Wilders Security Forums  

  #1  
Old February 19th, 2009, 05:11 PM
Cavs1 Cavs1 is offline
Infrequent Poster
 
Join Date: Feb 2009
Posts: 4
Default Symantec secure website hacked by SQL injection!!!!

Source: http://hackersblog.org/2009/02/18/em...sql-injection/

Quote:
An unsecure parameter in the ddc section (Document Download Centre - The Norton Resource Centre for Resellers), being vulnerable to sql injection, permits access to their databases. The irony of the situation is that it’s done on https, on a login page, a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY. What can I say: nice advertising, an sql injection in the page that promotes those products.


my point for debate is this: if big guys like Symantec or F-Secure and Kaspersky can't secure their sites, then what chance does any small business owner or online retailer have to secure their payment system and customer data?

also, is it actually possible to design a website to be completely resilient to attacks like this especially when it has probably been put together by many different people

p.s be easy on me, new poster
  #2  
Old February 19th, 2009, 11:30 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: Symantec secure website hacked by SQL injection!!!!

Two things: 1. The larger corporations often have the worst security due to either lack of funding going into it or just plain lack of oversight. 2. Corporations as big as Norton have a bigger bullseye painted on their back because of the bigger payday attackers can receive both financially and in "bragging rights". Smaller businesses don't have as much of a problem because of this.

To answer the last question, you can't foolproof a website or anything else, because there is always someone out there working on the next method of attack. The best you can hope for is temporary safety.
  #3  
Old February 19th, 2009, 11:49 PM
ambient_88 ambient_88 is offline
Frequent Poster
 
Join Date: Jun 2008
Posts: 845
Default Re: Symantec secure website hacked by SQL injection!!!!

Quote:
Originally Posted by Cavs1
Source: http://hackersblog.org/2009/02/18/em...sql-injection/




my point for debate is this: if big guys like Symantec or F-Secure and Kaspersky can't secure their sites, then what chance does any small business owner or online retailer have to secure their payment system and customer data?

also, is it actually possible to design a website to be completely resilient to attacks like this especially when it has probably been put together by many different people

p.s be easy on me, new poster

Keep in mind that most security companies, especially the big ones, use a custom CMS (Content Management System) to manage their websites. These solutions are often coded by third-party developers that specialize in custom applications. Also, because of their proprietary nature, the developers really are the only ones who can check for bugs/vulnerabilities because the source code is NOT publicly available.
__________________
Windows 8 Enterprise 64-bit

Windows Defender | Hitman Pro | MBAM Pro | Macrium Reflect

Last edited by ambient_88 : February 20th, 2009 at 11:14 PM.
  #4  
Old February 20th, 2009, 12:41 AM
Arin's Avatar
Arin Arin is offline
Frequent Poster
 
Join Date: May 2004
Location: India
Posts: 997
Default Re: Symantec secure website hacked by SQL injection!!!!

Symantec's response on Unu's blog pours cold water on his claim.

"We would like to provide you with an update on the vulnerability reported yesterday, on hackersblog.org, for the emea.symantec.com website. Upon thorough investigation, we have determined that the Blind SQL Injection is, in fact, not effective. The difference in response between valid and injected queries exists because of inconsistent exception handling routine for language options.

Thanks again for notifying us of the issue. We will have the modified page up again soon with better exception handling."
__________________
If it was so, it might be; and if it were so, it would be; but as it isn't, it ain't. That's logic. ~ Twiddledee
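
The kind of response difference Symantec's statement describes, as an added example that is not part of the thread and not Symantec's code: a hypothetical language-option handler whose query is parameterized but whose error paths differ by input, beside a version with an allow-list and a single fallback. The table, handler names and probe values are constructed for illustration.

```python
import sqlite3

SUPPORTED = {"en", "de", "fr"}        # constructed allow-list of language options
PROBES = ["en", "xx", "en'", "en 1"]  # constructed request values

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (lang TEXT, title TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?)",
                     [("en", "Reseller guide"), ("de", "Handbuch"),
                      ("fr", "Guide revendeur")])
    return conn

def titles(conn, lang):
    # Bound parameter: lang is passed as data and never becomes SQL text.
    rows = conn.execute("SELECT title FROM docs WHERE lang = ?", (lang,))
    return [row[0] for row in rows]

def handler_inconsistent(conn, lang):
    # The query is safe, but three input shapes give three different responses.
    try:
        if not lang.isalpha():
            raise ValueError("bad language option")
        found = titles(conn, lang)
        return (200, "\n".join(found)) if found else (200, "No documents")
    except ValueError as exc:
        return 500, f"Error: {exc}"

def handler_uniform(conn, lang):
    # Anything outside the allow-list falls back to one default language.
    if lang not in SUPPORTED:
        lang = "en"
    return 200, "\n".join(titles(conn, lang))

def distinct_responses(handler, conn, inputs):
    # What an outside tester can observe: the set of (status, body) pairs.
    return {handler(conn, value) for value in inputs}

if __name__ == "__main__":
    db = make_db()
    for h in (handler_inconsistent, handler_uniform):
        print(h.__name__, len(distinct_responses(h, db, PROBES)))
```

Comparing the number of distinct responses per handler is also a quick regression check that malformed option values no longer change what the page returns.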
  #5  
Old February 20th, 2009, 12:53 AM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: Symantec secure website hacked by SQL injection!!!!

Quote:
Originally Posted by AMRX
Symantec's response on Unu's blog pours cold water on his claim.

"We would like to provide you with an update on the vulnerability reported yesterday, on hackersblog.org, for the emea.symantec.com website. Upon thorough investigation, we have determined that the Blind SQL Injection is, in fact, not effective. The difference in response between valid and injected queries exists because of inconsistent exception handling routine for language options.

Thanks again for notifying us of the issue. We will have the modified page up again soon with better exception handling."

That's an expected response, any serious company is going to do PR damage control.
  #6  
Old February 20th, 2009, 02:05 AM
tipo's Avatar
tipo tipo is offline
Frequent Poster
 
Join Date: Dec 2008
Location: romania
Posts: 403
Default Re: Symantec secure website hacked by SQL injection!!!!

Quote:
Originally Posted by Cavs1
Source: http://hackersblog.org/2009/02/18/em...sql-injection/




my point for debate is this: if big guys like Symantec or F-Secure and Kaspersky can't secure their sites, then what chance does any small business owner or online retailer have to secure their payment system and customer data?

also, is it actually possible to design a website to be completely resilient to attacks like this especially when it has probably been put together by many different people

p.s be easy on me, new poster

I've read that Kaspersky's site was hacked, Bitdefender's site too and now Norton... if their sites are being hacked I'm afraid to think what are we (simple users) exposed to...
__________________
switching from one AV to another very often
Rollback RX
On demand: HitMan Pro
  #7  
Old February 20th, 2009, 08:55 PM
steve1955's Avatar
steve1955 steve1955 is offline
Very Frequent Poster
 
Join Date: Feb 2004
Location: Sunny(in my dreams)Manchester,England
Posts: 1,235
Default Re: Symantec secure website hacked by SQL injection!!!!

It seems to me that no matter what the response from the company that has been attacked it will always be regarded as lies designed to limit damage even if the hackers have not done what they have claimed.
We all know nothing is 100% foolproof and that includes security on even the most secure sites; they are only secure until someone figures out how to circumvent the measures employed.
The problem is that these hackers make bold claims way beyond what they have actually been able to achieve because they are after some kind of fame (notoriety) within the circle they move.
__________________
The part of a computer that causes most problems is the bit that holds the mouse!
  #8  
Old February 20th, 2009, 11:21 PM
ambient_88 ambient_88 is offline
Frequent Poster
 
Join Date: Jun 2008
Posts: 845
Default Re: Symantec secure website hacked by SQL injection!!!!

Quote:
Originally Posted by tipo
I've read that Kaspersky's site was hacked, Bitdefender's site too and now Norton... if their sites are being hacked I'm afraid to think what are we (simple users) exposed to...

A lot of times, hackers are able to get past a company's defenses because of some vulnerability in their systems (websites/database are the usual culprit). Theoretically, a hacker could hack into a home user's system, but I take it the system would have to be vulnerable to some sort of attack (i.e. unpatched, infested with malware, etc). In any case, hackers usually don't hack into a home user's computer since they really won't get anything; if they want to steal information, a trojan/backdoor could do that for them automatically (assuming it is installed).
__________________
Windows 8 Enterprise 64-bit

Windows Defender | Hitman Pro | MBAM Pro | Macrium Reflect
 
