Softpedia
 


April 12th, 2011, 14:21 GMT · By

Web Security Company's Website Hacked

Barracuda Networks website compromised through SQL injection
A group of hackers has managed to break into the website of Web security firm Barracuda Networks and extract confidential information from its database.

California-based Barracuda Networks specializes in email, Web and messaging security solutions. It sells firewall, filtering, archiving, backup, load balancing and other appliances and services.

The attack against its website was performed by a group of Malaysian grey hat hackers called HMSec, who also published the extracted data online.

The attack method used was SQL injection, which exploits a common but dangerous type of Web vulnerability that gives attackers access to the underlying database.

The hackers published the database schema, as well as the email addresses and hashed passwords of the company's employees and partners.

The password hashes appear to have been generated with MD5, a crackable algorithm; however, a method known as "salting" was used to secure them.

The company acknowledged the compromise and said the attack was performed during a short period of firewall inactivity.

"The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8) after close of business Pacific time," Barracuda's executive vice president and chief marketing officer, Michael Perone, told the Tech Herald.

Mr. Perone also revealed that hackers used an automated tool to locate the SQL injection vulnerability in a PHP script that served customer case studies.

"As with many ancillary scripts common to Web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees," Perone explained.
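The failure described above (an injectable ancillary script that shares a database with lead data) and its fix, as an added example that is not from the article or from Barracuda. Python with SQLite stands in for the PHP script and its database; the table names, rows and input string are constructed assumptions.

```python
import sqlite3

def make_db(with_leads):
    """Constructed stand-in for the site's database (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE case_studies (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO case_studies VALUES (1, 'Constructed case study')")
    if with_leads:  # shared layout: marketing leads live beside the case studies
        db.execute("CREATE TABLE leads (id INTEGER PRIMARY KEY, email TEXT)")
        db.execute("INSERT INTO leads VALUES (1, 'lead@example.test')")
    return db

def lookup_vulnerable(db, study_id):
    # Request input is concatenated into the statement, so it is parsed as SQL.
    sql = "SELECT title FROM case_studies WHERE id = " + study_id
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, study_id):
    # Accept only a short ASCII integer, then bind it as a parameter so the
    # value can never change the shape of the statement.
    if not (study_id.isascii() and study_id.isdigit() and len(study_id) <= 9):
        return []
    sql = "SELECT title FROM case_studies WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(study_id),))]

def contained(db, study_id):
    # True when the database itself refuses the statement (no lead data to reach).
    try:
        lookup_vulnerable(db, study_id)
    except sqlite3.OperationalError:
        return True
    return False

CONSTRUCTED_INPUT = "0 UNION SELECT email FROM leads"  # constructed test string

if __name__ == "__main__":
    shared, isolated = make_db(True), make_db(False)
    print(lookup_vulnerable(shared, CONSTRUCTED_INPUT))  # lead data leaks
    print(lookup_hardened(shared, CONSTRUCTED_INPUT))    # rejected before the query
    print(lookup_hardened(shared, "1"))                  # normal request still works
    print(contained(isolated, CONSTRUCTED_INPUT))        # separation limits the damage
```

Parameter binding removes the injection itself; keeping ancillary content in a database that holds no lead or account data limits what any remaining flaw can reach.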

In the end the impact was not very serious, but having something like this happen to a company that sells Web security solutions is clearly detrimental to both its own image and that of its products.

Nevertheless, Barracuda is not the first security vendor to deal with a compromise. Just last month, reputed security firm RSA Security revealed that hackers managed to steal information about its widely used two-factor authentication technology after infecting its systems with malware.
