F-Secure admitted on Thursday that it had been hit by the same Romanian group that previously hit Kaspersky Lab and Bitdefender's reseller-run Portugese website over recent days. All three of the attacks used SQL Injection techniques. F-secure said the impact of the attack against its systems was minimal, and only affected …
Not really relevant but I want to say it
I've used a variety of these software security suites and f-secure was the worst, by far, from failing to install correctly (firewall yes, AV no???) to regular crashes (restart the service manually) to failing to block ports properly to failing to reply to any question I asked regarding these security holes, or in fact *any inconvenient question whatsoever*.
It was their crapness that finally pushed me to linux+netfilter and away from these packages, so they did me that one favour.
Is there no defense?
I'm no security expert.......but cant you proxy against such attacks by now? SQL injections are old news. Its a tried and tested method that should have been defeated by now. WTF. Is it any specific versions of SQL? M$ SQL, MySQL. Why not use Oracle, or Dbase, something else? I'd ventrure to say most sites are cracked through thier GD databases. I remember years ago, when I was a bushy tailed consultant, I had firewall devices that could proxy every damned bit. Oh, I forgot, iptables is all you need, jackasses.... Astaro firewall, and yes even M$'s own ISS platforms can do this, application layer proteciton...... I guess they cant be bothered to stop picking apart the new bugs that get generated by the downloadable code kits to worry about protecting thier boarders, because why would anyone bother compromising an antivirus company..... Jerks.
Were "hit"? By "hackers"? WTF, register, do your homework better.
The guys on hackersblog.org simply raise awareness about SQL injection and XSS vulnerabilities. And they notify the poor bastards running crap webapps prior to publishing on that blog.
The F-Secure spin is interesting in a very lame way. They've been doing "attacks", ohnoez, the evil hackers are out to get us.
"Fortunately we utilize defense-in-depth strategies so the attack was only partly successful." What a load of bull. They run software susceptible to SQL injection, but their strategies are defense-in-depth.
The "attack" was "partially successful" because they only happened to have non-important tables exposed, unlike the other 2 AV vendors.
El Reg, if you want a story then report on F-Secure's lame spin loaded with marketing mambo-jambo. That post reeks of it: "has been doing attacks"; "they hit us"; "defense-in-depth strategies"; "the attackers" etc... Saying "the impact was minimal" is just evil. There was no impact; the guys never "impact" on the vulnerabilities they discover. They don't run update queries, or drop database or whatnot.
They get one thing right though: "the attack is something we must learn from and points at things we need to improve". This is exactly what the hackersblog.org folks do: point at vulnerabilities so they can fix them. If they wanted to "hit" them, they'd keep quiet and take advantage of their data in whatever evil way possible, not post on a public blog.
Quis custodiet ipsos custodes, eh?
Mine's the anorak with the Kennedy's Latin Pprimer in the back pocket...
I guess this Romanian kids are out to flex some SQL injection muscles. They've got quite a lot of time on their sleeves or may be it is a competition to see who gets in past the GW.
I guess Avast, Symantec, Anti-Vir, AVG, and the rest are not far from SQL crawling observations
I've always wondered....
....what the "F" was in "F-secure"....
F-secure still not secure
I have found some new bugs on f-secure,posted yesterday on nemesis.te-home.net portal