Windstream's Quarterly Newsletter
Injecting Clarity: Learn from Yahoo's SQL Injection Password Security Breach

by Rob Anderson, Windstream Senior Product Marketing Manager

It's happened again.

As the New York Times reported, "Yahoo confirmed that a file containing approximately 400,000 usernames and passwords to Yahoo and other companies was stolen." While unsettling, this news is not surprising. We've repeatedly noted the constant cat-and-mouse game going on between hackers and infosec professionals, who seek to keep information private.

Worse still is how the massive info grab was perpetrated. Essentially, a group of hackers targeted Yahoo's Contributor Network database and gained access to it using a SQL injection. To pull off a SQL injection, hackers literally insert SQL statements into a web form entry (like a user name or password text box) that are designed to command the database to dump its contents to the attacker. In this case, the contents of the database were tons and tons of user names and passwords. Sounds pretty complex, right? Well, it really isn't. In fact, it's one of the best-known database exploits out there, and proper field input filtering on Yahoo's part would have kept the massive breach from ever occurring.
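To make the mechanism concrete, here is an added example (not code from the article or from Yahoo) showing the defect behind a SQL injection and the standard fix: a user lookup that splices form input into the query text, beside the same lookup written with a parameterized query so the input stays data. The in-memory SQLite table and its rows are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed stand-in for a site's user table (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple"), ("carol", "hunter2")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn, username):
    # The form value is pasted straight into the SQL text, so quotes and
    # keywords in it change the query's logic instead of being compared
    # as a string. This is the defect that a SQL injection exploits.
    sql = "SELECT username, password FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def find_user_parameterized(conn, username):
    # The SQL text is fixed; the value travels separately through the
    # driver's placeholder, so whatever the user typed can only ever be
    # matched as a username, never parsed as SQL.
    sql = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# A textbook payload typed into the "user name" box: it closes the quoted
# string, makes the WHERE clause always true, and comments out the rest.
CRAFTED_INPUT = "' OR 1=1 --"

def demo():
    """Returns how each version responds to a normal and to a crafted input."""
    conn = make_db()
    return {
        "normal_vulnerable": find_user_vulnerable(conn, "alice"),
        "normal_parameterized": find_user_parameterized(conn, "alice"),
        # The vulnerable lookup dumps the whole table; the parameterized
        # one just fails to find a user literally named "' OR 1=1 --".
        "crafted_vulnerable": find_user_vulnerable(conn, CRAFTED_INPUT),
        "crafted_parameterized": find_user_parameterized(conn, CRAFTED_INPUT),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-24s -> %d row(s): %s" % (label, len(rows), rows))
```

Input filtering, as the article recommends, reduces the attack surface, but parameterized queries (prepared statements) are the control that removes this bug class outright, because no filter has to anticipate every way of smuggling SQL through a text box.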

The icing on the cake was the fact that all of these user names and passwords were stored as plaintext. Typically, a large site like Yahoo would store passwords in a randomized encrypted format, so that if hackers were able to break in, they wouldn't be able to decipher the information. Since they didn't do that, all of those passwords were published.

So the big question is, how do you protect yourself?

As an enterprise, the best way to protect your databases is to 1) encrypt password information, 2) create rules to filter input field contents on public-facing websites to reduce the impact of SQL injections, and 3) install and maintain security appliances to protect those zones, such as those you'll find in Windstream's suite of Managed Network Security products.
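Point 1 is what would have limited the damage once the Yahoo database was dumped. The added example below (not from the article or from Yahoo) shows the usual way sites store passwords so that a stolen table does not reveal them: each password is run through a slow, salted one-way hash (PBKDF2 with SHA-256 here) rather than kept as text, and the random per-user salt is what makes two users with the same password look different in the table. The iteration count and the record format are choices made for this example.

```python
import hashlib
import hmac
import os

# Work factor chosen for this example; production systems tune this
# upward as hardware gets faster.
ITERATIONS = 200_000

def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt is drawn per password, so the same password
    produces a different record each time it is stored.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format: %s" % algorithm)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the first mismatch occurs.
    return hmac.compare_digest(candidate.hex(), digest_hex)

def demo():
    """Store one constructed password twice and check what a thief would see."""
    record_a = hash_password("correct horse")
    record_b = hash_password("correct horse")
    return {
        # Two stores of the same password differ because the salts differ.
        "records_differ": record_a != record_b,
        "plaintext_absent": "correct horse" not in record_a,
        "right_password_accepted": verify_password("correct horse", record_a),
        "wrong_password_rejected": not verify_password("battery staple", record_a),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print("%-25s %s" % (check, "ok" if ok else "FAILED"))
```

Strictly, this is hashing rather than encryption: there is no key that turns the stored record back into the password, which is exactly the property you want when a table like Yahoo's walks out the door.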

As an individual, it's important to remember that there are three ways your password gets out: The first and most obvious way is that someone guesses it, so don't use "password" or "123456" or other common iterations (these two were the most common in the Yahoo dump) to protect your stuff.

The second way, and probably the most common, is that someone phishes it from you. That means that you either provide your password to an individual pretending to be someone they're not, or you are led to a website that looks legitimate and are asked to enter your password, only to learn that you're sending it right into the hands of hackers who want to use your information for their own purposes.

Finally, if you've taken great pains to protect yourself on points 1 and 2, you may be completely out of luck because a situation like Yahoo's might take place and your password is leaked anyway. So the third thing you can do is to have a unique password for every site that you access, so that if this happens to you, the impact is mitigated. Don't feel like memorizing a unique password for each site you go to? I don't blame you, but there are great password management apps out there like LastPass that can help you establish safe and secure unique passwords for each of the sites you need to access.

The lesson here is that without appropriate security measures you probably shouldn't be asking if your password will be stolen, but when. And the actions you take to assure the protection of your data, including password management, will dictate the personal impact of that event and possibly save you headaches (and money) in the long run.

To protect your company's network, contact Windstream for Managed Network Security solutions.