Symantec secure website hacked by SQL injection!!!!

Discussion in 'other security issues & news' started by Cavs1, Feb 19, 2009.

Thread Status:
Not open for further replies.
  1. Cavs1

    Cavs1 Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    4
    Source: http://hackersblog.org/2009/02/18/emeasymanteccom-vulnerabil-la-blind-sql-injection/


    my point for debate is this: if big guys like symantec or f secure and kaspersky can't secure their sites, then what chance does any small business owner or online retailer have to secure their payment system and customer data?

    also, is it actually possible to design a website to be completely resilient to attacks like this especially when it has probably been put together by many different people?

    p.s be easy on me, new poster :D
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Two things: 1. The larger corporations often have the worst security due to either lack of funding going into it or just plain lack of oversight. 2. Corporations as big as Norton have a bigger bullseye painted on their back because of the bigger payday attackers can receive both financially and in "bragging rights". Smaller businesses don't have as much of a problem because of this.

    To answer the last question, you can't foolproof a website or anything else, because there is always someone out there working on the next method of attack. The best you can hope for is temporary safety.
     
  3. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    Keep in mind that most security companies, especially the big ones, use a custom CMS (Content Management System) to manage their websites. These solutions are often coded by third-party developers that specialize in custom applications. Also, because of their proprietary nature, the developers really are the only ones who can check for bugs/vulnerabilities because the source code is NOT publicly available.
     
    Last edited: Feb 20, 2009
  4. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Symantec's response on Unu's blog pours cold water on his claim.

    "We would like to provide you with an update on the vulnerability reported yesterday, on hackersblog.org, for the emea.symantec.com website. Upon thorough investigation, we have determined that the Blind SQL Injection is, in fact, not effective. The difference in response between valid and injected queries exists because of inconsistent exception handling routine for language options.

    Thanks again for notifying us of the issue. We will have the modified page up again soon with better exception handling."
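
Added example (not part of the thread, and not Symantec's code): one way a page can answer differently to well-formed and malformed language values without any injection, because its error paths are inconsistent, next to a handler that answers uniformly. The table, handler names and input values are constructed for illustration.

```python
import sqlite3

# Constructed data: a tiny content table keyed by language code.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE pages (lang TEXT PRIMARY KEY, body TEXT)")
db.executemany("INSERT INTO pages VALUES (?, ?)",
               [("en", "Welcome"), ("de", "Willkommen")])

def lookup(lang):
    # Bound parameter: the value is compared as data, never parsed as SQL.
    row = db.execute("SELECT body FROM pages WHERE lang = ?", (lang,)).fetchone()
    return row[0] if row else None

def handler_inconsistent(lang):
    """Hypothetical handler whose error paths differ by input shape."""
    try:
        if len(lang) != 2:
            raise ValueError("bad language code")  # malformed: exception path
        body = lookup(lang)
        if body is None:
            return (200, lookup("en"))             # unknown: silent fallback
        return (200, body)
    except ValueError:
        return (500, "Internal error")             # visibly different response

def handler_consistent(lang):
    """Same lookup, one outcome for every unsupported value."""
    body = lookup(lang) if isinstance(lang, str) and len(lang) == 2 else None
    return (200, body if body is not None else lookup("en"))

def distinct_responses(handler, values):
    # Regression check: how many different responses do bad inputs produce?
    return len({handler(v) for v in values})

# Constructed unsupported inputs, including one containing a quote character.
BAD_INPUTS = ["zz", "en'", "english", ""]

if __name__ == "__main__":
    print(distinct_responses(handler_inconsistent, BAD_INPUTS))
    print(distinct_responses(handler_consistent, BAD_INPUTS))
```

A check like `distinct_responses` can run in a test suite so that unsupported input always produces a single response, which removes the kind of difference that gets read as a blind-injection signal.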
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    That's an expected response, any serious company is going to do PR damage control.
     
  6. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    440
    Location:
    romania
    i've read that kaspersky's site was hacked, bitdefender's site too and now norton...if their sites are being hacked i'm afraid to think what are we (simple users) exposed to... :thumbd:
     
  7. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    It seems to me that no matter what the response from the company that has been attacked it will always be regarded as lies designed to limit damage even if the hackers have not done what they have claimed.
    We all know nothing is 100% foolproof and that includes security on even the most secure sites, they are only secure until someone figures out how to circumvent the measures employed.
    The problem is that these hackers make bold claims way beyond what they have actually been able to achieve because they are after some kind of fame (notoriety) within the circle they move in.
     
  8. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    A lot of times, hackers are able to get past a company's defenses because of some vulnerability in their systems (websites/database are the usual culprit). Theoretically, a hacker could hack into a home user's system, but I take it the system would have to be vulnerable to some sort of attack (i.e. unpatched, infested with malware, etc). In any case, hackers usually don't hack into a home user's computer since they really won't get anything; if they want to steal information, a trojan/backdoor could do that for them automatically (assuming it is installed).
     