
Wednesday, February 18, 2009

Hacker Gang Targets Security Companies

A hacker gang, purportedly from Romania, is using SQL injection attacks against security software companies.

Last week it was Kaspersky who was attacked, although the company denied that any real compromise had occurred. The hackers only actually exposed table names from the database, not actual data.

Later reports on that attack stated that the same gang was responsible for attacks on a Portuguese reseller for Bitdefender.

Now F-Secure is saying they were attacked, although once again with only some success. They had a weak spot in their database-facing web pages that gather malware statistics. The page didn't properly "sanitize database inputs." SQL injection involves using input fields that feed a database query to add SQL commands. Click here for a humorous and illustrative example.

F-Secure says the hackers, the same bunch responsible for the previous attacks, were able to read, but not manipulate, the data. It sounds like they use a good collection of security practices to achieve defense-in-depth: hackers got through to the database, but other defenses stopped them there. The user account they compromised only had access to the malware measurement data, which is public anyway, and they couldn't write to the database.
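To make the two layers concrete, here is an added example (not F-Secure's code, and not from the original post) showing an unsanitized query beside a parameterized one, both run over a connection that has no write access. SQLite, the `stats` table, its rows and all function names are assumptions chosen so the example runs offline.

```python
import os
import sqlite3
import tempfile

# Constructed input: the quote ends the string literal early and adds a condition.
INJECTED = "FI' OR '1'='1"


def build_db(path):
    """Create constructed sample data standing in for public statistics."""
    admin = sqlite3.connect(path)
    admin.execute("CREATE TABLE stats (country TEXT, detections INTEGER)")
    admin.executemany("INSERT INTO stats VALUES (?, ?)",
                      [("FI", 120), ("RO", 340), ("PT", 75)])
    admin.commit()
    admin.close()


def lookup_unsafe(conn, country):
    """Weak layer: user input is concatenated into the SQL text."""
    sql = "SELECT country, detections FROM stats WHERE country = '" + country + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, country):
    """Fixed layer: input is bound as a parameter, so it is only ever data."""
    sql = "SELECT country, detections FROM stats WHERE country = ?"
    return conn.execute(sql, (country,)).fetchall()


def write_refused(conn):
    """Second layer: a read-only connection rejects any modification."""
    try:
        conn.execute("DELETE FROM stats")
        conn.commit()
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "stats.db")
        build_db(path)
        # The web-facing connection is opened read-only (least privilege).
        web = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            return {"unsafe_rows": len(lookup_unsafe(web, INJECTED)),
                    "safe_rows": len(lookup_safe(web, INJECTED)),
                    "normal": lookup_safe(web, "FI"),
                    "write_refused": write_refused(web)}
        finally:
            web.close()
```

The concatenated query returns every row for the constructed input while the parameterized one returns none, and the write attempt fails on the read-only connection either way, which is the containment the post describes.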
