after writing, my original website with this architecture still hasn't had a single successful hack and is still one of the fastest sites in the UK. Though, despite it running at < 5% per box, supporting hundreds of thousands of concurrent visitors, I still get technical architects telling me that it won't scale. It's been down for less than a day total in ten years, all planned, and the only time it stopped selling was when they'd sold out one Winterval.
Every year, the owners hire more and more people who can write c# but don't understand databases.
Roll on a return to balanced tier architectures.
Wait a second here...
"The data contained names, email addresses, websites, and unique user-identification numbers for 198,398 individuals. It was originally gathered by affiliated marketing companies using software offered by Digital Rivers subsidiary Direct Response Technologies and stored on password-protected servers."
So you're telling me, it was originally collated by one type of thief, just to be purloined by another type of thief.
"The breach came to light only after a 19-year-old New York man allegedly tried to sell the purloined data"
"The breach"?! What? No mention of the f%$king marketing companies that pinched it in the first place, or is obtaining money through less tasteful, albeit legal means make it alright?
M$ and Digital River
Digital river was used by M$ for its "theultimatesteal" promotion. Guess someone wanted more than cheap copies of office and W7?
No surprises here...
Having had dealing with Digital River in the past, this news doesn't surprise me even slightly.
Highly Unusual - That would be SQL injection then?