Various victims of HackersBlog have claimed that the group's vulnerability discoveries may be overstated.

The Romanian white hat group, led by a researcher known as ‘unu’, posts its findings on its own hackersblog.org website. It exposed SQL injection flaws and other vulnerabilities in several sites belonging to Kaspersky, BitDefender, F-Secure and Symantec, and reported new vulnerabilities in the websites of UK newspaper The Daily Telegraph and BT this week.

However, Symantec and BT have claimed that the white hat group is overstating its achievements. BT said that HackersBlog had succeeded only in penetrating a testing database that contained no live data and said in a statement: “BT has carried out a thorough investigation of this alleged breach. We have found that access was gained to a test database and therefore no customer details were revealed at any time.

“When sites are under test, they do not contain live data and are often not included within our secure network until they become operational. Our operational systems have not been affected in any way by this attempt to break through our security.”

Symantec conceded that the page in question was flawed by ‘inconsistent exception handling’, but it rejected the group's claim that the bug could lead to database access.

Symantec said: “Upon thorough investigation, we have determined that the blind SQL injection is, in fact, not effective. The difference in response between valid and injected queries exists because of inconsistent exception handling routine for language options. We will have the modified page up again soon with better exception handling.”

Meanwhile the Telegraph said the hack probed database tables behind one of its partner sites and had exposed a weakness in the way that particular site had been coded.

Paul Cheesbrough, chief information officer for Telegraph Media Group, said: “The problem being highlighted does not affect the main telegraph.co.uk site, as some of our competitors are reporting, but the Telegraph Media Group does take anything that potentially compromises the security of our site and the data that we hold extremely seriously.

“We immediately took the impacted site down on Friday, and the two-year-old third party code is being re-written to eliminate the issues that hackersblog.org brought to our attention.

“Now hackers are rarely embraced as being friends but in this instance it's important to thank the team at hackersblog.org for bringing these issues to our attention. We've listened, and we're working with the partner site to sort out the cause of the problem.”

See original article on scmagazineus.com
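The Symantec statement above turns on a point worth seeing in code: a page whose error handling differs between a well-formed parameter and a malformed one produces a visible response difference, which a blind SQL injection scanner reads as an oracle whether or not the query is actually exploitable. The example below is added here as an illustration; it is not code from the article, from Symantec, BT or the Telegraph, and the `pages` table, the `lang` parameter and the handler names are constructed for the demo. It contrasts a handler that concatenates a language option into SQL and leaks its failure mode through distinct status codes with a hardened handler that allow-lists the option, binds it as a parameter, and returns one uniform failure response so the two cases are indistinguishable from outside.

```python
import sqlite3
import logging

log = logging.getLogger("lang-page")

# Supported language options (constructed allow-list for the demo).
SUPPORTED = {"en", "de"}


def make_db():
    """Build an in-memory table standing in for a site's per-language page data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (lang TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [("en", "Home"), ("de", "Startseite")])
    return conn


def lookup_title_concat(conn, lang):
    # Weak form: the option is spliced into the SQL text, so a malformed value
    # changes the statement itself and the driver raises instead of returning no row.
    sql = "SELECT title FROM pages WHERE lang = '" + lang + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_title_param(conn, lang):
    # Hardened form: the driver binds lang as a value; it can never alter the statement.
    row = conn.execute("SELECT title FROM pages WHERE lang = ?", (lang,)).fetchone()
    return row[0] if row else None


def handle_inconsistent(conn, lang):
    """Handler with the inconsistent exception handling the article describes.

    An unknown option yields 404 while a malformed one yields 500, so the two
    failure paths are distinguishable by status code alone.
    """
    try:
        title = lookup_title_concat(conn, lang)
    except sqlite3.Error:
        return 500, "Database error"
    if title is None:
        return 404, "Unknown language"
    return 200, title


def handle_consistent(conn, lang):
    """Handler that removes the response difference.

    Every failure, whether the option is unknown, malformed or the query
    itself errors, maps to the same (404, "Unknown language") response;
    the detail is kept in server-side logs only.
    """
    if lang not in SUPPORTED:
        return 404, "Unknown language"
    try:
        title = lookup_title_param(conn, lang)
    except sqlite3.Error as exc:
        log.warning("lookup failed for lang=%r: %s", lang, exc)
        return 404, "Unknown language"
    if title is None:
        return 404, "Unknown language"
    return 200, title


if __name__ == "__main__":
    conn = make_db()
    for option in ("en", "xx", "en'"):
        print(repr(option), handle_inconsistent(conn, option), handle_consistent(conn, option))
```

Running the block shows the inconsistent handler answering `en` with 200, `xx` with 404 and the malformed `en'` with 500, while the hardened handler answers 200 for `en` and an identical 404 for both other inputs. The allow-list check does most of the work for an enumerated option such as a language code; the parameter binding is what makes the query safe for free-form input, and the single failure response is what removes the oracle that a scanner keys on.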