
F-Secure latest security vendor hacked

By Robert Westervelt, News Editor
11 Feb 2009 | SearchSecurity.com

Security Wire Daily News

The website of security vendor F-Secure Corp. is the latest victim in a series of SQL injection attacks targeting security firms.

A Romanian hacker has detailed the latest SQL injection attack in a posting on the hackersblog.org forum. The anonymous hacker said he viewed some statistics regarding past virus activity after exploiting coding errors on the Helsinki, Finland-based antivirus vendor's website. The hacker said the website was vulnerable to both SQL injection and cross-site scripting attacks.

The hacker posted screenshots of the SQL Server information and database table names.

David Frazer, director of technology services for F-Secure's North American division, confirmed the breach late Wednesday. Frazer said the breached database server was considered extremely low level and contained virus statistical information. Members of the F-Secure IT team have pulled the server down to investigate, he said.

"It was not even part of our critical infrastructure, nonetheless we're considerably embarrassed," he said. "As a security company it's still something that we should make sure is patched and up to date."

Frazer said the IT team is fairly certain that no other systems had been breached.
Kaspersky website hacked, customer activation codes exposed: Customer email addresses and up to 25,000 activation codes were exposed on a server for 10 days, the antivirus vendor said.

It is the second time in recent days that an antivirus vendor was the target of an attack. A Romanian hacker detailed a similar successful SQL injection attack against a Kaspersky Lab support website on Saturday, exposing a server containing thousands of customer email addresses and up to 25,000 activation codes.

The attack took place Feb. 7, but the information was exposed 10 days prior to the attack. The Russia-based antivirus company responded by hiring high-profile database security expert David Litchfield to conduct an independent audit of its systems.

The hacker also claimed to have exploited a vulnerability in a partner website associated with BitDefender.


Editor's Note: Story updated with F-Secure comments
