• idlethreat
    +6

    Darnit! You beat me to the post! ;)

    I like the analysis of the dump. While it made a number of nebulous assumptions, I thought it was pretty well reasoned. It makes sense that an external threat could care less about things like IP addresses of all the AM servers, floor plans of the offices (wtf?), and actual mysql DB dumps.

    Will be interesting to see where this leads.

    • redalastor
      +4

      What's special about that? A DB dump is the first thing I'd do if I wanted to steal data.

      • douglas77
        +1

        Sure, a dump done with SHOW DATABASES, SHOW TABLES, DESC foo, SELECT FROM foo if you only can do SQL injection, or maybe dump using mysqldump if you find some mysql credentials.

        But logging into the DB-server via ssh as root and copying /var/lib/mysql/? That sounds like an unnecessary amount of work for an attacker (but is easy to do for an insider).

        • redalastor
          +2

          But logging into the DB-server via ssh as root and copying /var/lib/mysql/? That sounds like an unnecessary amount of work for an attacker (but is easy to do for an insider).

          Not really, you only need a privilege escalation exploit. Most companies aren't very diligent in updating their servers and it's not that hard to enter via a known exploit.
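The thread contrasts a dump taken through SQL (SHOW DATABASES, mysqldump) with a raw copy of /var/lib/mysql taken from a root shell. From the defender's side, the second pattern leaves a distinctive trail: an interactive root login followed by something other than mysqld reading the data directory. The script below is an added example, not code from the thread or from any of the commenters. It assumes OpenSSH's default syslog format for logins and an auditd watch such as `-w /var/lib/mysql -p r -k mysql-datadir` so that reads of the directory are tagged with `key="mysql-datadir"`; the log lines, the host name, the uid of the mysql account and the source addresses are all constructed for the example.

```python
"""Flag log events consistent with a raw copy of the MySQL data directory.

Assumptions (not stated in the thread):
  * sshd writes "Accepted <method> for <user> from <src>" lines to syslog;
  * auditd has a watch on the data directory tagged key="mysql-datadir";
  * the mysql service account has uid 112 on this host.
All sample lines below are constructed, not taken from a real system.
"""
import re
from dataclasses import dataclass
from typing import List

MYSQL_UID = 112  # assumed uid of the mysql service account

# Constructed sample input: one benign datadir read by mysqld itself,
# one root ssh login followed by tar reading the datadir, one ordinary login.
SAMPLE_LOGS = [
    'type=SYSCALL msg=audit(1439952500.101:10): syscall=257 success=yes '
    'exe="/usr/sbin/mysqld" uid=112 auid=4294967295 key="mysql-datadir"',
    'Aug 19 02:11:03 db01 sshd[2211]: Accepted publickey for root '
    'from 10.0.5.7 port 51022 ssh2',
    'type=SYSCALL msg=audit(1439952663.412:11): syscall=257 success=yes '
    'exe="/bin/tar" uid=0 auid=1002 key="mysql-datadir"',
    'Aug 19 02:13:10 db01 sshd[2299]: Accepted password for alice '
    'from 10.0.5.9 port 51100 ssh2',
]

# Successful ssh login in OpenSSH's syslog format.
SSH_LOGIN = re.compile(
    r'sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)')

# auditd SYSCALL record produced by the assumed watch on /var/lib/mysql.
AUDIT_DATADIR = re.compile(
    r'exe="(?P<exe>[^"]+)" uid=(?P<uid>\d+) auid=(?P<auid>\d+) '
    r'key="mysql-datadir"')


@dataclass
class Finding:
    rule: str
    detail: str


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that matches a detection rule."""
    findings: List[Finding] = []
    for line in lines:
        m = SSH_LOGIN.search(line)
        if m:
            # Direct root logins over ssh are worth an alert on a DB host.
            if m.group('user') == 'root':
                findings.append(Finding(
                    'root-ssh-login',
                    f"root login from {m.group('src')}"))
            continue
        m = AUDIT_DATADIR.search(line)
        if m and int(m.group('uid')) != MYSQL_UID:
            # Anything but the mysql account reading the raw datadir
            # (tar, cp, scp, rsync, ...) is the raw-copy pattern.
            findings.append(Finding(
                'datadir-read-by-non-mysql',
                f"{m.group('exe')} uid={m.group('uid')} "
                f"auid={m.group('auid')}"))
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOGS):
        print(f"{f.rule}: {f.detail}")
```

Run against the constructed lines it reports the root login and the tar read of the data directory while staying silent on mysqld's own reads and on the ordinary user login. The `auid` field is the useful part of the audit record: it survives `sudo`/`su`, so it names the account that originally logged in even when the read happens as uid 0.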