A major online security breach is affecting millions of people… Sound familiar? Yet again, we are faced with another incident of a massive security breach on the Internet, this time at the hands of Russian hackers stealing usernames and passwords. As reported by most news outlets, a group of hackers associated with Russian organized crime, known as “CyberVor”, is now known to have collected over a billion (yes, that’s with a “b”) usernames and passwords from hundreds of thousands of websites. This is one of the most extensive and potentially damaging hacking incidents to have ever occurred. The good news is that as of now, actual fraudulent use of these stolen credentials has been limited to hijacking social media accounts to send out spam and other mass marketing content. While not as immediately damaging as the recent theft of credit card data from Target (to name just one example), this still represents a potential goldmine of data for the hackers and a deep and troublesome vulnerability found throughout the Internet.
How was this done?
While the sheer scale of the breach is massive, the technical aspects are not that remarkable. The hackers used a fairly old and well-known intrusion method called SQL Injection. Essentially, this involves exploiting a database access vulnerability through the use of standard web forms, such as login pages, search forms, registration forms, or any other type of page where you type something into fields and submit information to a server. The hackers are able to place fragments of SQL into the form fields; when poorly written code pastes that input directly into a database query, the query's meaning changes and the server can be made to return all kinds of data, including usernames and passwords, from the database. While it is easy to protect against SQL Injection attacks these days by simply following coding best practices, there are still a huge number of older and/or unprotected websites out there that remain vulnerable. These are the sites currently being victimized.
How does this affect you?
There are two distinct victims here: those whose credentials have been stolen, and those who own and manage sites that may have been compromised. We’ll start with the latter. The only way to ensure your website is protected against SQL Injection is to confirm that the programming in place has accounted for the vulnerability. If you operate a site running a recent version of a content management system (CMS), you should be safe. SQL Injection has been around for a while, and any web software currently being deployed should have protections built in by default. In the Diagram hosting environment, the majority of sites are run on the Ektron CMS platform. Ektron has been secured against SQL Injection since version 7.5.2. If your site uses any version newer than this, any forms controlled via the CMS should be safe. However, if you have any custom code that accesses the database independently of Ektron, you may need to investigate to ensure you’re protected.
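The two paragraphs above describe the defect (form input pasted into a query) and the fix (code that accounts for it). The following is an added example written for this post, not code from Diagram or from the Ektron platform; it uses Python's built-in sqlite3 module and an in-memory table with constructed rows so it runs anywhere. The "vulnerable" lookup builds the SQL by string concatenation, the "safe" lookup uses a parameterized query, and the probe input is a constructed sample of the kind of text an attacker would type into a form. The same principle applies to the .NET code behind an Ektron site: pass values through SqlParameter objects rather than concatenating them into the query text.

```python
import sqlite3

# Constructed demo table: two users with placeholder password hashes.
DEMO_ROWS = [("alice", "hash-of-alice"), ("bob", "hash-of-bob")]


def build_demo_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", DEMO_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The 'poorly written code' pattern: the form field becomes part of the SQL text.

    Whatever the user typed is interpreted by the database as SQL, so the
    WHERE clause can be rewritten by the input itself.
    """
    sql = "SELECT username, password_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver sends the value separately from the SQL.

    The input is only ever compared as data against the username column; it
    cannot change the structure of the statement.
    """
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the same probe and report how many rows leak."""
    conn = build_demo_db()
    # Constructed probe: a quote that closes the string literal followed by an
    # always-true condition. It is not a valid username.
    probe = "' OR '1'='1"
    return {
        # Concatenation turns the WHERE clause into "username = '' OR '1'='1'",
        # which matches every row, so both accounts come back.
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        # The parameterized query looks for a user literally named "' OR '1'='1".
        "safe_rows": len(lookup_safe(conn, probe)),
        # A genuine username still works through the safe path.
        "safe_legit_rows": len(lookup_safe(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

Reviewing custom code for this defect comes down to finding every place a query string is assembled with `+`, `string.Format`, or an f-string from request data; each of those is a candidate for conversion to a parameterized statement.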
If you are more concerned with your login credentials being stolen, there is only one foolproof way to protect yourself: stay one step ahead of the hackers. Change your username and passwords often, avoid using the same username and password combinations on multiple sites, and avoid patterns that can be easily identified. Even when SQL Injection is not the method, hackers are continually looking for new ways to steal sensitive data, and they are quite skilled at what they do. If you simply use some common-sense measures to continually update your most sensitive data, you will greatly mitigate any risks.
What else is Diagram doing to avoid this?
Every Diagram client running an outdated version of Ektron has long since been contacted and, in almost all cases, has upgraded their software. Any site we build, with or without a CMS backend, is programmed using best practices and protections against SQL Injection and other malicious intrusion methods. However, there is no way for us to ensure that every line of code in your site is protected, especially if we did not program your site. Therefore, we maintain a robust firewall equipped with an Intrusion Detection System (IDS) to sniff out and block attacks such as SQL Injection before they reach the servers.
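To make the IDS idea above concrete, here is an added example of the kind of signature check such a system performs on incoming requests; it is written for this post and is not Diagram's firewall configuration or any vendor's rule set. It parses a few constructed web-server access-log lines (Common Log Format, not real traffic), URL-decodes each query-string parameter, and flags values that contain the classic SQL Injection shapes: an always-true OR comparison, a UNION SELECT, or an SQL comment marker. The three patterns are deliberately simple; production rule sets such as the OWASP ModSecurity Core Rule Set are far broader, and any pattern list like this will produce some false positives on legitimate text, so alerts should be reviewed rather than blocked blindly.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Aug/2014:10:01:12 -0500] "GET /search?q=ektron+hosting HTTP/1.1" 200 5120
203.0.113.9 - - [06/Aug/2014:10:01:15 -0500] "GET /login?user=%27+OR+%271%27%3D%271&pass=x HTTP/1.1" 200 2210
203.0.113.9 - - [06/Aug/2014:10:01:16 -0500] "GET /products?id=7+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 500 310
198.51.100.2 - - [06/Aug/2014:10:02:01 -0500] "GET /blog/it-s-a-fact HTTP/1.1" 200 8900
"""

# Common Log Format: client, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Minimal signature list. Each pattern is applied to the decoded parameter value.
SIGNATURES = [
    # "OR x=x" where both sides are the same token (optionally quoted).
    ("tautology", re.compile(r"(?i)\bor\s+'?(\w+)'?\s*=\s*'?\1'?")),
    # A UNION SELECT appended to an existing query.
    ("union_select", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    # SQL comment markers used to discard the rest of the original statement.
    ("comment", re.compile(r"--|/\*")),
]


def parse_line(line):
    """Split one access-log line into client IP, path, decoded params and status."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes values and turns '+' back into spaces.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "params": params,
        "status": int(m.group("status")),
    }


def scan_params(params):
    """Return (parameter name, signature label) pairs for every matching value."""
    hits = []
    for name, value in params:
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((name, label))
    return hits


def scan_log(text):
    """Run the signatures over every parsable line and collect alerts."""
    alerts = []
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # malformed line; a real IDS would count these separately
        hits = scan_params(record["params"])
        if hits:
            alerts.append({"ip": record["ip"], "path": record["path"],
                           "status": record["status"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Note that a log-based check only sees what the server records; parameters sent in a POST body never appear in a standard access log, which is one reason an inline IDS or web application firewall that inspects the full request is preferable to after-the-fact log scanning.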
Security is always a top concern for Diagram, and we continually strive to ensure that our clients' websites are built and hosted in the most secure and stable environment possible. We will provide future updates on this issue as necessary or as new information arises. If you have any questions in the meantime or want to know how to make sure your site is secure against attacks, please contact us, or feel free to leave a comment below.