Slashdot Mirror


Kaspersky Customer Database Exposed

secmartin writes "A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."

9 of 175 comments

  1. What about the update servers? by Anonymous Coward · · Score: 5, Interesting

    Who cares if some forums are hacked?

    For that matter, even if they get a customer's account data, the damage is limited if good credit-monitoring is in place.

    I'd be more worried about the update servers being hacked and millions of us downloading bogus updates.

  2. Re:Awesome by JeanBaptiste · · Score: 3, Interesting

    I've worked in secure environments (several different nuke plants, and several different casinos), where things were truly off the net.

    That said, with something like customer data for Kaspersky, it's impractical to have this data isolated in that manner. For starters, people buy and sell this product over the internet. Right there, you have to have an interface into your database from a remotely accessed client. Also I'd imagine Kaspersky has offices in many different countries and while I'm sure VPNs and such help, the computers trading the valuable data are still on the internets. The more I think about it, the more I think that what you propose would be impossible for most companies to implement.

    I'm all for more security though, most places don't err on the side of caution. Nuke plants tend to (and actually security is generally even 'tougher' at casinos)...

  3. Re:Awesome by VoxMagis · · Score: 5, Interesting

    Really?

    Since switching several companies from other products to Kaspersky...

    No viruses have crept through the systems - none.

    We had one brief period of downtime on one customer related to a bad configuration of the admin server (my fault, still I guess it could have been clearer).

    Performance is overall quite good, even on older machines. On newer machines, people don't even notice that it's running.

    I admit though, I'm irritated about the issue of the original post, which has NOTHING to do with the product itself. Sounds to me like their entire web dev team needs a serious overhaul, or at least a few more night classes at the local community college ;)

    --
    -- I really need to bleed off some of this /. karma.

  4. Re:oh well... by Repton · · Score: 4, Interesting

    So, the standard way of programmatically querying databases, which is easier than building and escaping your own queries, and which makes you completely immune to SQL injection, is generally unavailable in a very popular combination of website technologies?

    WTF?

    --
    Repton.
    They say that only an experienced wizard can do the tengu shuffle.

  5. Re:oh well... by Anonymous Coward · · Score: 0, Interesting

    The right way to fix SQL injection is to use parametrized queries.

    Huh?

  6. Re:Awesome by Anonymous Coward · · Score: 2, Interesting

    Prepared statements are not exclusive to Java.
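The point made across comments 4 to 6 (build the query with placeholders instead of escaping strings yourself, and this works outside Java too) is easy to see side by side. The following is an added example, not code from the story or from any commenter, using Python's standard sqlite3 module against a constructed in-memory table that has nothing to do with Kaspersky's real schema. The string `x' OR '1'='1` is the textbook illustration of why concatenation fails: with a parametrized query the same string is just a username that matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "customer"), ("bob", "hash-b", "reseller")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Query text assembled by string formatting.

    Whatever the caller passes is spliced into the SQL, so quote characters
    in the input change the structure of the statement.  This is the 'before'
    that the thread is complaining about.
    """
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parametrized(conn, username):
    """Same lookup with a placeholder (the '?' style sqlite3 accepts).

    The SQL text is fixed; the value travels separately and is bound by the
    driver, so it is compared as data and never parsed as SQL.  Every major
    database driver offers an equivalent (e.g. %s in psycopg2, ? in JDBC).
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a benign and a hostile username; return the rows."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # closes the quote and appends an always-true clause
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "param_benign": lookup_parametrized(conn, benign),
        "param_hostile": lookup_parametrized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function returns every row for the hostile input because the condition became `username = 'x' OR '1'='1'`; the parametrized one returns an empty list because no user is literally named `x' OR '1'='1`. No escaping code is needed, which is exactly Repton's point about this being the easier path.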

  7. Re:Awesome by Bill, Shooter of Bul · · Score: 4, Interesting

    If you can't prevent sql injection, do you think you'll be able to properly design a communication layer that prevents it as well? Not validating inputs is not validating inputs.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.

  8. Re:Awesome by Anonymous Coward · · Score: 1, Interesting

    Actually it could be fairly trivial to move most customer information off the internet facing computers.

    Let's say I fill in a complete registration form (name, address, phone, etc). Shortly after registration most of this personal information could be moved via a one-way process to a non-web facing database. The only thing that needs to remain on the web facing database would be login credentials and maybe product purchase history. As long as email addresses are not used for usernames the information would be pretty useless to hackers.

    The data stored on the "internal" database could still be accessed internally via the internet over VPN or other secure means.

    The point being that it should be fairly easy to make the personal information of your customers completely inaccessible by someone hacking your public websites.

  9. Re:Secure? Sure. by SanityInAnarchy · · Score: 2, Interesting

    Linux is awful crap on desktop IF you need to be productive,

    Having used all three extensively, I can say with confidence that I was at my most productive on KDE 3, on Kubuntu Hardy.

    Let me define "extensively". In college, I mostly used Linux on the desktop, and OS X (Tiger) on a Powerbook. I didn't mind OS X much, but I wasn't trying to do much with it, either -- taking notes in vim is about as productive in either case, as is writing a paper in OpenOffice.

    For my most recent job, I started out using Windows exclusively, as it was HD-DVD. It wasn't fun to use Windows, but there really wasn't a choice -- it took a delicate balance to get Microsoft's HDiSim to work (Windows XP, not 2K or Vista; Media Player 10, not 9 or 11...) and my few experiments with Wine and virtual machines didn't go anywhere. So I used Eclipse, with Visual Studio .NET to debug, Firefox for web browsing, etc.

    After that was web development, in Ruby on Rails. I immediately booted over to the Linux partition I was keeping on that machine, and ran that exclusively until that laptop died.

    When it did, the only real choice was to borrow an OS X machine (an iMac), running Leopard, and get to work. And that was a love-hate relationship. So many things done right, but so many simple things, day after day, that infuriated me -- the biggest being lack of keyboard shortcuts/navigation, and lack of sloppy focus. Less than two weeks until I got a new Dell with Ubuntu on it.

    The difference was profound -- I hadn't seen it as clearly illustrated before. Just simple things like having a keystroke to pack windows around, not to mention a package manager that doesn't suck.

    So, your mileage may vary, but I am definitely at my most productive on Linux -- unfortunately, it can still access Slashdot, so there is that...

    As a professional web dev, I get spooked if I have to use Linux as my workstation; most of the software I need is not there.

    Are you a .NET developer, or are you referring to some amazing new tools I hadn't heard of?

    Firefox runs on Linux. Firebug runs on Firefox. Ruby also runs on Linux, and Rails runs pretty much anywhere Ruby will. My favorite text editors (Kate and Vim) run on Linux.

    The only irritation is that everyone and their dog seems to have latched onto these TextMate URLs in error messages. These are very cool, but I haven't gotten them working with things other than TextMate yet.

    --
    Don't thank God, thank a doctor!