

Uh oh, Nokia has been hacked...
The extent of the damage appears limited

Nokia Oyj. (HEL:NOK1V), currently in the midst of trying to push out its Windows Phone 7 products, suffered an embarrassment when its developer website, developers.nokia.com, lost customers' personal information.

The extent of the damage appears limited, according to Nokia.  For most customers, only their email address was lost (so watch out for phishing!).  For an estimated 7 percent of customers "either birth dates, homepage URL or usernames for AIM, ICQ, MSN, Skype or Yahoo" were also lost. More sensitive information, however, like passwords and usernames, was not in the affected database and remains safe.

Nokia writes:

You may have seen reports or received an email from us regarding a recent security breach on this developer.nokia.com/community discussion forum.

During our ongoing investigation of the incident we have discovered that a database table containing developer forum members' email addresses has been accessed, by exploiting a vulnerability in the bulletin board software that allowed an SQL Injection attack. Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger.

The database table records includes members’ email addresses and, for fewer than 7% who chose to include them in their public profile, either birth dates, homepage URL or usernames for AIM, ICQ, MSN, Skype or Yahoo. However, they do not contain sensitive information such as passwords or credit card details and so we do not believe the security of forum members’ accounts is at risk. Other Nokia accounts are not affected.

We are not aware of any misuse of the accessed data, but we are communicating with affected forum members, though we believe the only potential impact to them may be unsolicited email. Nokia apologizes for this incident.

Though the initial vulnerability was addressed immediately, we have now taken the developer community website offline as a precautionary measure, while we conduct further investigations and security assessments. We hope to get the site back online as soon as possible and will post developments here in the meantime.

If you have any questions on this, please contact Nokia.developer-discussions-support@nokia.com.

The Nokia Developer website team.

Nokia is hardly the first major online entity to be hacked by SQL injection, and is unlikely to be the last.  SQL injection (affectionately nicknamed a "Little Bobby Tables" attack by the web-comic XKCD) relies on sending malformed input that is folded into queries against a publicly reachable SQL database, hence "injecting" unauthorized commands.  To succeed the attacker must be able to reach the database (the ability to query it, usually through the web application in front of it) and the application or database engine must lack code that properly handles such malformed queries.

SQL injection attacks are very preventable -- either by denying public access to the database and/or by properly coding the queries your application sends to it.  However, recent years have seen countless SQL injection attacks.  In 2009 Kaspersky and the Australian federal police were both hacked via SQL injection.  In 2010 The Pirate Bay was hacked via SQL injection.  This year hackers employed the method to penetrate several databases [1][2][3] of Japanese electronics giant Sony Corp. (TYO:6758).

Thus far Anonymous and other familiar "hacktivists" have not claimed responsibility for the attack.  It is unknown why the hacker(s) responsible targeted the Finnish phone maker.




Confusing
By BugblatterIII on 8/29/2011 12:39:38 PM , Rating: 3
quote:
To succeed the attacker must gain physical access to the database (the ability to query it) and the database engine must lack more advanced code to handle malformed queries.


Bit woolly there. It's generally done through a website, almost all of which need access to their database, be it direct or indirect.

If a developer queries the database in an insecure way that's when they're vulnerable to SQL injection.

Say for example the developer builds his query string like so:

// Vulnerable: the textbox contents are concatenated straight into the SQL text
string sql = "Select * from Customers where Name = '" + txtCustomerName.Text + "'";

Someone could type something like 'GO *Do bad things* GO' in that txtCustomerName textbox and the stuff between the 'GO' commands would get executed, with the same permission level as the website has.

Even worse is if the developer displays the results of the query blindly; very easy way to extract pretty much any data you like that way.

Using .Net the best way to avoid the vulnerability is firstly to not give the websites any table-level permissions at all (only allow it to execute the specific Stored Procedures it needs) and secondly ensure that you only ever use parameterised queries, i.e. never build up a SQL string and execute it. Ideally this would be enforced by having a Data Access Layer that only allows the execution of Stored Procedures and also only allows parameterised calls.

If you do that then you're protected; ADO.NET automatically protects against SQL injection for parameterised queries.

Of course there are dozens of other ways in, but they mostly require a little more skill and are generally less intensely embarrassing to be compromised by.

The more developers that know how to protect against these things the better. If someone has more information than I've given here I'll be interested to increase my knowledge.
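An added example (not code from the article or the commenter) showing the two points made above: the concatenated Customers query from the comment beside its parameterised form, run against a constructed in-memory SQLite table so the difference in behaviour can be observed directly. Table and row values are made up for the demonstration.

```python
import sqlite3

# Constructed sample data, not Nokia's schema: a Customers table like the one
# in the comment above.
CUSTOMERS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Name TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the user's text is concatenated straight into the SQL, so
    quote characters in it become part of the query's grammar."""
    sql = "SELECT Name, Email FROM Customers WHERE Name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: a parameterised query. The driver sends the text as a bound
    value, so it can never change the shape of the statement."""
    sql = "SELECT Name, Email FROM Customers WHERE Name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input; returns (unsafe_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_unsafe(conn, name), lookup_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign name behaves the same either way.
    print(compare("alice"))
    # A name containing a quote turns the concatenated query into a tautology
    # (WHERE Name = '' OR '1'='1'), which dumps every row; the parameterised
    # query treats the whole string as a name and correctly matches nothing.
    print(compare("' OR '1'='1"))
```

The same contrast holds for ADO.NET's SqlParameter, or any other driver that binds values separately from the statement text.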




RE: Confusing
By W00dmann on 8/29/2011 3:48:52 PM , Rating: 2
Thanks for this post BugblatterIII; as someone who is not in any way a software developer, it helped me better understand the underlying issue.

PS. - if you are Bugblatter the 3rd, is this to say your father's first name was also Bugblatter, in addition to your grandfather?


Copyright 2014 DailyTech LLC.