Database Security Digest – December 2016
By tradition, we introduce you to the most significant information security incidents that took place in December.

New information has emerged about the infamous hack of the Yahoo! Mail service, the email service of the world's second most popular search engine. The number of stolen user accounts is now put at 1 billion. The hacker (allegedly a nation-state operative linked to the 2014 breach) gained access to proprietary Yahoo code in order to forge cookies.

A hack of an unnamed Russian bank has been reported. There is not much public information about the incident so far; we only know that the intruders stole about $1.4 million by compromising the core banking system.

The video sharing website Dailymotion has suffered a data breach. 82.5 million user accounts are compromised, including user IDs, emails, and hashed passwords. The passwords are protected with the bcrypt algorithm, which determined attackers can nevertheless defeat.

The fitness firm PayAsUGym has been hacked, compromising the personal details of 300,000 customers. The firm claims that passwords were encrypted, but it actually used the discredited MD5 algorithm with unsalted hashes. Another example of an irresponsible attitude toward security matters.
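The contrast the PayAsUGym paragraph draws, as an added Python example (not code from the digest or from the firm): the unsalted MD5 scheme beside a salted, deliberately slow PBKDF2-HMAC-SHA256 hash, plus the common migration pattern of re-hashing a legacy record at the user's next successful login. The iteration count, the record format and the sample account store are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption: iteration count in line with current guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def legacy_md5(password: str) -> str:
    """The discredited scheme: one fast, unsalted MD5 digest per password.
    Two users with the same password get the same hash, and every hash is a
    single lookup in a precomputed MD5 table."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Constructed record format:
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def upgrade_on_login(store: Dict[str, str], username: str, password: str) -> bool:
    """Verify against whatever the record holds. A legacy unsalted MD5 record is
    replaced with a salted PBKDF2 record only after a successful login, because
    the plaintext is needed to re-hash and is only available at that moment."""
    record = store[username]
    if record.startswith("pbkdf2_sha256$"):
        return verify_password(password, record)
    if not hmac.compare_digest(legacy_md5(password), record):
        return False
    store[username] = hash_password(password)
    return True


def build_sample_store() -> Dict[str, str]:
    """Constructed sample data: two legacy MD5 records that share a password,
    and one record already stored with the salted scheme."""
    return {
        "alice": legacy_md5("Winter2016!"),
        "bob": legacy_md5("Winter2016!"),
        "carol": hash_password("hunter2"),
    }
```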

The well-known hacker/pentester Kaputskiy has breached the website of the National Assembly of Ecuador and leaked some of its data. Earlier this month Kaputskiy and his friend Kasimierz L hacked the official website of the Argentinian Ministry of Industry. Both attacks were performed by exploiting an SQL injection vulnerability.

A major cyber-attack has been carried out against the German steel giant ThyssenKrupp, aimed at stealing technological know-how and research. Early detection of the attack helped prevent more serious consequences. The investigation is ongoing.

Database Security

Below are the vulnerabilities that were found in December.

Oracle

CVE-2016-9013

In versions of Django before 1.8.16, 1.9.11, and 1.10.3, a hardcoded password is used for the temporary database user created when running tests against an Oracle database. This makes it easier for a remote attacker to gain access to the database server when no password has been manually specified in the TEST dictionary of the database settings.