Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Hacking Victim Bit9 Blames SQL Injection Flaw

From: InfoSec News <alerts () infosecnews org>
Date: Tue, 26 Feb 2013 01:52:29 -0600 (CST)
http://www.cio.com/article/729401/Hacking_Victim_Bit9_Blames_SQL_Injection_Flaw

By Jeremy Kirk
IDG News Service
February 25, 2013
Bit9 said a common Web application vulnerability was responsible for allowing hackers to ironically use the security vendor's systems as a launch pad for attacks on other organizations.
Based in Waltham, Massachusetts, the company sells a security platform that is designed in part to stop hackers from installing their own malicious software. In an embarrassing admission, Bit9 said earlier this month that it neglected to install its own software on a part of its network, which lead to the compromise.
In a more detailed explanation on its blog on Monday, Bit9 said attackers gained access by exploiting a SQL injection flaw in one of its Internet-facing Web servers. A SQL injection flaw can allow a hacker to enter commands into a web-based form and get the backend database to respond.
The compromise happened around July 2012, wrote Bit9's CTO Harry Sverdlove. Once inside Bit9, the hackers accessed a virtual machine used to digitally sign code for Bit9, a security measure that verifies the company's code is legitimate. 

[...]


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org
Previous By Date Next
Previous By Thread Next

Current thread: