This story has been updated with content that supersedes much of the original content. Updates are found at the bottom of the story.
Hackers disclosed this morning that they have been able to compromise BarackObama.com through a SQL injection attack.
The English of the post is quite poor; however, the researcher makes a very valid point. Shouldn’t the most powerful, well-protected man in the world have a website that is at least reasonably secure? Storing credentials in plain text is even more embarrassing than being vulnerable to SQL injection. Sometimes passwords must be stored in a reversible manner, but you should make the attacker at least work at it a bit.
More concerning is the screenshot that shows the URL as donate.barackobama.com. What other unencrypted information about donors might be stored in this database? If passwords haven’t been encrypted, it doesn’t take much imagination to figure out that other sensitive data is unencrypted as well.
On the bright side, it does appear that the staffers who log in to this site have somewhat secure passwords. The lengths are not impressive, but most show the recommended mix of letters, numbers, and capitalization and are not based on obvious dictionary words.
I deliver a seminar entitled “Anatomy of an Attack: How Hackers Threaten Your Security,” in which I discuss how SQL injection attacks work and demonstrate an actual attack to show how simple it can be for even someone unskilled to perform this type of reconnaissance. Another point that is often difficult to explain is that there is no such thing as “safe surfing.”
As administrators, we are often our most dangerous users. Time and again, when asked, administrators will say their scariest surfer is an executive, the sales guy, or the mail clerk. The bigger danger is having administrative privilege and not realizing how pervasive the threat on the web is. When the NY Times, Google, and BarackObama.com are hosting malware, there are no safe websites despite the false confidence gained by not surfing porn.
What can you do to avoid becoming the next victim of this type of compromise? One piece of advice I give in “Anatomy of an Attack” is to approach inputs on your website from a whitelisting angle, rather than trying to blacklist every possible way you think someone could enter malicious input. There are many ways to encode SQL commands to bypass filtering, so it is best to only accept characters that should be valid input.
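To make the allowlisting advice concrete, here is an added example (not code from the original post or from any of the sites discussed) that puts a vulnerable string-built lookup beside a hardened one: the hardened version accepts only usernames matching a strict character allowlist and then binds the value as a query parameter, so the database never interprets input as SQL. The user records and the `users` table are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_USERS = [("jsmith", "s3cretP4ss"), ("adoe", "Wint3r2009")]

# Allowlist: a username may contain only letters, digits, dot, underscore and
# hyphen, 3 to 32 characters. Anything else is rejected before SQL is built.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def is_valid_username(name: str) -> bool:
    """Return True only if the name matches the allowlist pattern."""
    return bool(USERNAME_RE.fullmatch(name))


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: concatenation lets the input rewrite the WHERE clause."""
    sql = "SELECT username FROM users WHERE username = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: allowlist check first, then a parameterised query."""
    if not is_valid_username(name):
        return []  # rejected at the input boundary; no SQL is ever built
    cur = conn.execute("SELECT username FROM users WHERE username = ?", (name,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # classic textbook injection string
    print("unsafe:", lookup_unsafe(db, probe))  # returns every user
    print("safe:  ", lookup_safe(db, probe))    # returns nothing
    print("safe:  ", lookup_safe(db, "jsmith"))  # legitimate lookup still works
```

The allowlist alone is not the whole defence; the parameterised query is what guarantees that even an accepted value is treated as data, and the two layers together give the "make the attacker work for it" posture the text recommends.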
Sensitive data should always be encrypted regardless of where it resides. Many companies are beginning to encrypt laptop hard disks, but this is just the beginning. Desktops and servers are as likely as anything else to contain personally identifiable information and should be treated with the same caution as laptops. Sensitive data must be tracked and secure practices applied whether that data is in a database, on a backup tape, or being transported on a USB key or smart phone.
Our recent introduction of DLP into Sophos Anti-Virus helps administrators discover this data when it is being transferred, and can also help identify endpoints that may contain data that needs protection. The extent to which this data is spread throughout your organization may surprise you.
I invite anyone in the Atlanta or Chicago areas to join me for my next two “Anatomy of an Attack” seminars. The presentation is purely informational, and not focused on our products or a sales pitch. In addition to providing information on all the latest threats, who is behind them, and how to defend yourself, I demonstrate some live malware and how criminals are distributing it through the web, giving insight into how you can better defend your networks.
Update: The Tech Herald is reporting that they have spoken to the Democratic National Committee, who deny Obama’s site was hacked. This is not surprising, and I believe it is also incorrect. The usernames all match up with Obama staffers and campaign staff; if the screenshot posted by Unu were mocked up, that would be a lot more work than most scammers would bother with.
Additionally, my wife brought to my attention that several of the passwords are in fact based upon the names of the users and are of far poorer quality than I had originally posted. Just another reason to choose a good password: you never know when someone who stores it insecurely will leak it and potentially make you look quite foolish.
Update 2: Upon doing further research, it would appear the users seen in the screenshot may in fact be related to Roosevelt University. The Tech Herald has updated their post above confirming that information. A source aware of the events has informed me that the barackobama.com site may have been used as a proxy in accessing the Roosevelt University MS Access database. No data collected or used by barackobama.com or the DNC was compromised. By Googling for some of the names shown in the screenshot it is quite easy to confirm that they are associated with Roosevelt University.
The more interesting part is the statement from Blue State Digital that the database that was compromised is not hosted by them. They stated that they do not use Access databases and do not host any content associated with barackobama.com. Whether this is an elaborate hoax or a yet-to-be-found hole that allowed someone to proxy from the Obama site remains to be determined.