Slashdot Mirror
Kaspersky Customer Database Exposed
secmartin writes "A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."
Our IT department switched us from trend micro to Kaspersky a few months ago. I haven't done any research on the merits or drawbacks of either, but what I do know is this:
1) On our ancient desktop machines (Think 1.8ghz pentium 4's with 512 megs of ram) performance is a lot worse now than before we switched.
2) Since the switch we've had some pretty serious downtime due to a virus got in on some old unpatched windows 2000 machines and then proceeded to wreak havok.
3) SQL injection isn't that hard to prevent. Seriously.
Granted none of that is enough to conclusively say that Kaspersky is a terrible product, the virus may very well have happened with Trend Micro as well, but as an end user my first impressions are less than positive.
Since I don't have mod points... Just so you know, you're absurdly offtopic, and you're both wrong.
Linux can't prevent a SQL injection attack. Not writing shitty software prevents SQL injection attacks, no matter what OS you're on.
Linux is ready for the desktop, and is likely still easier to install than Windows. But the desktop is even less relevant to a discussion about a server-side SQL injection attack.
Don't thank God, thank a doctor!
No. Escaping is error-prone as you will invariably fail to escape some special character you don't know about. The right way to fix SQL injection is to use parametrized queries.