Should I Trust You?
I think that everyone has heard of the recent “hacking series” against major antivirus companies. After the recent SQL injections in Kaspersky, BitDefender (here and here) and F-Secure, the regular user might wonder which company they should still trust.
The answer isn’t that simple. Based on the amount of data that could have been leaked from the websites mentioned above, F-Secure looks the most trustworthy. Why F-Secure? Because, given their defense-in-depth methodology, no sensitive data could have been retrieved, just ordinary data of the kind you can see on several other public pages.
As with any other attack scenario, there is something to be learned. In this case F-Secure and their methodology gave us the lesson. You should never, and I repeat never, grant access to important data to a user that interacts with visitors (in this case, a MySQL database user). You lower the threat by creating different users for different tasks.
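To make that lesson concrete, here is an added MySQL example (not from the post or from any of the companies mentioned) showing the weak setting, a single all-powerful account used by the website, beside a corrected setup with one account per task. The database name, tables, user names and host patterns are all assumptions made for the example.

```sql
-- Constructed example: schema, database and account names are assumptions,
-- not taken from any of the sites mentioned in the post.

-- Weak setting (kept commented out): one account, used by the public website,
-- that can read and write everything. An injection in any page then reaches
-- every table, including customer data.
-- CREATE USER 'web'@'localhost' IDENTIFIED BY 'change-me';
-- GRANT ALL PRIVILEGES ON *.* TO 'web'@'localhost';

-- Corrected setting: one account per task, each with the minimum it needs.
CREATE DATABASE site;
USE site;
CREATE TABLE news      (id INT PRIMARY KEY, title VARCHAR(200), body TEXT);
CREATE TABLE customers (id INT PRIMARY KEY, email VARCHAR(200), license_key VARCHAR(64));

-- The public site only renders news; it never needs the customers table,
-- so the account it connects with cannot even see it.
CREATE USER 'web_public'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT ON site.news TO 'web_public'@'localhost';

-- The licensing front end needs customer contacts, but only specific columns,
-- exposed through a view so the raw license keys stay out of reach of web code.
CREATE VIEW customer_contacts AS SELECT id, email FROM customers;
CREATE USER 'web_licensing'@'localhost' IDENTIFIED BY 'change-me-too';
GRANT SELECT ON site.customer_contacts TO 'web_licensing'@'localhost';

-- Only an administrative account, restricted to the office network, gets write
-- access. No web-facing account gets FILE, SUPER or any global (*.*) privilege.
CREATE USER 'dba'@'10.0.0.%' IDENTIFIED BY 'change-me-three';
GRANT SELECT, INSERT, UPDATE, DELETE ON site.* TO 'dba'@'10.0.0.%';

-- Check: review what each web-facing account can actually reach.
SHOW GRANTS FOR 'web_public'@'localhost';
SHOW GRANTS FOR 'web_licensing'@'localhost';
```

With this layout an injection in a news page can, at worst, read news that is already public; the customers table stays unreachable from that connection.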
Also, I won’t go on complaining about the SQL injections, even if I should, because it’s nothing uncommon. When you have a team of developers who constantly add or remove components and who haven’t got a secure coding methodology (some might sanitize the data on request, others before use), SQL injection (and XSS) vulnerabilities will imminently pop up. I said I won’t complain about the vulnerability, but given the fact that they are in the security industry (and not some unknown players) you would expect more…
Another “debate” I’ve seen was based on an Acunetix article which mentioned that Unu found the vulnerability in Kaspersky’s website via their scanner. Even if true, we all know that the Acunetix Scanner isn’t always enough to catch all the vulnerabilities (as Unu also stated), and no such scanner can. People generally use the Acunetix Scanner for a quick and dirty PRELIMINARY scan.
Enough said.