Today Eircom released an announcement where they say that the details of up to 8,404 users of its Studyhub service are at risk following a breach of the Studyhub server. Users of the service have been notified and advised to change their password. The breach has also impacted another 2,500 users of the service who were not Eircom customers, and StudyHub has taken the step of notifying all 20,000 of its users of the breach and recommending that they too change their passwords. Eircom have contacted the Gardai and also notified the Data Protection Commissioner’s office about the breach.
According to an article in TheJournal.ie, “It’s believed the breach took the form of an SQL attack, in which a bogus query is sent to the website to extract information”, which is most likely the result of an SQL Injection attack.
If this breach is the result of an SQL Injection attack then it is disappointing as this attack vector has been known about for many years and indeed has been the source of many other well publicised breaches.
If you are responsible for a website hosting applications you should look at resources such as the OWASP Top Ten list for ways to address these types of attack. Other resources to look at include the SANS Top 25 Programming Errors and the SAFECode initiative.
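As an added illustration, not code from the article or from Eircom or Studyhub, the following Python/sqlite3 snippet shows the defect behind a “bogus query” attack beside the parameterised form that the OWASP guidance recommends. The table, the two user rows and the bogus input are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed in-memory table with hypothetical rows; not real Studyhub data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "hash-a"),
        ("bob", "bob@example.com", "hash-b"),
    ])
    return conn

def lookup_vulnerable(conn, username):
    # String concatenation: the user-supplied value becomes part of the SQL text,
    # so a crafted value can change the query's logic instead of being matched as data.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Parameterised query: the driver passes the value separately from the statement,
    # so it can only ever match (or fail to match) a username.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# A tautology-style bogus value of the kind described in OWASP's SQL injection material.
BOGUS = "x' OR '1'='1"

def demo():
    # Returns how many rows each lookup hands back for the same bogus input.
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, BOGUS)),  # every row leaks
        "safe": len(lookup_safe(conn, BOGUS)),              # no such user: nothing
    }

if __name__ == "__main__":
    print(demo())
```

The parameterised lookup is the fix; a database account restricted to the tables and operations the application actually needs limits what any remaining injection bug can extract.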
This is the second major breach experienced by Eircom customers in the past few months. The last breach was the loss of a number of unencrypted laptops affecting over 6,000 customers.
SiliconRepublic.com published a piece today in which Eircom say that the attacks they suffered earlier this month were due to a “‘moderate attack’ known as cache poisoning” against their DNS servers. Eircom also state that they have not seen any “further attempts at cache poisoning since last week”.
DNS cache poisoning is where attackers attempt to change DNS entries in order to redirect users to sites other than the ones they intended to visit. So, for example, a criminal could poison the cache on a server to send customers wishing to access their online bank to a fake site impersonating that bank, in order for the criminal to capture the users’ financial details. A good explanation of how DNS poisoning works can be found here, and there is also a slide-show available here explaining DNS cache poisoning and some ways to protect against it.
While it is good news to hear that Eircom appear to have dealt with these attacks, it is extremely worrying to think that the DNS servers of the country’s largest ISP were vulnerable to this attack. Justin Mason speculates on his blog that the attacks were due to the DNS cache poisoning vulnerability discovered by Dan Kaminsky last year. If this is the case then Eircom need to hang their heads in shame and conduct an urgent review of their security processes and procedures, in particular their vulnerability, patch and incident management processes.
After the patch for the Dan Kaminsky vulnerability was released last year I blogged that there were at least 16 ISPs that had not applied the patch. If Eircom was one of those, I certainly hope the other fifteen have gotten their act together.
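To make the poisoning description above and the point of the Kaminsky patch concrete, here is an added Python model of the checks a caching resolver applies before a reply is allowed into its cache. It is not Eircom's software or any real resolver's code; the server addresses, names and replies are constructed, and the toy keeps only the fields that matter (transaction ID, UDP port, question, and the bailiwick rule for answer records).

```python
import secrets
from dataclasses import dataclass

@dataclass
class PendingQuery:
    qname: str
    txid: int        # 16-bit DNS transaction ID chosen by the resolver
    src_port: int    # UDP source port the query went out from
    server: str      # address of the authoritative server queried

@dataclass
class Response:
    qname: str
    txid: int
    dst_port: int    # port the reply arrived on
    from_server: str # source address of the reply (unauthenticated on UDP)
    answers: list    # list of (name, rdata) tuples

def in_bailiwick(name, zone):
    # A server for `zone` may only vouch for names inside that zone.
    return name == zone or name.endswith("." + zone)

def send_query(qname, server, randomize_port=True):
    # Post-patch resolvers randomise both the TXID and the source port, so an
    # off-path forger must match roughly 32 bits; a fixed port leaves only 16.
    port = secrets.randbelow(65535 - 1024) + 1024 if randomize_port else 53
    return PendingQuery(qname, secrets.randbelow(65536), port, server)

def accept_response(pending, resp, zone):
    """Return (accepted, reason). Only accepted answers may enter the cache."""
    if resp.from_server != pending.server:
        return False, "response from unexpected server"
    if resp.dst_port != pending.src_port:
        return False, "port mismatch"
    if resp.txid != pending.txid:
        return False, "transaction id mismatch"
    if resp.qname != pending.qname:
        return False, "question mismatch"
    for name, _ in resp.answers:
        if not in_bailiwick(name, zone):
            return False, "out-of-bailiwick record for " + name
    return True, "ok"

ZONE = "example.org"
AUTH = "198.51.100.1"   # constructed server address

def demo():
    pending = send_query("www.example.org", AUTH)
    genuine = Response("www.example.org", pending.txid, pending.src_port, AUTH,
                       [("www.example.org", "203.0.113.10")])
    # Constructed forged reply: TXID happens to match, port does not.
    wrong_port = Response("www.example.org", pending.txid, 53, AUTH,
                          [("www.example.org", "203.0.113.66")])
    # Constructed reply that is otherwise valid but carries a record for a
    # name this server is not authoritative for; the bailiwick rule drops it.
    smuggled = Response("www.example.org", pending.txid, pending.src_port, AUTH,
                        [("www.example.org", "203.0.113.10"),
                         ("bank.example.com", "203.0.113.66")])
    # Unpatched behaviour: with a fixed source port the TXID is the only guard.
    fixed = send_query("www.example.org", AUTH, randomize_port=False)
    fixed_guess = Response("www.example.org", fixed.txid, 53, AUTH,
                           [("www.example.org", "203.0.113.66")])
    return {
        "genuine": accept_response(pending, genuine, ZONE),
        "wrong_port": accept_response(pending, wrong_port, ZONE),
        "smuggled": accept_response(pending, smuggled, ZONE),
        "fixed_port": accept_response(fixed, fixed_guess, ZONE),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The `fixed_port` case is what the Kaminsky patch closed: once the source port is randomised the same forged reply fails the port check even when its transaction ID matches. The source-address comparison is kept because resolvers do it, but on UDP it provides little on its own; DNSSEC validation is the only check here that authenticates the data rather than the packet.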
The Irish Times published a piece in their edition on Saturday the 18th of July regarding this incident. The article, titled “Who’s Behind the Eircom Sabotage?”, includes quotations from Justin Mason and myself.