• On GameSpot: Share your Modern Warfare 2 experiences
advertisementGet Smart about Business Spending
February 11, 2009 1:55 PM PST

Hacker site claims breach of third security firm Web site in a week

by Elinor Mills
  • Font size
  • Print
  • 7 comments

A Romanian hacker site said on Wednesday it was able to breach the Web site of Helsinki-based security firm F-Secure just as it had gained access to the sites of two other security companies earlier in the week.

F-Secure is "vulnerable to SQL Injection plus Cross Site Scripting," an entry on the HackersBlog site said. "Fortunately, F-Secure doesn't leak sensitive data, just some statistics regarding past virus activity."

An F-Secure spokesman said the company had taken the affected server down and that it was a low-level server that was not critical to the company and had no sensitive or customer data on it, just statistical data for marketing purposes.

"It is slightly embarrassing as a security company that we have had the breach," David Frazer, a spokesman in F-Secure's San Jose, California office, said in a phone interview. "We certainly, as a security company, want to ensure that all of our servers are patched to the levels that they should be."

HackersBlog publicized on its site that it had breached the U.S. Web site of Moscow-based firm Kaspersky on Saturday and the Portugal site of BitDefender on Monday using the same attack techniques.

Kaspersky said on Monday that no sensitive or customer data had been exposed in the breach and that it would ask a database expert to audit its systems. BitDefender said the site that had been breached belonged to an unnamed partner and no customer data was stolen.

SQL injection attacks, in which a small malicious script is inserted into a database that feeds information to the Web site, have become very popular exploit methods. Cross-site scripting vulnerabilities, which allow for injection of malicious code in Web pages, also are common.

Updated 3:25 p.m. PST with F-Secure comment.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Topics:

Vulnerabilities & attacks

Tags:

F-Secure,

hackers,

breach,

SQL injection,

cross-site scripting

Share:
Digg
Del.icio.us
Reddit
advertisement
Click Here
Recent posts from Security
Pub fined $13k for Wi-Fi copyright infringement
Tips for safe online shopping
Big changes in Security Starter Kit 2010
Confidential 9/11 pager messages disclosed
Microsoft warns of IE exploit code in the wild
Chrome OS security: 'Sandboxing' and auto updates
E-tailers snagged in marketing 'scam' blame customers
McAfee warns about '12 Scams of Christmas'
Related
Another iPhone worm, but this one is serious
Browser security features compared
Hacker breaks into jailbroken iPhones, asks for $7
Expert says Adobe Flash policy is risky
Microsoft warns of IE exploit code in the wild
New Firefox 3.6 beta aims to cut crashes
Apple plugs holes for domain spoofing, other attacks
Malwarebytes accuses rival of software theft
Add a Comment (Log in or register) (7 Comments)
  • prev
  • 1
  • next
by gggg sssss February 11, 2009 5:41 PM PST
and I doubt f-Secure was running the dreaded MS SQL server, so how can that be?
Reply to this comment
by ajhoughton February 12, 2009 6:12 AM PST
SQL injection attacks aren't specific to SQL Server. They happen when people pass un-checked input through to the SQL side without escaping special characters.
by n3td3v February 12, 2009 4:19 AM PST
F-Insecure
Reply to this comment
by Noneyabeeswax February 12, 2009 9:52 AM PST
This really isn't funny, but it is.

I guess Microsoft isn't the only one with problems, heh.

I wonder what kind of effect this will have on their sales numbers?

I know I'd certainly think twice about buying security software from a vendor that can't even keep their website secure.

I wonder who's next, or if the other vendors started scrambling to double check everything?
Reply to this comment
by random truth February 12, 2009 2:35 PM PST
How does this relate to Microsoft?
by sn0rf February 12, 2009 11:53 AM PST
Apparently these guys don't know how to assess the security risks properly. Even if there's no sensitive data on their sites, such incidents can hurt their brands significantly. That's why it's weird that they don't have at least simple application firewall installed.
Reply to this comment
by DevSensible February 13, 2009 3:00 AM PST
Firewalls have little if nothing to do with SQL Injections. This was done against a public-facing website. The injection was done via the query string and the input was not escaped/cleansed.
(7 Comments)
  • prev
  • 1
  • next
advertisement

The browser battles go on and on

roundup From Firefox to IE and from Chrome to Opera and Safari, there's no sitting still for browser makers looking to keep their products fresh and competitive.

3G wireless still holds promise

The next generation of 4G wireless may get all the headlines, but advanced 3G technology will likely dominate services for the next few years.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement
Click Here

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET