Compromised McAfee.com site
As can be seen, not even antivirus and security companies make much effort to look after their own security. On 20.3.2011 sway1990, a member of the InSecurity.Ro group, once again hacked the ESET.ro site (ESET's Romanian reseller).
According to official information no important data leaked and eset.ro applied the fixes promptly.
(ESET's statement: It was an SQL injection on the page where we keep our reseller map. The problem was fixed in the same day. There were no changes in the page or other damage to our image.) Let us say this was a relatively minor bug with a prompt operational fix (within 12 hours).
On the other side is McAfee. The YGN Ethical Hackers group found and reported bugs on their site mcafee.com to McAfee as early as 10.2.2011. These were cross-site scripting holes (XSS vulnerability), internal URLs that were not hidden, and source files that were visible.
McAfee issued a statement on 12.2.2011 reading:
"We are working to resolve the issue as quickly as possible."
And on re-checking on 27.3.2011 the problem still persists. (As can be seen in the email from YGN inserted below.)
The problem is substantially bigger than in ESET's case. ESET and its local resellers are not interconnected with anything; they have (or should have) their own local update servers and their own user database.
McAfee, on the other hand, also performs verification for its customers and gives them a security verification for their web sites (Verified by McAfee Secure), and its databases are directly linked to the website.
McAfee also provides companies with Security & Risk Management services and analyses, so it should be meeting certain standards.
If you want to look at the problem in more detail, Pablo Ximenes of the Security Research Team at the University of Ceará (Brazil) has written it up nicely.
Description of the problem on McAfee.com:
From: YGN Ethical Hacker Group
Date: Mon, 28 Mar 2011 00:02:47 +0800

Vulnerabilities in McAfee.com

1. VULNERABILITY DESCRIPTION
-> Cross Site Scripting
   http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
-> Information Disclosure > Internal Hostname:
   http://www.mcafee.com/js/omniture/omniture_profile.js
   ($ ruby host-extract.rb -a http://www.mcafee.com/js/omniture/omniture_profile.js)
-> Information Disclosure > Source Code Disclosure:
   view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
   view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
   view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
   view-source:http://download.mcafee.com/clinic/Includes/common.asp
   view-source:http://download.mcafee.com/updates/upgrade_patches.asp
   view-source:http://download.mcafee.com/updates/common/dat_common.asp
   view-source:http://download.mcafee.com/updates/updates.asp
   view-source:http://download.mcafee.com/updates/superDat.asp
   view-source:http://download.mcafee.com/eval/evaluate2.asp
   view-source:http://download.mcafee.com/common/ssi/conditionals.asp
   view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
   view-source:http://download.mcafee.com/common/ssi/variables.asp
   view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
   view-source:http://download.mcafee.com/common/ssi/errHandler.asp
   view-source:http://download.mcafee.com/common/ssi/common_subs.asp
   view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
   view-source:http://download.mcafee.com/us/bannerAd.asp
   view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp

2. RECOMMENDATION
- Fully utilize McAfee FoundStone Experts
- Use outbound monitoring of traffic to detect potential information leakage

3. VENDOR
McAfee Inc
http://www.mcafee.com

4. DISCLOSURE TIME-LINE
2011-02-10: reported vendor
2011-02-12: vendor replied "we are working to resolve the issue as quickly as possible"
2011-03-27: vulnerability found to be unfixed completely
2011-03-27: vulnerability disclosed

5. REFERENCES
Original Advisory URL: http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
Former Disclosure, 2008: http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
Former Disclosure, 2009: http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110...
Former Disclosure, 2010: http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-deface...
host-extract: http://code.google.com/p/host-extract/
Demo: http://yehg.net/lab/pr0js/training/view/misc/XSSing_McAfee_Secured/
xssed: http://www.xssed.com/search?key=mcafee.com
Lessons Learnt: http://blogs.mcafee.com/mcafee-labs/from-xss-to-root-lessons-learned-fro...

#yehg [2011-03-27]
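The XSS item in the advisory above is the classic "jump to a help topic named in location.hash" pattern: the fragment is handed straight to a navigation call, so a fragment beginning with javascript: runs as script instead of loading a page. The following is an added example (not code from McAfee, YGN or this blog) that shows that vulnerable shape next to a hardened replacement which only accepts a relative path inside the help tree. HELP_ORIGIN, HELP_ROOT and the function names are assumed for illustration; the sample fragments are constructed.

```javascript
// Added example, not code from McAfee, YGN or the blog. HELP_ORIGIN and
// HELP_ROOT are assumed values standing in for a real help site.
const HELP_ORIGIN = "https://help.example.test";
const HELP_ROOT = "/products/webhelp/";

// Vulnerable pattern: whatever follows '#' is treated as the navigation
// target. Passed to top.location or location.replace(), a "javascript:" or
// "data:" value executes in the page instead of loading a help topic.
function vulnerableTarget(hash) {
  return hash.startsWith("#") ? hash.slice(1) : hash;
}

// Hardened pattern: resolve the fragment relative to the help tree and keep
// it only if the result is still an http(s) URL on our own origin, under the
// help root. Returns the path to navigate to, or null (caller falls back to
// the help index).
function safeTarget(hash) {
  let fragment = hash.startsWith("#") ? hash.slice(1) : hash;
  try {
    fragment = decodeURIComponent(fragment); // malformed %-escapes throw
  } catch (e) {
    return null;
  }
  let url;
  try {
    url = new URL(fragment, HELP_ORIGIN + HELP_ROOT); // resolves "../" etc.
  } catch (e) {
    return null;
  }
  // javascript:, data:, vbscript: and foreign hosts all fail this check:
  // their origin is the string "null" or another host, never HELP_ORIGIN.
  if (url.origin !== HELP_ORIGIN) return null;
  // "../../admin" resolves to "/admin" and is rejected here.
  if (!url.pathname.startsWith(HELP_ROOT)) return null;
  // Conservative character set for topic paths; unusual encodings are refused.
  if (!/^[A-Za-z0-9_\-./]+$/.test(url.pathname)) return null;
  return url.pathname + url.search + url.hash;
}

// How a page would use it: `go` is the navigation callback (e.g. a wrapper
// around location.replace); unsafe fragments fall back to the help index.
function navigateFromHash(hash, go) {
  const target = safeTarget(hash);
  go(target === null ? HELP_ROOT : target);
  return target;
}

// Demo with constructed fragments; only runs when executed directly.
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    "#4/1033/intro.htm",
    "#javascript:top.location.replace('example.invalid')", // same shape as the advisory's payload, placeholder host
    "#//example.invalid/phish",
    "#../../admin",
  ];
  for (const s of samples) console.log(s, "->", safeTarget(s));
}
```

The important design choice is resolving the fragment with the URL parser first and then comparing the parsed origin and path, rather than blacklisting the string "javascript:"; scheme names are case-insensitive and can be obfuscated with whitespace or encoding, while a parsed origin either equals your own or it does not.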