Victims Argue Findings Of Romanian White Hat Hacker Group

Impact of HackersBlog's vulnerability discoveries may be overstated, victims say
The Romanian white hat hackers who have been exposing vulnerabilities in major Websites and databases during the past month aren't always "playing fair" in the penetration testing game, some "victims" say.

The white hat group, which is led by a researcher known only as "unu" and posts its findings on its own HackersBlog.org Website, has exposed SQL injection flaws and other vulnerabilities in several high-profile sites since February, including sites belonging to security vendors Kaspersky, BitDefender, F-Secure, and Symantec, as well as the International Herald Tribune newspaper.

During the past few days, HackersBlog has reported new vulnerabilities in the Websites of U.K. newspaper The Telegraph, as well as on a Website belonging to telecommunications giant BT. In both cases, and as in its previous vulnerability reports, HackersBlog said the group had demonstrated the ability to penetrate back-end databases containing sensitive data.

But two of the most recent "victims" of HackersBlog's attacks said the white hat group is overstating its achievements. In a statement released today, BT said that HackersBlog had succeeded only in penetrating a test database that contained no live data.

"BT has carried out a thorough investigation of this alleged breach. We have found that access was gained to a test database and therefore no customer details were revealed at any time," the statement said. "When sites are under test, they do not contain live data and are often not included within our secure network until they become operational...Our operational systems have not been affected in any way by this attempt to break through our security."

Symantec also protested HackersBlog's findings. In a response posted on HackersBlog, the security giant conceded that the page in question was flawed by "inconsistent exception handling," but it rejected unu's assertion that the bug could lead to database access.

"Upon thorough investigation, we have determined that the blind SQL injection is, in fact, not effective," Symantec said. "The difference in response between valid and injected queries exists because of inconsistent exception handling routine for language options. We will have the modified page up again soon with better exception handling." In subsequent public statements, Symantec renewed its assertion that no sensitive data had been compromised.

Other victims of the white hat attacks observed that HackersBlog had not penetrated their primary sites, but had gained access through ancillary sites or third-party connections. The Telegraph, for example, said the hack probed database tables behind one of its partner sites -- search.property.telegraph.co.uk -- and "exposed a weakness in the way that particular site had been coded."

"The problem being highlighted does not affect the main telegraph.co.uk site, as some of our competitors are reporting," said Paul Cheesbrough, CIO of Telegraph Media, in a statement.

None of the victims disputed the fact that HackersBlog had found coding errors in their systems. However, unu's assertion that vulnerabilities can be broadly found by exploring the Internet's most popular Websites may be overstated, they suggest. In most of the "hacks," the Romanian group actually penetrated ancillary or partner sites, where public defenses are not as strong.

Security experts continue to recommend that users potentially affected by the vulnerabilities -- including The Telegraph's 700,000 subscribers -- take the time to change their passwords.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message