[ISN] Hacking Victim Bit9 Blames SQL Injection Flaw

http://www.cio.com/article/729401/Hacking_Victim_Bit9_Blames_SQL_Injection_Flaw By Jeremy Kirk IDG News Service February 25, 2013 Bit9 said a common Web application vulnerability was responsible for allowing hackers to ironically use the security vendor’s systems as a launch pad for attacks on other organizations. Based in Waltham, Massachusetts, the company sells a security platform that is designed in part to stop hackers from installing their own malicious software. In an embarrassing admission, Bit9 said earlier this month that it neglected to install its own software on a part of its network, which lead to the compromise. In a more detailed explanation on its blog on Monday, Bit9 said attackers gained access by exploiting a SQL injection flaw in one of its Internet-facing Web servers. A SQL injection flaw can allow a hacker to enter commands into a web-based form and get the backend database to respond. The compromise happened around July 2012, wrote Bit9’s CTO Harry Sverdlove. Once inside Bit9, the hackers accessed a virtual machine used to digitally sign code for Bit9, a security measure that verifies the company’s code is legitimate. […] ______________________________________________ Visit the InfoSec News Security Bookstore Best Selling Security Books and More! http://www.shopinfosecnews.org