Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kaspersky Customer Database Exposed

Posted by timothy on from the which-is-not-a-new-mtv-show dept.

secmartin writes "A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."

5 of 175 comments (clear)

  1. What about the update servers? by Anonymous Coward · · Score: 5, Interesting

    Who cares if some forums are hacked?

    For that matter, even if they get a customer's account data, the damage is limited if good credit-monitoring is in place.

    I'd be more worried about the update servers being hacked and millions of us downloading bogus updates.

  2. Re:Awesome by JeanBaptiste · · Score: 3, Interesting

    I've worked in secure environments (several different nuke plants, and several different casinos), where things were truly off the net.

    That said, with something like customer data for Kaspersky, it's impractical to have this data isolated in that manner. For starters, people buy and sell this product over the internet. Right there, you have to have an interface into your database from a remotely accessed client. Also I'd imagine Kaspersky has offices in many different countries and while I'm sure VPNs and such help, the computers trading the valuable data are still on the internets. The more I think about it, the more I think that what you propose would be impossible for most companies to implement.

    I'm all for more security though, most places don't error on the side of caution. Nuke plants tend to (and actually security it generally even 'tougher' at casinos)...

  3. Re:Awesome by VoxMagis · · Score: 5, Interesting

    Really?

    Since switching several companies from other products to Kaspersky...

    No viruses have crept through the systems - none.

    We had one brief period of downtime on one customer related to a bad configuration of the admin server (my fault, still I guess it could have been clearer).

    Performance is overall quite good, even on older machines. On newer machines, people don't even notice that it's running.

    I admit though, I'm irritated about the issue of the original post, which has NOTHING to do with the product itself. Sounds to me like their entire web dev team needs a serious overhaul, or at least a few more night classes at the local community college ;)

    --
    -- I really need to bleed off some of this /. karma.
  4. Re:oh well... by Repton · · Score: 4, Interesting

    So, the standard way of programatically querying databases, which is easier than building and escaping your own queries, and which makes you completely immune to SQL injection, is generally unavailable in a very popular combination of website technologies?

    WTF?

    --
    Repton.
    They say that only an experienced wizard can do the tengu shuffle.
  5. Re:Awesome by Bill,+Shooter+of+Bul · · Score: 4, Interesting

    If you can't prevent sql injection, do you think you'll be able to properly design a communication layer that prevents it as well? Not validating inputs is not validating inputs.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.