Comodo Brazil Hit With Sql-injected Attack

ComodoBR (www.comodobr.com), a Brazilian subsidiary of the security certificate authority Comodo, has suffered a security breach in the form of an SQL injection that allowed hackers to access its private database.

In an SQL injection attack, fragments of database queries are inserted into a website's input, often masquerading as a comment or as text in one of the fields on a form. When the form is submitted, if the website doesn't handle the text properly (treating it as data rather than as part of the query), the malicious queries execute on the database and their results are returned to the attacker.
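The following added example (not code from the article or from ComodoBR) shows the mechanism against a constructed in-memory table: a lookup that pastes a form field into the SQL text beside the parameterised version of the same lookup. Table, column and customer names are invented for the demonstration.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for a customer
# database. Every name and value here is invented for this example.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_no TEXT, customer TEXT, domain TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [("1001", "alice", "alice.example"),
         ("1002", "bob", "bob.example"),
         ("1003", "carol", "carol.example")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, order_no: str) -> list:
    # The form field is spliced straight into the SQL text, so a quote
    # character in the input changes the structure of the query itself.
    sql = f"SELECT customer, domain FROM orders WHERE order_no = '{order_no}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, order_no: str) -> list:
    # Parameterised query: the input is bound as a value and is never parsed
    # as SQL, whatever characters it contains.
    sql = "SELECT customer, domain FROM orders WHERE order_no = ?"
    return conn.execute(sql, (order_no,)).fetchall()

# Constructed hostile form input: the closing quote ends the intended
# comparison and the appended condition is always true.
INJECTED = "x' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print(lookup_vulnerable(conn, "1001"))    # one row, as intended
    print(lookup_vulnerable(conn, INJECTED))  # every row: the whole table leaks
    print(lookup_safe(conn, INJECTED))        # no rows: input treated as data
```

The same contrast applies to any field the site reads into a query; binding parameters (or an ORM that does so) is the fix, not filtering individual characters.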

The hackers exploited a flaw in the website of Comodo Brazil, which allowed them to get hold of a database containing information about certificate authorities and details about their SSL Certificate customers.

According to Softpedia, the certificate authority data consists of names, email addresses, fax and phone numbers, order numbers, certificate requests, private key file names and other details. The SSL certificate customer data also includes names and addresses, domain names, the type of web server they use, serial numbers and more.

A partial dump of the database was published by the hackers on pastebin.com over the weekend, and the released data also appears to contain a number of logins for Comodo employee accounts.

While the certificates themselves don't contain any information that an attacker can potentially abuse, the login credentials belonging to ComodoBR employees remain at risk. Although the passwords were all hashed, they appear to be unsalted MD5 hashes, which have been proven easy to crack.
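As an added illustration (not code from the article), the check below shows why an unsalted MD5 table is weak: identical passwords yield identical digests, so one precomputed lookup cracks every matching account. Beside it is a per-user salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) that removes that property. The user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; not from any breach.
USERS = {"ana": "Passw0rd!", "bruno": "Passw0rd!", "clara": "correct horse"}

def md5_unsalted(password: str) -> str:
    # The scheme the article describes: one fast hash, no salt.
    return hashlib.md5(password.encode()).hexdigest()

def duplicate_hash_groups(table: dict) -> list:
    # Audit check a defender can run over a password table: groups of users
    # sharing a digest mean shared passwords, and one lookup cracks them all.
    seen = {}
    for user, digest in table.items():
        seen.setdefault(digest, []).append(user)
    return [users for users in seen.values() if len(users) > 1]

def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    # Random per-user salt plus a slow, iterated hash; the parameters are
    # stored alongside the digest so verification can reproduce them.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(dk.hex(), dk_hex)

def build_tables() -> tuple:
    weak = {u: md5_unsalted(p) for u, p in USERS.items()}
    strong = {u: pbkdf2_store(p) for u, p in USERS.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_tables()
    print(duplicate_hash_groups(weak))    # [['ana', 'bruno']]: shared password exposed
    print(duplicate_hash_groups(strong))  # []: salts make every digest unique
```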

Melih Abdulhayoglu, CEO of Comodo, confirmed that there was a hack but said it was on a reseller's website and that the original Comodo database was intact. In a statement he said: "So as a summary: it's a fairly common SQL attack on a company in Brazil who sells some of our products. Nothing to report really."

The breach is reminiscent of the more serious attacks on Comodo resellers earlier this year, though its implications are not as damaging, since no certificates were mis-issued. The attack in March, which hit an unnamed Comodo reseller in Southern Europe, allowed the attackers to register fraudulent certificates for high-traffic websites including Google Mail, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.com and Microsoft's login.live.com.

Until browser makers issued security updates, the bogus certificates could have allowed hackers with the capability of waging man-in-the-middle attacks to present valid digital certificates vouching for the authenticity of the sites they were spoofing.

Comodo responded by revoking the signing privileges of all its resellers and implementing a two-factor authentication system for them to use.

Abdulhayoglu said all partners reselling Comodo certificates are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). He didn't name any other security requirements that registration authorities had to comply with.

Participants in the mozilla.dev.security.policy mailing list called the latest incident an egg-on-face moment for the certificate authority. Eddy Nigg, founder, COO and CTO of StartCom and StartSSL, went further, writing on the list that attackers may be able to change content in the database itself, which could actually trigger issuance of a new certificate for a site other than the one that had actually been validated.

If a security company can be attacked with this simple SQL injection method, then general users have a very big reason to fear for their security. This incident highlights the need for better data security systems to prevent data breaches. Companies and organizations that hold sensitive customer data should implement robust information security initiatives, including hiring highly trained information security experts, to avoid cyber crime and security breaches.

IT security professionals can increase their information security knowledge and skills by embarking on advanced and highly technical training programs. EC-Council has launched the Center of Advanced Security Training (CAST), to address the deficiency of technically proficient information security professionals.

Additionally, the all-new EC-Council CAST Summit series has been created to make advanced information security training opportunities available to information security professionals across the globe. It will be an excellent platform for IT security professionals to acquire cutting-edge skills by taking the CAST workshops, or to further enhance their IT security knowledge by attending the one-day seminar.

The 3-day CAST Summit workshops cover current and important security topics such as penetration testing, application security, cryptography, network defense and mobile forensics, and allow participants to actually learn, rather than just listen or be rushed through a short presentation as at many other events and conferences. All of these IT security trainings will be conducted only by appointed EC-Council Master Trainers, some of whom are authors of the respective courses.


About the Author:
EC-Council's CAST was created to address the need for highly technical and advanced IT security training for information security professionals. CAST offers programs that cover important domains such as advanced penetration testing, digital mobile forensics training and web application security.



Article Originally Published On: http://www.articlesnatch.com


Copyright 2005-2011 ArticleSnatch, LLC - All Rights Reserved.