Symantec's website has been given the once-over by the same Romanian hacking group that exposed security problems with websites run by Kaspersky Lab, F-Secure and Bitdefender earlier this month. The hacker, Uno, claims that the document download centre section on Symantec's European site is vulnerable to a blind SQL Injection …
These guys make a living from scaring people
...so it's only fair that they get picked on, too. Who cares if it's boring? The constant, ridiculous security alerts from people who want to peddle their crap are boring, too.
They just don't care
I often wonder about these kind of error messages which suggest there are SQL vulnerabilities. I've just got a keyboard where ' and ; are close to enter: leads to all kinds of accidental amusement, many of them very suggestive of injection vulnerability.
Companies don't seem interested when you report the errors. For example there's one on a major US stock exchange's website in the pages which display current prices. I thought it was quite important that you can't inject into stock quotes delivered through the web on a major exchange, and not being of an evil bent I didn't want to try an exploit to see if it was more benign than the worst possible case, but my guess was that if I got an error saying there was an unterminated string constant in the SQL parser after I typed a symbol suffixed with an accidental ', it might have at least been worth the smart guys having a look at it.
Nobody ever got back to me: I tried contacting them in loads of ways. I'm hoping that there's something cunning going on, like in symantec's case (according to them). But overestimating the financial services sector is endemic these days.
There's none as blind as those who cannot/will not see.
"Like the third and fourth sequels of horror movie franchises, the security website hack show is coming back with fewer and fewer returns. "
Of course, that could very well be just lulling the sector into a false sense of security, with an imminent collapse of systems which have been duly "warned" of vulnerabilities now the next logical process[ing]. And one must be prepared for wholesale credit transfers from compromised systems accounts should the flaws not have been fixed/patched/should the security algorithms not have been revised/reprogrammed.
Hacked security companies - privacy angle
I should have commented on the earlier hacks, because it seems there wasn't much to see here, but keep in mind:
"All databases leak."
Even those that are operated by security companies.. There is much evidence of this.
why is everyone so bitchy over this guy. sql injections go around every day. i find hundreds of these every day. even on big websites.
even on google
- Xmas Round-up Ghosts of Christmas Past: Ten tech treats from yesteryear
- Analysis Microsoft's licence riddles give Linux and pals a free ride to virtual domination
- Review Hey Linux newbie: If you've never had a taste, try perfect Petra ... mmm, smells like Mint 16
- I KNOW how to SAVE Microsoft. Give Windows 8 away for FREE – analyst
- Geek's Guide to Britain How the UK's national memory lives in a ROBOT in Kew