




Well, once again another giant has been hit with a simple SQL injection vulnerability.  This time the victim appears to be Yahoo Voices, formerly known as "Associated Content", which Yahoo purchased and renamed Yahoo Voices.  Before reading further, we strongly suggest that you CHANGE YOUR PASSWORD if you use this service!

read the article here


We get a little complacent about changing our passwords periodically.  While some large institutions enforce a "change your password every XX days" policy, many more just ignore it.  They keep passwords forever because they just do not want to hear people screaming at them "I don't want this" or "I don't think it helps".   It doesn't matter how loudly they scream; changing your passwords periodically is a fundamental keystone of Cyber Security. In some instances people even reuse their usernames or email addresses across everything they touch on the Internet.  Sounds dangerous?  IT IS !! Let me explain why...

Say you use a password of "pa$$w0rd" on all of your accounts.  Banking, GMAIL, YAHOO, credit cards, office, etc., all using the same password.  You never change this password because you just don't want to exercise the grey matter between your ears to come up with a new one.  Then the company behind one of these accounts gets hacked, and your email address or username, together with your password, is now out in public.  Ok, so what, right?

Well, there are services and software packages that can trace all of your footsteps and find out where you frequent: what sites, which locations, and so on that you surf to or use on a regular basis.  A simple search by a "bad guy" finds all of the sites you log into with the same username, email address and password.  NOW they have everything: your bank account, your email access, etc.  All because you listened to the screamers who were too lazy to secure their information by changing their passwords and NOT reusing them across the whole Internet, or who reuse the same email address or username on every site they log into.  Now how do you feel when your boss or contacts get a nasty email from "you", your bank account has just transferred out all of your savings, or all of your credit cards are cancelled because some malicious person decided that YOU didn't need them anymore?


Think this does not happen?  Pull your head out of the sand!!   It happens every day.  This is just one form of Identity Theft: masquerading as you to do whatever they want.


Ok, back to the SQL Injection vulnerability.  How long has this vulnerability been around?  10 years?  More?  Yet some of the simplest vulnerabilities are STILL doing damage out there.  Why?  We add on all sorts of gizmos, doodads and boxes to protect our network.  In some instances all of these technologies CAUSE the problem by accidentally opening a hole.  The more layers you put on, the more chance of an opening occurring. Or worse, multi-vendor solutions do not address everything you need and cause you to miss vulnerabilities or holes because of a false sense of security.  Many people decide it's a waste of time to continue to install Application Security measures OR, even worse, hire in so-called AppSec experts that are never as thorough as they should be.

Maybe 5 years ago this software was checked but never periodically rechecked.  I call it a slice-in-time vulnerability assessment.  By today's standards an application is secure, but tomorrow or in 3 months a new technique is discovered that CAN exploit a vulnerability in code that was once found secure.
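To make concrete what "a simple SQL injection vulnerability" means in code, here is an added example (not code from this post or from Yahoo Voices) showing a login check that builds its query by string concatenation next to the same check written with parameterized queries. The table, the two accounts and the input strings are all constructed for this illustration; the bug in the first function is the pattern the post is talking about, and the second function is the fix an AppSec review should insist on.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "pa$$w0rd"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: user input is pasted straight into the SQL text,
    so quotes in the input change the structure of the statement."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The fix: placeholders keep the statement fixed and the driver sends the
    values separately, so input is only ever compared as data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run the same credentials through both versions and report who each one
    would log in as (None means the login was refused)."""
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    # A legitimate login succeeds in both versions.
    print(compare("alice", "pa$$w0rd"))
    # A quote-breaking "password" turns the vulnerable WHERE clause into a
    # tautology and logs in as the first user; the parameterized version
    # treats the same string as an ordinary (wrong) password and refuses.
    print(compare("nobody", "' OR '1'='1"))
```

The point of the comparison is that the parameterized version does not need to know what the malicious input looks like; it is immune by construction, which is why it keeps working when "a new technique is discovered" later, whereas a blacklist or a one-off review of the concatenated version does not.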

One very important phrase to remember....  The bad guy never sleeps, and whenever one stops for a little bit, more take his place.  THEY NEVER STOP.  So why does your security department stop?  Why do YOU stop changing passwords, or keep reusing email addresses or user names?  Why do YOU continue to make it easy for these sorts of things to happen to you?

Because we are all lazy and in some ways "set" in our ways or habits.  We need to break this and focus on Security, not listen to the screamers.  We need to be diligent and pro-active, not re-active!


Stay safe, stop reusing email addresses as user names and using the same passwords!!  Just remember to periodically change your password, maybe once a month!





© 1997-2024