Nokia Developer Forum Breached, Defaced With Homer Simpson Picture
Mirroring a spate of hacks over the last several months, attackers managed to infiltrate a Nokia developer forum database and expose a slew of personal information, including names, birthdates, e-mail and IM addresses and usernames for AIM, ICQ, MSN, Skype and Yahoo accounts.
The hackers then left a calling card by defacing the Nokia developer Web site with a redirect that led visitors to a picture of Homer Simpson hitting his head and uttering his classic “Doh!” The attack was accentuated with a written message that read, “LOL. Worlds number 1 mobile company but not spending a dime for server security! FFS patch you security holes otherwise you will just another antisec victim. No Dumping. No leaking!”
Nokia issued an advisory alerting users to a vulnerability in its developer forum database storing e-mail addresses and other personal information, which enabled hackers to execute a simple SQL injection attack and obtain the personal data of its developers.
“Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger,” Nokia said in its advisory, although it failed to disclose exactly how much information had been compromised.
Nokia said that the table contained developers' e-mail addresses, as well as personal information such as birth dates and homepage URLs, for “fewer than 7 percent” of members “who chose to include them in their public profile.”
Meanwhile, the company said that the developer database did not contain passwords or credit card details. “We do not believe the security of forum members’ accounts is at risk,” Nokia said.
Nokia kept the site offline as a precautionary measure while it launched an investigation, but said that it wasn’t yet aware of any criminal activity surrounding the breach.
“But we are communicating with affected forum members, though we believe the only potential impact to them may be unsolicited e-mail,” Nokia said in its advisory. “Nokia apologizes for this incident.”
The recent Nokia attack parallels other high-profile attacks executed by loose-knit hacker collectives LulzSec and Anonymous against Sony Pictures, San Francisco Bay Area Rapid Transit and NATO, but it’s unclear if the perpetrators were affiliated with either of the global hacker collectives.
“There’s nothing to suggest that this was associated with that group,” said Michael Sutton, vice president of security research at cloud security firm Zscaler.
However, Sutton said that the attack underscores a general lack of focus on basic database and server security best practices, including monitoring for and detecting SQL injection vulnerabilities.
“With any of these types of breaches, it really boils down to properly validating input. That’s why we see 15 percent of organizations have SQL injection vulnerabilities,” Sutton said, adding that even with a recent groundswell of software developers in the industry, security often remains a low priority.
“We’ve always struggled with educating developers on security matters. Now all of a sudden, everyone’s a developer, and now that problem has grown exponentially,” he said. “It illustrates the issue that it’s very easy to create a Web application today. It’s not easy to properly secure that application.”
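Sutton's point about input handling can be shown on a profile lookup like the one a forum database would serve. This is an added illustration written for this article, not Nokia's code: the member table, names and the lookup functions are all constructed, and the only difference between the two lookups is whether the username reaches the database as spliced-in SQL text or as a bound parameter.

```python
import sqlite3

# Constructed sample data standing in for a forum member profile table
# (the usernames and addresses are invented for this example).
MEMBERS = [
    (1, "alice", "alice@example.com", "1980-01-02"),
    (2, "bob", "bob@example.com", "1985-03-04"),
    (3, "carol", "carol@example.com", "1990-05-06"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample members."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER, username TEXT, email TEXT, birthdate TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable form: the username is spliced into the SQL string, so a
    quote character in the input changes the structure of the query instead
    of being treated as part of the value being compared."""
    sql = "SELECT username, email FROM members WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: the username travels as a bound parameter. The SQL text
    is fixed, and the driver compares the input only as a value, so no input
    can widen the query beyond the single intended row."""
    sql = "SELECT username, email FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "x' OR '1'='1"):
        print(repr(name), "unsafe ->", len(lookup_unsafe(db, name)),
              "rows; safe ->", len(lookup_safe(db, name)), "rows")
```

For a well-formed username both lookups return one row; for the malformed input the spliced query returns the whole table while the parameterized query returns nothing, which is the behaviour a code review or a test suite should check for.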