|
|
02-23-2009
Registered User
26,240,
27
Injecting the Common into Security
According to several news articles Friday, February 20th, and documented on hackersblog.org by the hacker named Unu, the Security and A/V "giant" Symantec had a bit of a website face lift as a result of a SQL-injection vulnerability within the website.
The website was defaced as can be seen in the following image:
The stories and associated blog references can be found at the following links:
http://www.itp.net
http://news.softpedia.com
http://www.hackersblog.org
Granted, based on the articles and information so far, the "ethical hacker" Unu used this method of notification to "help" alert Symantec to the problem. Outside of the ethical issues surrounding the hack, the bigger issue is that this type of vulnerability should be the first thing that a web programmer and a security "giant" identifies. In fact, SQL-injection is one of the OWASP (Open Web Application Security Project) Top 10. It will be interesting to see if Symantec experiences any backlash as a result of this incident.
This should truly be a wake up call to companies and security providers that they cannot be lax with regards to secure coding principles and practices. As security professionals, we should be held to the same level of observation and quality that we promote to others.We can all make mistakes and become "comfortable" in what we do, but incidents like this should remind us that security is not comfortable and the common can be even more detrimental than the rare.
More...
The website was defaced as can be seen in the following image:
The stories and associated blog references can be found at the following links:
http://www.itp.net
http://news.softpedia.com
http://www.hackersblog.org
Granted, based on the articles and information so far, the "ethical hacker" Unu used this method of notification to "help" alert Symantec to the problem. Outside of the ethical issues surrounding the hack, the bigger issue is that this type of vulnerability should be the first thing that a web programmer and a security "giant" identifies. In fact, SQL-injection is one of the OWASP (Open Web Application Security Project) Top 10. It will be interesting to see if Symantec experiences any backlash as a result of this incident.
This should truly be a wake up call to companies and security providers that they cannot be lax with regards to secure coding principles and practices. As security professionals, we should be held to the same level of observation and quality that we promote to others.We can all make mistakes and become "comfortable" in what we do, but incidents like this should remind us that security is not comfortable and the common can be even more detrimental than the rare.
More...