The Web page xfiw.iss.net.au, X-Force Internet Watch, was defaced with messages condemning political leaders who supported the war in Iraq.
The hack was confirmed by a spokeswoman for ISS, who pointed out that no customer data was stored on the targeted machine.
"There was some information on the web-page that was misrepresented [defaced]," she told ZDNet Australia by phone from the company's HQ in Atlanta in the U.S.
The company has downplayed the seriousness of the intrusion.
"It's [the defaced web-server] not connected to our [main] servers here in the U.S.," she said.
The site offered free downloads of the company's popular BlackICE security software to university students. When students installed the software, it sent data back to the company for analysis, helping it gather real-time trending information.
Security consultant Nathan Macrides says ISS, a company he describes as being "up there with the best in the world", is no doubt feeling a little silly, despite the relatively low impact of the intrusion.
"I think it's embarrassing for any security company to have something like that happen to them... they pride themselves on being the world leaders in discovering vulnerabilities," he said.
Reports from Zone-H, a site that logs defacement activity, have suggested the site may have been breached through a bug in ntdll.dll that was exploitable through the WebDAV remote authoring module in Microsoft's IIS 5.0 Web server.
A fix for that vulnerability had been available for over a month. If the company was hacked in this way then it has no one to blame but itself, says Macrides.
"If it's not a zero-day [undisclosed vulnerability] then it's just slack administration," he told ZDNet Australia.
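The WebDAV route described above leaves traces an administrator can look for. The following is an added example, not code from ISS, Zone-H or ZDNet: it parses IIS W3C extended log lines (the `#Fields:` header is used to map columns, so it does not depend on a fixed layout) and flags WebDAV verbs such as PROPFIND and SEARCH, and any request with an abnormally long URI, since the published exploits for the ntdll.dll bug sent request URIs tens of kilobytes long. The log lines are constructed for illustration and the 1024-byte threshold is an assumption to tune per site.

```python
"""Scan IIS 5.0 W3C extended logs for WebDAV probing and oversized URIs.

Added example for this article; not ISS, Zone-H or ZDNet code. The sample
log below is constructed, and LONG_URI_BYTES is an assumed threshold.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# RFC 2518 WebDAV verbs handled by the IIS 5.0 WebDAV module.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
# Assumption: no legitimate URI on this site approaches 1 KB.
LONG_URI_BYTES = 1024

# Constructed sample: an OPTIONS probe, a PROPFIND, then a 4000-byte SEARCH.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-04-23 09:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port cs-username sc-status cs(User-Agent)
2003-04-23 09:00:01 203.0.113.5 GET /default.asp - 80 - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-04-23 09:00:07 203.0.113.5 OPTIONS / - 80 - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-04-23 09:00:09 203.0.113.5 PROPFIND /blackice/ - 80 - 207 -
2003-04-23 09:00:12 203.0.113.5 SEARCH /{pad} - 80 - 500 -
2003-04-23 09:00:15 198.51.100.9 GET /downloads/bi.exe - 80 - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
""".replace("{pad}", "A" * 4000)


@dataclass
class Finding:
    line_no: int
    client: str
    method: str
    uri_len: int
    reason: str


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field->value) for each record, using the #Fields header."""
    fields: List[str] | None = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        # A truncated record (e.g. written while inetinfo.exe was crashing)
        # is skipped rather than mis-mapped onto the wrong columns.
        if fields is None or len(parts) != len(fields):
            continue
        yield n, dict(zip(fields, parts))


def scan(text: str, long_uri: int = LONG_URI_BYTES) -> List[Finding]:
    """Flag WebDAV verbs and requests whose stem+query exceed long_uri bytes."""
    findings: List[Finding] = []
    for n, rec in parse_w3c(text):
        method = rec.get("cs-method", "-").upper()
        stem = rec.get("cs-uri-stem", "-")
        query = rec.get("cs-uri-query", "-")
        uri_len = len(stem) + (0 if query == "-" else len(query) + 1)
        reasons = []
        if method in WEBDAV_METHODS:
            reasons.append("webdav-method")
        if uri_len >= long_uri:
            reasons.append("long-uri")
        if reasons:
            findings.append(Finding(n, rec.get("c-ip", "-"), method,
                                    uri_len, "+".join(reasons)))
    return findings


def summarize_by_client(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged requests per client address, to spot a single scanning host."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client] = counts.get(f.client, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.method} uri={f.uri_len}B [{f.reason}]")
    print(summarize_by_client(scan(SAMPLE_LOG)))
```

Two caveats for anyone running this against a real server: the request that actually crashes the IIS process may never be written to the log, so an empty result is not proof of no attack (correlate with service restarts in the event log), and the scanner is a detective control only; the fix is the vendor patch and, where remote authoring is not needed, disabling WebDAV on the server.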
ISS's core products include RealSecure, a market-leading intrusion detection system, and according to its website the company is the "security provider for 49 of the Fortune 50".
X-Force, the company's research arm, has discovered critical vulnerabilities in ubiquitous server software such as Apache, the world's most widely used web server, and Sendmail, the daemon that processes around 70 per cent of the world's e-mail.

It is a known fact today that Internet security is weakest at the login step.
SSL or any other transport protocol cannot help once your password itself is exposed.
The most secure and affordable methods available today are two-factor authentication (TFA) and one-time password (OTP) generation.
With today's hardware token systems these methods are expensive, which is why only VIP users or highly sensitive sites offer this level of security to their clients.
Change the token system so that every organization can offer it to its customers, and you get a high level of security for everybody.
Mega AS Consulting Ltd (www.megaas.co.nz) has developed a new CAT (Cellular Authentication Token) that follows this idea. It is a new concept that enables new services such as eAuthentication. The CAT runs on a cellular phone, does not require SMS or any other communication once installed, and can be installed once, over the air (OTA), by any Service's client. It costs the user nothing.
With this in mind, Services can now offer users the option to register for a secured OTP login at a time of their choosing. The Service does not have to supply or manage the tokens; it is the user's responsibility to join the secured service and so secure their own login.
The eAuthentication Service takes this approach further. Since the user can choose to join the Service's secured login, the company providing the Service no longer has to buy an authentication package; its users are authenticated at the Mega AS Consulting CAT authentication server, which the Service calls through a simple API.
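The page does not disclose how the CAT computes its codes, so the following is an added illustration of the general principle behind any offline OTP token, not Mega AS Consulting's algorithm or API: the phone and the authentication server share a secret that is provisioned once, both derive each code from that secret and a moving counter, and the server verifies a submitted code with a small look-ahead window and then advances its counter so the code can never be replayed. It uses the HOTP construction from RFC 4226 (HMAC-SHA1, dynamic truncation), whose published test vectors confirm the arithmetic; the `PhoneToken` and `AuthServer` classes, the `look_ahead` of 5 and the user names are assumptions made for the example.

```python
"""Offline OTP token and verifying server, in the style of RFC 4226 HOTP.

Added example for this page; it is not Mega AS Consulting's CAT code. The
token/server classes and the look-ahead window are assumptions.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def provision_secret() -> bytes:
    """Secret generated at enrolment and installed on the phone once (the OTA step)."""
    return secrets.token_bytes(20)


class PhoneToken:
    """The client side: needs no network once the secret is installed."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1          # every press consumes a counter value
        return code


class AuthServer:
    """The server side a Service would call through its API."""

    def __init__(self, look_ahead: int = 5) -> None:
        self.users: Dict[str, Dict[str, object]] = {}
        self.look_ahead = look_ahead   # tolerate a few unused codes on the phone

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0}

    def verify(self, user: str, code: str) -> bool:
        rec: Optional[Dict[str, object]] = self.users.get(user)
        if rec is None:
            return False
        secret: bytes = rec["secret"]          # type: ignore[assignment]
        start: int = rec["counter"]             # type: ignore[assignment]
        for c in range(start, start + self.look_ahead + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                rec["counter"] = c + 1         # this and all earlier codes are now dead
                return True
        return False                           # no match in window: reject, do not advance


if __name__ == "__main__":
    secret = provision_secret()
    server, phone = AuthServer(), PhoneToken(secret)
    server.enroll("alice", secret)
    code = phone.next_code()
    print("first use:", server.verify("alice", code))    # True
    print("replay:   ", server.verify("alice", code))    # False
```

The server must rate-limit `verify` (six digits and a window of six counters is a small search space for an online guesser) and must persist the advanced counter before returning success, otherwise a crash re-opens the window for replay. In the hosted eAuthentication model described above, whoever runs the authentication server holds every user's shared secret, so that server becomes the trust anchor for all subscribing Services and has to be protected accordingly.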
This approach is new. It will change the whole industry and it is available now.