Slashdot Mirror


Kaspersky Customer Database Exposed

secmartin writes "A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."

7 of 175 comments

  1. Re:Secure? Sure. by Sir_Lewk · · Score: 3, Insightful

    The trolls, do not feed them.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  2. Re:Great by aymanh · · Score: 4, Insightful

    Judging from the table names in the article, it looks like they are maintaining virtually all of their data in a single database hosted on a machine that is connected to the Internet and accessible by anyone. This is a grave mistake in my opinion, regardless of whether they are using 3rd party software or not.

    --
    python>>> q="'";s='q="%c";s=%c%s%c;print s%%(q,q,s,q)';print s%(q,q,s,q)
  3. Re:Secure? Sure. by Anonymous Coward · · Score: 1, Insightful

    Rather, a pathway for semen ejection.

    Whoosh? Maybe.

  4. Re:Awesome by kiwirob · · Score: 2, Insightful

    It can't be too hard to isolate the physical database servers behind a reasonably secure firewall.

    Have a web server communicate through a proprietary communications layer, possibly XML, to a dual homed intermediary server behind a firewall which in turn accesses the database server on a local network. No direct net access for the DB server and the intermediary dual homed server simply runs a minimal config and firewall to only accept inbound connections from the web server.

    So it's impossible for any direct SQL statements to get to the Database Server without passing through your communications layer, which of course has sufficient integrity checking to ensure no field overruns or unintended access is permitted.

    Sure it adds to the complexity but this company earns millions in revenue and is in the "security" business so they should have their house in order.

  5. Re:Secure? Sure. by Anonymous Coward · · Score: 1, Insightful

    And apparently there's no possible way that Mark Twain actually said that. As in he never read that passage and paraphrased it into the quote that was mentioned.

    Fucking fundie. Go stone some gay people.

  6. Re:Awesome by Anonymous Coward · · Score: 5, Insightful

    Of course it is! With nuke plants you're merely talking about human lives. With casinos, well, there you're talking about money.

    With nuke plants, the only real motive for breaking the security from outside is for infrastructure disruption and terrorism.

    With casinos, the motive is the millions of dollars in cash moving around.

    There are far more greedy people than there are violent mass murderers.

    A man who gets bitten by a hundred stinging gnats a day will be more diligent about swatting insects than a man who sees a tsetse fly every five or six years. No matter that that one tsetse may be far more dangerous than the gnats could ever be.

  7. Re:oh well... by this+great+guy · · Score: 3, Insightful

    The blog post you linked to validates my statement: if parameterized queries are not used by a stored procedure, then the code calling that procedure is vulnerable to SQL injection. Duh!
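The point this reply makes, as an added example that is not part of the thread: a Python/sqlite3 stand-in for a stored procedure that assembles its query by string concatenation, next to the same lookup with a bound parameter. The users table, its rows and the function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny in-memory users table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "carol", "carol@example.com")],
    )
    return conn

def lookup_dynamic(conn, name):
    # Mirrors a stored procedure that builds its SQL text by concatenation:
    # whatever the caller passes becomes part of the statement itself, so a
    # single quote in the input changes the query's structure.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Same lookup with a bound parameter: the input is handed to the engine
    # as data, so it can only ever be compared against the name column.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def compare(name):
    # Run both variants on the same input and return (dynamic, parameterized).
    conn = build_db()
    try:
        return lookup_dynamic(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()
```

For a well-formed name both variants return the same single row; for input containing a quote the concatenating version's result set no longer depends on the name column at all, while the parameterized version simply finds no match.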