Kaspersky Customer Database Exposed
secmartin writes "A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."
Here's the reference, for those who still haven't seen it:
http://xkcd.com/327/
I use plain CSV text files, you insensitive clods!
Our IT department switched us from trend micro to Kaspersky a few months ago. I haven't done any research on the merits or drawbacks of either, but what I do know is this:
1) On our ancient desktop machines (think 1.8 GHz Pentium 4s with 512 MB of RAM), performance is a lot worse now than before we switched.
2) Since the switch we've had some pretty serious downtime due to a virus that got in on some old unpatched Windows 2000 machines and then proceeded to wreak havoc.
3) SQL injection isn't that hard to prevent. Seriously.
Granted none of that is enough to conclusively say that Kaspersky is a terrible product, the virus may very well have happened with Trend Micro as well, but as an end user my first impressions are less than positive.
Who cares if some forums are hacked?
For that matter, even if they get a customer's account data, the damage is limited if good credit-monitoring is in place.
I'd be more worried about the update servers being hacked and millions of us downloading bogus updates.
I just switched to Kaspersky last night, after my McAfee subscription expired. "Haxor et Machina?"
http://www.aaronrogier.net
Awesome, in a small amount of time 3 of the services I use have all had their information compromised.
Can't wait to have the rest of them owned.
Also, shouldn't a company whose focus is security make sure they don't have a problem with such things as, oh I don't know... SQL injection?
Who sed anything about Linux? I sed a *secure* OS. Oh, and I'm a level 120 yellow mold.
Since I don't have mod points... Just so you know, you're absurdly offtopic, and you're both wrong.
Linux can't prevent a SQL injection attack. Not writing shitty software prevents SQL injection attacks, no matter what OS you're on.
Linux is ready for the desktop, and is likely still easier to install than Windows. But the desktop is even less relevant to a discussion about a server-side SQL injection attack.
Don't thank God, thank a doctor!
The trolls, do not feed them.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
I've been "borrowing" our company's corporate AV sw that doesn't require registration and has perpetual license for the past 10 years... Then 6 months ago I decided to go legal and spent $70 for 3 user license. I paid with my credit card, registered with my email address and now this! Never again :)
"web sights"??? What the hell?
If you want a virtually 100% secure OS, there is always OS X.
It seems someone needs to add backslashes to their SQL statements...
I've never really bought into that idea. I mean, if a casual user reads a troll post and sees it go uncontested, they're quite possibly going to believe it is true.
Avoid giving them fodder, but if they're shouting loudly enough, make sure there is some balance.
hahahahahahaha .. a hahahaha oh man I haven't laughed so much all week, it could only be funnier if you actually believed that.
That's because the gaping backdoors are in Apple users, not in Apple software.
I've never fucked a girl, but I hope to, someday. Somehow.
There, I fixed that for you.
Great timing eh?
You yourself are a well known troll, but I'll bite.
He is indeed off topic, but he's right. That prompted you to mention that Linux wasn't at fault. Problem is, the post you replied to made no claim that Linux was insecure. At all. The insecurity lies in you, which is why you make the absurd claim that Linux is ready for mainstream use.
"When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
Hey, it was insensitive. But I was still funny! :D
Funny? Sure, maybe it was 5 years ago.
"It is best to keep your mouth shut and appear a fool, than to open it and remove all doubt" -Mark Twain
I agree. Except that you quoted the wrong guy. Or rather, the wrong text. It's a paraphrase of the Bible. Proverbs 17:28.
If our elected representatives no longer represent us, do we still live in a Democracy?
so how does it make you feel to see your fellow linux goosesteppers modding completely relevant posts down because they're not pro-linux? it's like a little religious cult.
That's brilliant, bookmarked.
and i've fucked several, but am lacking in Linux proficiency...
"If for any reason you're not satisfied with our service, I hate you."
Why do people even waste their own time with this type of shit? It's not even a good troll.
If you want news from today, you have to come back tomorrow.
I get 100 mbit fiber for $65/mo in a small town in Iowa.
:-)
What carrier is that? (Assuming that is 100 Mbps, not a cap
This issue is a bit more complicated than you think.
Moron can't even spell, let alone make a coherent statement. Hail? Hail is a form of precipitation, not a salutation. Moron. Spic, kike, coon, nigger, all in the same sentence with Jesus. Phhhht. There should be a minimum IQ test that needs to be passed before anyone can get on the internet. IQ should be AT LEAST double your shoe size. Or, four times the size of your penis, if you don't wear shoes.......
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I've never really bought into that idea. I mean, if a casual user reads a troll post and sees it go uncontested, they're quite possibly going to believe it is true.
Reasons not to feed them:
1) It makes people waste mod points on the people replying. It is wasting, because replies to a troll are never ontopic and are *very* rarely anything interesting or helpful. Better to let the whole thread disappear with a few mods.
2) Some trolls troll anonymously, and then post with an account refuting their own post to gain mod points with a sane post. Twitter is notorious for this. Anyone replying to a troll should be modded offtopic or overrated (depending on whether you want to affect their karma).
EOM
But the user backdoor is no pathway for an SQL injection.
-- Put crudely, the world is an extremely large problem instance. (Russel/Norvig Artificial Intelligence)
Rather, a pathway for semen ejection.
Whoosh? Maybe.
Kaspersky outsources almost all (if not all) their ecommerce. They would have little or no credit card info in their customer database.
This is Slashdot, we can tell when your lying!
Make SELinux enforcing again!
Stop feeding the trolls. You're offtopic. So am I.
Level 12 dwarf, thank you very much.
Overall, according to the testing agencies, it's a pretty decent AV with very high detection rates - almost always in the top five or ten.
Its administration over a network is pretty complicated, using its Administration Kit. The basics aren't hard, but it's a very complicated product with a high degree of customization possible, which makes administering it hard.
It does have a bad problem with false positives - it seems to want to tag any exe encapsulated in an archive as a "trojan". I had a bunch of utilities for unattended installs of Windows sitting around and it went wild tagging a lot of them as "trojans" - even though most are well-known utilities used for installing or slipstreaming Windows, and if any of them had trojans, somebody would have caught that by now. This is a known issue with KAV and apparently they're not doing much to correct it, according to comments on their forums.
But ALL the virus engines these days are behind the curve of actual viruses in the wild - so it's no surprise that the occasional virus gets through. One got through on one of my client machines a week or two ago without being spotted by either KAV or Spyware Terminator. A very nasty one, too, that was almost a rootkit - took me some hours to fully get rid of it. Downloaded from a hostile Web site by one of the staff accidentally, I think, since the client has a hardware firewall in front of the network.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Hail. Verb
Infinitive: to hail
Third person singular: hails
Simple past: hailed
Past participle: hailed
Present participle: hailing
to hail (third-person singular simple present hails, present participle hailing, simple past and past participle hailed)
1. (transitive) To greet.
Hail Linzen
2. (transitive) To praise enthusiastically.
He was hailed as a hero.
3. (transitive) To call out to loudly in order to gain the attention of.
Hail a taxi
4. be a native of
She hails from Kalamazoo
And apparently there's no possible way that Mark Twain actually said that. As in he never read that passage and paraphrased it into the quote that was mentioned.
Fucking fundie. Go stone some gay people.
Gratuitous journal whore located here.
you're right, my Linux proficiency is anything but.
i am learning, though!
"If for any reason you're not satisfied with our service, I hate you."
This is Slashdot, we can tell when you're lying!
And being /. we can fix your glaring spelling/grammar errors without seeming the least bit pedantic.
Since when was it supposed to be legal to do this? This hacker should be thrown in the slammer. What the hell is this world coming to when you blame the vendor/sql/whatever-else when a "user" intentionally performs a malicious attack for whatever reason? This guy is a criminal and no better than any of the virus and malware writers out there. Do any of you have a clue as to how much these cyber-criminals actually cost the rest of us? Here's a partial answer: More than I want to pay.
Windows is easy to install
linux i have problems with
I can't count the number of times I've recommended using mod_security in order to prevent this type of crap.
I can count, though, the number of times people implemented it: 0.
Of course, the easiest solution to this is to not buy Kaspersky and just crack it ;) Or use linux...
DNA -- National Dyslexic Association
// Percent-encodes the characters the poster considers dangerous. Note that it
// never touches backslashes, so it is not a substitute for bound parameters.
static String escapeQuotes(String s) {
    if (s == null) { s = ""; }
    StringBuilder sb = new StringBuilder();
    char[] con = new char[3];
    con[0] = '%';
    for (int i = 0; i < s.length(); i++) {
        char c = s.charAt(i);
        // 0x27 = ', 0x60 = `, 0x22 = " (the post had 22 decimal, a typo for 0x22), and %
        if (c == 0x27 || c == 0x60 || c == 0x22 || c == '%') {
            int a = c / 16;        // high hex nibble
            int b = c - a * 16;    // low hex nibble
            con[1] = Character.forDigit(a, 16);
            con[2] = Character.forDigit(b, 16);
            sb.append(con);        // emit %XX
        } else {
            sb.append(c);
        }
    }
    return sb.toString();
}
That wasn't difficult, was it now? Did I miss any characters?
Java Programming FEED
I'm so very glad I got our company to use Avast.
I know living in the ghetto must be tough and all, but it appears you have the capabilities to steal a computer, so one would guess you'd probably have the capabilities to steal a dictionary. You should try using one some time. Hell, here's a reference site for you: http://www.dictionary.com/
It even negates the need for you to buy one. Next time that you want to go out on a limb and make some half-hearted want-wit attempt at insulting someones IQ, maybe next time you will think twice.
Well, he got you to waste your time, and I guess mine, too. Mission accomplished.
Object-oriented programming is difficult to use and doesn't increase productivity.
arguable but I will agree that in C vs C++ I choose C
Right, because SQL injection has anything to do with the OS.
IT's probably a BOT!
Why?
The OS is a tool to get the job done.
Without knowing anything about you, I am willing to put money on the fact that this guy using Windows has accomplished more than you have with your "h4x0r!1" OS.
It doesn't matter if this happened. Because the security you get by buying and installing Kaspersky is that they add you to the Russian mafia's exceptions list. So you buy your freedom, sort of. It's like a bar owner buying off the local mafia. Protection money!
...bad presence. Having worked for them for a year, this incident doesn't surprise me. The product is fantastic and developed almost exclusively in Russia. I almost pity the support folks, as typically they would end up having a new version dropped into their laps without any notification or training. More often than not they would find out about a new release when they went to the website and found it listed as available. However, the U.S. office is scrambling to gain a business foothold and went from a small group doing fantastic work to a larger one that's run by managers that have little to no concept of the actual product or how it works. The conversion from "geeks in the know" to "we're run by PHBs" is never easy and they've lost a lot of great talent. I knew what the writing on the wall looked like when they dumped 10k of support emails because they lacked the support staff to handle them and were getting tired of the complaints. To summarize for Kaspersky, despite everything 1980's cinema taught you: US=Bad Russia=Good
No it's not easier than Windows. It's just as easy, IF you have a user-friendly distribution like Ubuntu.
I've had much better experiences installing Linux than Windows. And I started out with DOS 3.3. The most significant advantage is that these days usually all the drivers for your hardware are included in the kernel. Installing Windows is easy enough. It's the hours of tracking down drivers and applications after installing that is a pain in the backside.
Linux is ready for the desktop, and is likely still easier to install than Windows. But the desktop is even less relevant to a discussion about a server-side SQL injection attack.
You got to be kidding right? Please say you are kidding!
Linux is awful crap on the desktop IF you need to be productive; for procrastination (but not gaming) it's OK, but as a professional web dev, I get spooked if I have to use Linux as my workstation, most of the software I need is not there.
That being said, Linux is absolutely awesome as a server: rock solid, decent performance, very good customizability. If you know your stuff, you can get a hell of a lot of web request processing juice out of a Linux box, even on old measly hardware.
Pulsed Media Seedboxes
Could this be Kapersky?
Everybody uses broad generalizations.
There is nothing wrong with C++; in fact, you can easily keep all your C-isms in C++. I like the OO approach, even though I dislike C++ stream I/O and templates. My C++ code looks almost like std C but organized in classes rather than a bunch of globals and a tangle of functions. Yeah, it's not textbook C++, but it's a far cry better than std C.
1) Maybe you meant mysql_real_escape_string()?
Or perhaps mysql_genuine_escape_string_really_no_kidding_this_time().
2) Just adding \ in front of ' doesn't help you if the attacker puts \ in the parameters.
Lastly, my suggestion is to avoid PHP if you can. Though you can quickly do half-baked stuff with PHP it's a real pain and more work to do things properly compared to better designed languages.
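The reply above (point 2) and the escapeQuotes post earlier in the thread are making the same point from two sides: a hand-rolled escaper only protects against the characters its author thought of. The following is an added example, not code from the thread or from Kaspersky; it models a MySQL-style string lexer (backslash escapes, '' for a literal quote) to show how a naive backslash escaper lets a backslash in the input close the string early, and contrasts concatenation with bound parameters on a constructed SQLite table.

```python
"""Added example: why hand-rolled quote escaping is fragile and bound parameters are not."""
import sqlite3

# Constructed sample rows; not data from any real system.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def naive_backslash_escape(value):
    """The 'just put a backslash in front of the quote' idea from the thread."""
    return value.replace("'", "\\'")


def mysql_lex_literal(sql, start):
    """Scan the single-quoted literal beginning at sql[start] the way a MySQL-style
    lexer does: backslash escapes the next character and '' is a literal quote.
    Returns (literal body, text after the closing quote). Simplified model (assumption)."""
    assert sql[start] == "'"
    i, body = start + 1, []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):          # \x -> x, consume both
            body.append(sql[i + 1]); i += 2; continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":  # doubled quote stays inside
                body.append("'"); i += 2; continue
            return "".join(body), sql[i + 1:]         # closing quote found
        body.append(ch); i += 1
    raise ValueError("unterminated string literal")


def spills_past_literal(user_input):
    """Escape the input naively, splice it into a query, and return whatever the
    lexer sees outside the string literal. Empty string means the input stayed data."""
    sql = "SELECT email FROM users WHERE name = '" + naive_backslash_escape(user_input) + "'"
    _body, rest = mysql_lex_literal(sql, sql.index("'"))
    return rest.strip()


def make_db():
    """In-memory SQLite table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the input is pasted into the SQL text and becomes syntax."""
    return [r[0] for r in conn.execute(f"SELECT email FROM users WHERE name = '{name}'")]


def lookup_param(conn, name):
    """Fixed: the driver binds the value; quotes and backslashes are just data."""
    return [r[0] for r in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = make_db()
    print("benign input spills:", repr(spills_past_literal("o'brien")))
    print("backslash input spills:", repr(spills_past_literal("\\' OR 1=1 -- ")))
    print("concat:", lookup_concat(db, "' OR '1'='1"), "param:", lookup_param(db, "' OR '1'='1"))
```

The same backslash input that breaks out of the naive escaper returns zero rows through the bound-parameter version, which is the fix both posters are circling around.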
using namespace std;
eh? :P
Linux is awful crap on the desktop IF you need to be productive; for procrastination (but not gaming) it's OK, but as a professional web dev, I get spooked if I have to use Linux as my workstation, most of the software I need is not there.
I could say the exact thing about Windows; Also being a professional web dev. The tools are all there and in most cases, better in my opinion. It's all about the environment in which you like to work. I do know that without the Linux CLI, my work would be much slower.
Let's race to see who can check in a change and release it to three master servers the quickest.
Bullish Machine Tzar
You yourself are a well known troll, but I'll bite.
And yet, my karma is still excellent. How's yours?
Oh, I forgot, it must be the massive conspiracy of people who want to see SanityInAnarchy modded up, no matter what he says. I guess I'm more popular than I realized.
He is indeed off topic, but he's right.
What, that Linux isn't ready for "the desktop"? I guess I should tell my mother to buy a Mac, then...
Problem is, the post you replied to made no claim that Linux was insecure.
Nor was I making any claim that it was. I was responding to both of the ACs -- the first seemed to be claiming that by merely switching to "a secure OS", by which I was assuming Linux or BSD, they would prevent a SQL injection attack.
So, if anything, I was arguing against Linux being magical security sauce.
why you make the absurd claim that Linux is ready for mainstream use.
I don't believe I made that claim -- I said "the desktop". Most criteria people bring up for evaluating that are either pure troll (You have to use the commandline for everything! Ten years ago, maybe...) or something which is impossible for anything other than Windows to qualify for, no matter how well written (Will it run all the apps I have now and some I haven't thought of?)
But, I was avoiding opening that discussion, because it's so offtopic.
Don't thank God, thank a doctor!
Linux is awful crap on the desktop IF you need to be productive,
Having used all three extensively, I can say with confidence that I was at my most productive on KDE 3, on Kubuntu Hardy.
Let me define "extensively". In college, I mostly used Linux on the desktop, and OS X (Tiger) on a Powerbook. I didn't mind OS X much, but I wasn't trying to do much with it, either -- taking notes in vim is about as productive in either case, as is writing a paper in OpenOffice.
For my most recent job, I started out using Windows exclusively, as it was HD-DVD. It wasn't fun to use Windows, but there really wasn't a choice -- it took a delicate balance to get Microsoft's HDiSim to work (Windows XP, not 2K or Vista; Media Player 10, not 9 or 11...) and my few experiments with Wine and virtual machines didn't go anywhere. So I used Eclipse, with Visual Studio .NET to debug, Firefox for web browsing, etc.
After that was web development, in Ruby on Rails. I immediately booted over to the Linux partition I was keeping on that machine, and ran that exclusively until that laptop died.
When it did, the only real choice was to borrow an OS X machine (an iMac), running Leopard, and get to work. And that was a love-hate relationship. So many things done right, but so many simple things, day after day, that infuriated me -- the biggest being lack of keyboard shortcuts/navigation, and lack of sloppy focus. Less than two weeks until I got a new Dell with Ubuntu on it.
The difference was profound -- I hadn't seen it as clearly illustrated before. Just simple things like having a keystroke to pack windows around, not to mention a package manager that doesn't suck.
So, your mileage may vary, but I am definitely at my most productive on Linux -- unfortunately, it can still access Slashdot, so there is that...
as a professional web dev, i get spooked if i have to use Linux as my workstation, most of the software i need is not there.
Are you a .NET developer, or are you referring to some amazing new tools I hadn't heard of?
Firefox runs on Linux. Firebug runs on Firefox. Ruby also runs on Linux, and Rails runs pretty much anywhere Ruby will. My favorite text editors (Kate and Vim) run on Linux.
The only irritation is that everyone and their dog seems to have latched onto these TextMate URLs in error messages. These are very cool, but I haven't gotten them working with things other than TextMate yet.
Don't thank God, thank a doctor!
Little Johnny Tables strikes again.
I don't think they secured the site, I just think they can't detect the intrusion anymore, because it is now hiding in a device driver that correlates to a process and they can't even see it!!! Networkers do not know programming, and programmers do not know networking, and rarely do the two sides speak!!! The only way to really be sure is to look at the original programming ...you think they will admit they don't know how to do it??
Score one for OLD SCHOOL!!!!
http://hackersblog.org/2009/02/09/hackedbitdefender-portugal-exposes-sensitive-customer-data/
And these are the same people claiming great security for my pc, because they know how to handle threats. If they can't even write good web code for their site, my guess is they don't for their products either.