Symantec hacked? Full disk and database access?

hack-o-rama by Al Corr


Back in February of this year, the Romanian hacker Unu found a SQL injection vulnerability in a Kaspersky tech support portal server based in the USA. That vulnerability when exploited allowed full access to all the database tables, exposing things such as usernames and activation codes.


Well, Unu strikes again, and this time Symantec is the unlucky recipient of his attentions; at first glance it certainly looks worse than the Kaspersky breach. In a new posting on Unu’s blog he details a blind SQL injection attack against a Symantec server that appears to be responsible for tech support through “Norton PC Expert from PC-Doctor Co Ltd” in Japan.


According to Unu, by exploiting the vulnerability he is able to access a lot of very sensitive information, including personal details and product keys (from the symantecstore database table). More worryingly, the screenshots appear to indicate that the attacker is able to browse the entire contents of the server hard drives at will. Unu also notes that both user and employee passwords are available in clear text which, if true, represents a serious oversight: passwords should always be stored encrypted or as a salted hash. It should be noted, though, that there is no evidence of this particular data other than Unu’s own typed report; no screenshots of this data have been posted.


Commentators have not always agreed on the accuracy of Unu’s claims, as in the recent claimed compromise of the Barack Obama donations site; as ever, Unu insists that his activities are only intended to warn and raise awareness, without saving or otherwise stealing any proprietary information. In his own words:


“If you remember, in February Kaspersky was faced with a SQL injection. Then they had the courage to admit the vulnerability, which is why they have my admiration. There was fair play; they quickly secured the vulnerable parameter, and even if at first they were very angry at me, they finally understood that I did not extract anything, I saved nothing, and I have not abused the data found in any way. My goal was, and still is, to warn. To call attention.

That being said, expect the curious reaction from Symantec.”


I have made sure that Symantec UK and Japan are aware of this information, and I am sure they are investigating as I type, but it’s never a bad idea to restate a few best practices for securing web applications:

  • Keep them patched.
  • NEVER store sensitive data in clear text.
  • Get them regularly vulnerability scanned from the inside as well as the outside.
  • Use strong authentication (2 factor) if you are only serving a limited user population or if the data you are holding is particularly sensitive. Cookies can lead to session hijacking…
  • Validating and bounds-checking input data helps to avoid buffer overflows and SQL injection type attacks.
  • Provide access to information on a Need to Know basis and always provide it with Least Privilege.
  • Don’t provide detailed error information to browsers: you don’t expect your customers to debug your application, so don’t give up that error message.
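The injection, clear-text password and error-message points above, as an added Python example (not code from the original post or from any Symantec system; the table, user names and passwords are constructed for the demonstration):

```python
import hashlib
import hmac
import logging
import os
import sqlite3

# Constructed demo schema for this example, not the breached server's real tables.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def store_user(db, name, password):
    # Never store the password itself: keep a random per-user salt and a slow hash.
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, pw_hash))

def lookup_unsafe(db, name):
    # The anti-pattern: user input is pasted into the SQL text, so the input
    # can change the query's structure instead of being treated as data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [r[0] for r in db.execute(sql)]

def lookup_safe(db, name):
    # Parameter binding keeps the input as a value; the same input matches nothing.
    return [r[0] for r in db.execute("SELECT name FROM users WHERE name = ?", (name,))]

def verify_login(db, name, password):
    # Only a yes/no goes back to the client; the detail stays in the server log.
    try:
        row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    except sqlite3.Error as exc:
        logging.error("login query failed for %r: %s", name, exc)
        return False
    if row is None:
        return False
    salt, pw_hash = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, pw_hash)

def demo():
    db = make_db()
    store_user(db, "alice", "correct horse")
    store_user(db, "bob", "battery staple")
    tautology = "' OR '1'='1"  # classic textbook test string
    return {
        "unsafe_rows": lookup_unsafe(db, tautology),  # every user is returned
        "safe_rows": lookup_safe(db, tautology),      # no user matches
        "good_login": verify_login(db, "alice", "correct horse"),
        "bad_login": verify_login(db, "alice", "wrong"),
    }
```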

8 thoughts on “Symantec hacked? Full disk and database access?”

  1. GEEK-TECH

    It is only obvious what Norton and other mega-million AV internet companies fail to realize until recently is the sad fact that too much of their budget is wasted on useless advertising and demos while SQL code and even DOS-based code slips by their software continuously. I find that there is only one solution to this and it’s called Default Deny: nothing allowed unless you know it, and so far only one company provides it and proves it, Comodo. Good luck getting past that. I have been building PCs for 27 years so I know what is good and what is bad. Sucks for Norton’s customers though!

    Reply
  2. Pingback: Symantec’s website exploited | eComTechnology Wordpress

  3. Pramatr IAM

    Even security giants Symantec are not impervious to being hacked.
    It goes to show that being secure is not so clear-cut as consumers believe or as security vendors have you believe (if you buy their product). With an evolving IT market there will always be vulnerabilities waiting to be exploited. It’s a matter of who finds them first, the hacker or the security vendor.

    Reply
  4. Pingback: » Symantec vittima di SQL Injection, dati personali a rischio?

  5. Pingback: HackersBlog » Blog Archive » Very short news – Symantec hacked

  6. Zaphod

    They howl that you should run a virus shield on your computer. Yet totally forget to run one covering the (often r00t permissioned) interpreter on their own website. (cough) As a matter of fact, if php’s scope wasn’t root/global in this case, the hacker shouldn’t have been able to browse the whole server.

    Reply
  7. Pingback: Symantec hacked? Full disk and database access? - Donna's SecurityFlash

  8. Pingback: Tweets that mention Symantec hacked? Full disk and database access? » CounterMeasures -- Topsy.com
