Lessons Learned From the Yahoo! Hack

Amichai Shulman, CTO




                       © 2013 Imperva, Inc. All rights reserved.
Agenda

• Finding the vulnerable Yahoo! app
  + A true cyber detective story
• Yahoo! hack technical analysis
  + SQL Injection
  + Error based SQL Injection
• The greater lesson
  + 3rd party code security
• Summary and Conclusions

Amichai Shulman – CTO Imperva

• Speaker at industry events
  + RSA, Sybase Techwave, Info Security UK, Black Hat
• Lecturer on information security
  + Technion - Israel Institute of Technology
• Former security consultant to banks & financial services firms
• Leads the Application Defense Center (ADC)
  + Discovered over 20 commercial application vulnerabilities
    – Credited by Oracle, MS-SQL, IBM and others

Amichai Shulman is one of InfoWorld’s “Top 25 CTOs”

Cyber Detective Story

Breaking News – Yahoo! Has Been Hacked

Gathering Evidence

• The hacker released a redacted screenshot of the allegedly hacked Yahoo! app

Forensics – Turning Evidence into Insights (1)

• Host name from the address bar:
  + Ends in “yle.yahoo.net” (not “yahoo.com”)
  + It has a relatively long host name

Forensics – Turning Evidence into Insights (2)

• Error message:
  + The application is powered by ASP.NET
    – Most Yahoo! applications are PHP based
  + The application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code

Identifying the Vulnerable Yahoo! App (1)

• Host name from the address bar:
  + Ends in “yle.yahoo.net” (not “yahoo.com”)
  + It has a relatively long host name

Identifying the Vulnerable Yahoo! App (2)

• Error message:
  + The application is powered by ASP.NET (not PHP like most Yahoo! applications)
  + The application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code

Yahoo! Hack Technical Analysis – Error Based SQL Injection

Data Extraction Techniques by Hackers: 2005-2011

[Pie chart] SQL Injection: 83%; Other: 17%
Total = 315,424,147 records (856 breaches)

Source: Privacy Rights Clearinghouse

SQL Injection Means Business, Literally

SQL Injection: Technical Impact

• Retrieve sensitive data from the organization
• Steal the site’s administrator password
• Lead to the downloading of malware

Still A Very Relevant Attack

On average, we have identified 53 SQLi attacks per hour and 1,093 attacks per day.

SQL Injections By the Hour – Highly Automated

Main Automated Attack Tools

• SQLmap
• Havij

Yahoo! Hack – MSSQL Injection with Conversion Errors

• Attack vector:
  + ' and 1 = convert(int, (select top 1 table_name from x))
• The server tries to convert the additional data (in this case the table name) to an integer
• Character strings cannot be converted into an integer, so an error is triggered
• If the system is not hardened, the error message is visible to the attacker, revealing the data

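The mechanism on this slide in runnable form, as an added example that is not part of the Imperva deck: a string-concatenated lookup beside its parameterised counterpart, run against a constructed SQLite in-memory table. Assumptions: the real application used MSSQL, so SQLite stands in only to make the code run offline, and the conversion probe therefore fails with a parser error rather than an MSSQL conversion error, which is still enough to show what the vulnerable path leaks. The table, column and function names are invented.

```python
import sqlite3

SERVER_LOG = []  # stands in for the application's server-side error log


def make_db():
    """Constructed in-memory user table standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Both defects the slide describes: user input is concatenated into the
    SQL text, and the database's own error message is returned to the client.
    Returns ("ok", [emails]) or ("error", db_message)."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    try:
        return ("ok", [row[0] for row in conn.execute(sql)])
    except sqlite3.Error as exc:
        return ("error", str(exc))  # leaks engine/parser detail to the caller


def lookup_hardened(conn, name):
    """Parameterised query: the input is bound as a value and never parsed as
    SQL. Database errors are logged server-side; the client sees a generic
    message, so an error-based probe learns nothing."""
    try:
        rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
        return ("ok", [row[0] for row in rows])
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"lookup failed for {name!r}: {exc}")
        return ("error", "An internal error occurred.")


# Constructed probe inputs: the deck's conversion-error vector (with a trailing
# SQL comment so the closing quote of the original query is ignored) and a
# classic tautology, to show that the query's meaning changes under concatenation.
CONVERSION_PROBE = "' and 1 = convert(int, (select top 1 table_name from x))--"
TAUTOLOGY = "' OR '1'='1"


def run_demo():
    """Run both lookups against each input; returns the results for inspection."""
    conn = make_db()
    results = {}
    for label, value in [("normal", "alice"),
                         ("tautology", TAUTOLOGY),
                         ("conversion", CONVERSION_PROBE)]:
        results[label] = {
            "vulnerable": lookup_vulnerable(conn, value),
            "hardened": lookup_hardened(conn, value),
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

The vulnerable path returns the engine's own error text (exactly what an error-based injection reads back) and lets the tautology input widen the result set; the hardened path binds the input as a value so it never reaches the parser, and keeps the error detail in the server log. On ASP.NET the generic-message branch corresponds to setting customErrors to On or RemoteOnly in web.config, which is the hardening the slide's last bullet refers to.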
MSSQL Injection with Conversion Errors

• No need to be a hacker to exploit it
• Even script kiddies can do it with automated exploit tools
  + Havij

From SQL Injection to Command Execution

• In the case of SQL injection in an MSSQL database, the attacker can leverage it to run arbitrary commands using the “XP_CMDSHELL” system stored procedure
• Supported by exploit tools

3rd Party Code Security

Vulnerable Application is a 3rd Party Application

• “The leading astrology portal in India… formed co-branded channel alliances with internationally recognized brands such as MSN, Yahoo! and Google”

Vulnerable Application is Hosted by 3rd Party

• Routing of users from Yahoo! to Astroyogi.com with a DNS alias
• “in.horoscopes.lifestyle.yahoo.net” -> “yahoo.astroyogi.com”

You Don’t Own the Code of All Your Applications

• Yahoo! is not alone
• 3rd party applications are embedded as code or by hosting by many organizations
• 28% of Veracode assessed applications are identified as created by a 3rd party

You Don’t Even Own All the Code of YOUR Applications

• Even homegrown applications are mostly comprised of 3rd party code
• According to Veracode:
  + “Up to 70% of internally developed code originates outside of the development team”

Third Party Code Related Breaches

Becoming Part of OWASP Top 10

Recommendations

SQL Injection Mitigation Checklist

Step 1: Use a WAF to Detect SQL Injection

Positives
  + Can block many attacks
  + Relatively easy

Negatives
  + Can become a crutch
  + Potential for false positives

Step 2: Deploy Reputation Based Solution

Positives
  + Blocks up to 40% of attack traffic
  + Easy

Negatives
  + Does not deal with the underlying problem

Step 3: Stop Automated Attack Tools

Positives
  + Detects automated tool fingerprints to block attacks
  + Relatively easy

Negatives
  + Potential for false positives

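Steps 1 and 3, together with the earlier slides on automated tools and injections by the hour, describe detection that a WAF or a log-analysis job performs. The following is an added example, not part of the deck and not Imperva's product logic: a small Python analyzer that parses constructed access-log lines, flags the conversion-error probe from the Yahoo! case along with a few companion SQLi indicators, flags requests whose User-Agent carries a tool name, and counts hits per hour. Assumptions: sqlmap and Havij identify themselves in their default User-Agent string (verify against your own traffic before relying on it); the log format, IP addresses, paths and User-Agent strings are all constructed.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed access-log lines; every value is made up. Format:
# ip - - [timestamp] "METHOD path HTTP/1.1" status "User-Agent"
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2013:14:02:11 +0000] "GET /horoscope.aspx?sign=leo HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [10/Jan/2013:14:02:13 +0000] "GET /horoscope.aspx?sign=leo%27%20and%201%3Dconvert(int%2C(select%20top%201%20table_name%20from%20x))-- HTTP/1.1" 500 "Mozilla/4.0 (compatible; MSIE 7.0; Havij)"
203.0.113.9 - - [10/Jan/2013:14:03:40 +0000] "GET /horoscope.aspx?sign=leo%27%20and%201%3D1-- HTTP/1.1" 200 "sqlmap/1.0 (http://sqlmap.org)"
198.51.100.2 - - [10/Jan/2013:14:05:02 +0000] "GET /search.aspx?q=o%27brien HTTP/1.1" 200 "Mozilla/5.0 (Macintosh)"
198.51.100.8 - - [10/Jan/2013:15:10:55 +0000] "GET /horoscope.aspx?sign=%27%20or%20%271%27%3D%271 HTTP/1.1" 500 "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Jan/2013:15:11:03 +0000] "GET /horoscope.aspx?sign=leo%27%3B%20xp_cmdshell%20-- HTTP/1.1" 500 "sqlmap/1.0 (http://sqlmap.org)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Request-level SQLi indicators, applied to the URL-decoded path. The first is
# the conversion-error technique from the Yahoo! case; the rest are common
# companions of it in automated scans.
SQLI_PATTERNS = [
    ("conversion-error probe", re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)),
    ("cast probe", re.compile(r"\bcast\s*\(", re.I)),
    ("tautology", re.compile(r"'\s*(?:or|and)\s+'?\d+'?\s*=", re.I)),
    ("xp_cmdshell reference", re.compile(r"\bxp_cmdshell\b", re.I)),
]

# User-Agent substrings for the two tools the deck names (assumed default
# self-identification; confirm against real traffic before relying on it).
TOOL_FINGERPRINTS = ("sqlmap", "havij")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def classify(rec):
    """Return the list of reasons this request looks like SQLi activity."""
    reasons = [name for name, pat in SQLI_PATTERNS if pat.search(rec["decoded_path"])]
    ua = rec["ua"].lower()
    reasons += [f"tool fingerprint: {t}" for t in TOOL_FINGERPRINTS if t in ua]
    return reasons


def analyze(log_text):
    """Flag suspicious requests and bucket them per hour (the 'by the hour' view)."""
    findings = []
    per_hour = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hour = rec["when"].strftime("%Y-%m-%d %H:00")
            per_hour[hour] += 1
            findings.append((rec["ip"], hour, rec["status"], reasons))
    return {"findings": findings, "per_hour": dict(per_hour)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, hour, status, reasons in result["findings"]:
        print(ip, hour, status, ", ".join(reasons))
    print("per hour:", result["per_hour"])
```

The benign "o'brien" search illustrates the false-positive concern from the Negatives column: a bare quote is not flagged, because the tautology pattern requires an operator and a comparison after it. Patterns like these are a starting point for tuning against real traffic, not a finished ruleset, and the User-Agent check only catches tools that have not been told to spoof a browser.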
Step 4: WAF + Vulnerability Scanner

“Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls”
—Neil MacDonald, Gartner

Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/

3rd Party Code Mitigation Checklist

Technical Level Recommendations

• Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
• Pen test before deployment to identify these issues
• Deploy the application behind a WAF to
  + Virtually patch pen test findings
  + Mitigate new risks (unknown at the time of the pen test)
  + Mitigate issues the pen tester missed
  + Use a cloud WAF for remotely hosted applications
• Virtually patch newly discovered CVEs
  + Requires a robust security update service

Webinar Materials

Join the Imperva LinkedIn Group, Imperva Data Security Direct, for…

• Post-Webinar Discussions
• Answers to Attendee Questions
• Webinar Recording Link

www.imperva.com




Steve Jonas
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 

Lessons Learned From the Yahoo! Hack

  • 1. Lessons Learned From the Yahoo! Hack Amichai Shulman, CTO © 2013 Imperva, Inc. All rights reserved.
  • 2. Agenda - Finding the vulnerable Yahoo! app + A true cyber detective story - Yahoo! hack technical analysis + SQL Injection + Error based SQL Injection - The greater lesson + 3rd party code security - Summary and Conclusions
  • 3. Amichai Shulman – CTO Imperva - Speaker at Industry Events + RSA, Sybase Techwave, Info Security UK, Black Hat - Lecturer on Info Security + Technion - Israel Institute of Technology - Former security consultant to banks & financial services firms - Leads the Application Defense Center (ADC) + Discovered over 20 commercial application vulnerabilities – Credited by Oracle, MS-SQL, IBM and others. Amichai Shulman one of InfoWorld’s “Top 25 CTOs”
  • 4. Cyber Detective Story
  • 5. Breaking News – Yahoo! Has been Hacked
  • 6. Gathering Evidence - Hacker released a redacted screenshot of the allegedly hacked Yahoo! app
  • 7. Forensics – Turning Evidence into Insights (1) - Host name from address bar: + Ends in “yle.yahoo.net” (not “yahoo.com”) + It has a relatively long host name
  • 8. Forensics – Turning Evidence into Insights (2) - Error message + The application is powered by ASP.NET – Most Yahoo! applications are PHP based + Application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code
  • 9. Identifying the Vulnerable Yahoo! App (1) - Host name from address bar: + Ends in “yle.yahoo.net” (not “yahoo.com”) + It has a relatively long host name.
  • 10. Identifying the Vulnerable Yahoo! App (1) - Host name from address bar: + Ends in “yle.yahoo.net” (not “yahoo.com”) + It has a relatively long host name.
  • 11. Identifying the Vulnerable Yahoo! App (2) - Error message + The application is powered by ASP.NET (not PHP like most Yahoo! applications) + Application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code
  • 12. Identifying the Vulnerable Yahoo! App (2) - Error message + The application is powered by ASP.NET (not PHP like most Yahoo! applications) + Application source file resides on C:webcorp[blackened by hacker]pYahooV2app_code
  • 13. Yahoo! Hack Technical Analysis – Error Based SQL Injection
  • 14. Data Extraction Techniques by Hackers: 2005-2011 - SQL Injection 83%, Other 17%. Total = 315,424,147 records (856 breaches). Source: Privacy Rights Clearinghouse
  • 15. SQL Injection Means Business, Literally
  • 16. SQL Injection: Technical Impact - Retrieve sensitive data from the organization - Steal the site’s administrator password - Lead to the downloading of malware
  • 17. Still A Very Relevant Attack - On average, we have identified 53 SQLi attacks per hour and 1,093 attacks per day.
  • 18. SQL Injections By the Hour – Highly Automated
  • 19. Main Automated Attack Tools - SQLmap - Havij
  • 20. Yahoo! Hack – MSSQL Injection with Conversion Errors - Attack vector: + ' and 1 = convert (int,(select top 1 table_name from x). - The server tries to convert the additional data (in this case the table name) to integer - Character strings cannot be converted into integer, thus an error is triggered - If a system is not hardened, the error message is visible to the attacker, revealing the data
  • 21. MSSQL Injection with Conversion Errors - No need to be a hacker to exploit - Even script kiddies can do it with automated exploit tools + Havij
  • 22. From SQL Injection to Command Execution - In case of SQL injection in MSSQL DB, attacker can leverage it to run arbitrary commands using the “XP_CMDSHELL” system stored procedure - Supported by exploit tools
  • 23. 3rd Party Code Security
  • 24. Vulnerable Application is a 3rd Party Application - “The leading astrology portal in India… formed co-branded channel alliances with internationally recognized brands such as MSN, Yahoo! and Google”
  • 25. Vulnerable Application is Hosted by 3rd Party - Routing of users from Yahoo! to Astroyogi.com with a DNS alias - “in.horoscopes.lifestyle.yahoo.net” → “yahoo.astroyogi.com”
  • 26. You Don’t Own the Code of All Your Applications - Yahoo! is not alone - 3rd party applications are embedded as code or by hosting by many organizations - 28% of Veracode assessed applications are identified as created by a 3rd party
  • 27. You Don’t Even Own All the Code of YOUR Applications - Even homegrown applications are mostly comprised of 3rd party code - According to Veracode: + “Up to 70% of internally developed code originates outside of the development team”
  • 28. Third Party Code Related Breaches
  • 29. Becoming Part of OWASP Top 10
  • 30. Recommendations
  • 31. SQL Injection Mitigation Checklist
  • 32. Step 1: Use a WAF to Detect SQL Injection - Positives + Can block many attacks + Relatively easy - Negatives + Can become a crutch + Potential for false positives
  • 33. Step 2: Deploy Reputation Based Solution - Positives + Blocks up to 40% of attack traffic + Easy - Negatives + Does not deal with the underlying problem
  • 34. Step 3: Stop Automated Attack Tools - Positives + Detects automated tool fingerprints to block attacks + Relatively easy - Negatives + Potential for false positives
  • 35. Step 4: WAF + Vulnerability Scanner - “Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls” —Neil MacDonald, Gartner. Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
  • 36. 3rd Party Code Mitigation Checklist
  • 37. Technical Level Recommendations - Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities - Pen test before deployment to identify these issues - Deploy the application behind a WAF to + Virtually patch pen test findings + Mitigate new risks (unknown at pen test time) + Mitigate issues the pen tester missed + Use cloud WAF for remotely hosted applications - Virtually patch newly discovered CVEs + Requires a robust security update service
  • 38. Webinar Materials - Join the Imperva LinkedIn Group, Imperva Data Security Direct, for: answers to attendee questions, post-webinar discussions, and the webinar recording link
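Slides 20, 21 and 34 describe two things a defender can look for in web server logs: the conversion-error injection pattern (`convert(int,(select ...))`) and the fingerprints of automated tools such as SQLmap and Havij. The following Python is an added example written for this page, not code from the deck or from Imperva; the access-log lines are constructed, and matching a tool by the name in its User-Agent assumes the tool's default User-Agent was not changed.

```python
"""Flag error-based SQL injection probes and automated-tool User-Agents
in Apache "combined" format access logs.

Added example for this page (not from the Imperva deck). The log lines
in SAMPLE_LOG are constructed; the User-Agent check is an assumption that
the tool's default User-Agent string was left in place.
"""
import re
from urllib.parse import unquote_plus

# Apache/IIS-style "combined" log line: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The vector from slide 20: a subquery wrapped in convert(int, ...) so that the
# string result raises a conversion error that may echo the data back.
ERROR_BASED_RE = re.compile(
    r"\bconvert\s*\(\s*int\s*,\s*\(\s*select\b", re.IGNORECASE
)

# Tool names that SQLmap and Havij put in their default User-Agent (assumption:
# not spoofed). Lower-cased substring match.
TOOL_MARKERS = ("sqlmap", "havij")

# Constructed sample log lines; the injected request mirrors the slide-20 vector.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2013:10:15:01 +0000] "GET /horoscope.aspx?sign=leo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [22/Jan/2013:10:15:02 +0000] "GET /horoscope.aspx?sign=leo'%20and%201%20%3D%20convert(int,(select%20top%201%20table_name%20from%20x)) HTTP/1.1" 500 2210 "-" "Mozilla/5.0"
203.0.113.12 - - [22/Jan/2013:10:15:03 +0000] "GET /horoscope.aspx?sign=leo HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.13 - - [22/Jan/2013:10:15:04 +0000] "GET /horoscope.aspx?sign=leo' HTTP/1.1" 500 2210 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"
"""


def is_error_based_probe(request_path: str) -> bool:
    """True if the URL-decoded request contains the convert(int,(select ...)) pattern."""
    decoded = unquote_plus(request_path)
    return ERROR_BASED_RE.search(decoded) is not None


def tool_fingerprint(user_agent: str):
    """Return the matching tool marker, or None."""
    ua = user_agent.lower()
    for marker in TOOL_MARKERS:
        if marker in ua:
            return marker
    return None


def analyze_log(text: str):
    """Scan log text; return one finding dict per signal, in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line; a production scanner would count these
        rec = m.groupdict()
        status = int(rec["status"])
        # A 5xx on an injected request suggests the error was not handled,
        # i.e. the system may be leaking the conversion error (slide 20).
        server_error = status >= 500
        if is_error_based_probe(rec["path"]):
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "kind": "error_based_sqli",
                             "detail": unquote_plus(rec["path"]),
                             "server_error": server_error})
        tool = tool_fingerprint(rec["ua"])
        if tool is not None:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "kind": "automated_tool",
                             "detail": tool,
                             "server_error": server_error})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:<14} {f['kind']:<17} "
              f"{'5xx' if f['server_error'] else '   '} {f['detail']}")
```

The `server_error` flag is the corroborating signal the deck points at: an injected request answered with a 5xx means the conversion error reached the response path, which is exactly the condition under which the error message reveals data. The decoder handles one level of URL encoding; a WAF in front of the application normalises further (double encoding, comments, case), which is why the deck lists the WAF as step 1 and tool fingerprinting as step 3 rather than relying on signatures alone.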