(Additional Link: http://blog.rstcenter.com/2009/02/11/f-securecom-sql-injection-cross-site-scripting/)

Hacker site claims third security-firm website breach


Elinor Mills


A Romanian hacker site said on Wednesday it was able to breach the website of Helsinki-based security firm F-Secure just as it had gained access to the sites of two other security companies earlier in the week.

F-Secure is "vulnerable to SQL Injection plus Cross Site Scripting," an entry on the HackersBlog site said. "Fortunately, F-Secure doesn't leak sensitive data, just some statistics regarding past virus activity."

An F-Secure spokesman said the company had taken the affected server down and that it was a low-level server that was not critical to the company and had no sensitive or customer data on it, just statistical data for marketing purposes.

"It is slightly embarrassing as a security company that we have had the breach," David Frazer, a spokesman in F-Secure's San Jose, California office, said in a phone interview. "We certainly, as a security company, want to ensure that all of our servers are patched to the levels that they should be."

HackersBlog publicised on its site that it had breached the US website of Moscow-based firm Kaspersky on Saturday and the Portugal site of BitDefender on Monday using the same attack techniques.

Kaspersky said on Monday that no sensitive or customer data had been exposed in the breach and that it would ask a database expert to audit its systems. BitDefender said the site that had been breached belonged to an unnamed partner and no customer data was stolen.

SQL-injection attacks, in which a small malicious script is inserted into a database that feeds information to the website, have become very popular exploit methods. Cross-site scripting vulnerabilities, which allow for injection of malicious code in web pages, are also common.

main page ATTRITION feedback