Kaspersky Customer Database Exposed
secmartin writes "A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."
They shoulda used a secure OS.
Kaspersky? Not readin' TFA, sorry.
Yeah, check dis out, this is O.G.L.B,
Knoamsayin? Im on my little O.G.
-- Warren G --
And he just droppin this to let you B.G.'s know
Whas happen, y'all got to recognize
Cause this is -- y'know -- a Long Beach thang.
21st street, but check this out,
And handle that shit now?
Yeah.
Eat horseshit jewish niggers /godwin
Here's the reference, for those who still haven't seen it:
http://xkcd.com/327/
Linux just isn't ready for the desktop yet. It may be ready for the web servers that you nerds use to distribute your TRON fanzines and personal Dungeons and Dragons web-sights across the world wide web, but the average user isn't going to spend months learning how to use a CLI and then hours compiling packages so that they can get a workable graphic interface to check their mail with, especially not when they already have a Windows machine that does its job perfectly well and is backed by a major corporation, as opposed to Linux which is only supported by a few unemployed nerds living in their mother's basement somewhere. The last thing I want is a level 5 dwarf (haha) providing me my OS.
Doh!
I use plain CSV text files, you insensitive clods!
Our IT department switched us from trend micro to Kaspersky a few months ago. I haven't done any research on the merits or drawbacks of either, but what I do know is this:
1) On our ancient desktop machines (think 1.8 GHz Pentium 4s with 512 megs of RAM) performance is a lot worse now than before we switched.
2) Since the switch we've had some pretty serious downtime due to a virus that got in on some old unpatched Windows 2000 machines and then proceeded to wreak havoc.
3) SQL injection isn't that hard to prevent. Seriously.
Granted, none of that is enough to conclusively say that Kaspersky is a terrible product; the virus may very well have happened with Trend Micro as well, but as an end user my first impressions are less than positive.
Who cares if some forums are hacked?
For that matter, even if they get a customer's account data, the damage is limited if good credit-monitoring is in place.
I'd be more worried about the update servers being hacked and millions of us downloading bogus updates.
I just switched to Kaspersky last night, after my McAfee subscription expired. "Haxor et Machina?"
http://www.aaronrogier.net
Awesome, in a small amount of time 3 of the services I use have all had their information compromised.
Can't wait to have the rest of them owned.
Also, shouldn't a company whose focus is security make sure they don't have a problem with such things as, oh I don't know... SQL injection?
Romanians at their best...
I've been "borrowing" our company's corporate AV sw that doesn't require registration and has a perpetual license for the past 10 years... Then 6 months ago I decided to go legal and spent $70 for a 3-user license. I paid with my credit card, registered with my email address and now this! Never again :)
i shit out an obama.
It seems someone needs to add backslashes to their SQL statements...
Great timing eh?
Obligatory XKCD link incoming in 3... 2... 1...
http://xkcd.com/327/
I get 100 mbit fiber for $65/mo in a small town in Iowa.
:-)
What carrier is that? (Assuming that is 100 Mbps, not a cap
This issue is a bit more complicated than you think.
EOM
Kaspersky outsources almost all (if not all) their ecommerce. They would have little or no credit card info in their customer database.
Overall, according to the testing agencies, it's a pretty decent AV with very high detection rates - almost always in the top five or ten.
Its administration over a network is pretty complicated, using its Administration Kit. The basics aren't hard, but it's a very complicated product with a high degree of customization possible, which makes administering it hard.
It does have a bad problem with false positives - it seems to want to tag any exe encapsulated in an archive as a "trojan". I had a bunch of utilities for unattended installs of Windows sitting around and it went wild tagging a lot of them as "trojans" - even though most are well known utilities used for installing or slipstreaming Windows, and if any of them had trojans, somebody would have caught that by now. This is a known issue with KAV and apparently they're not doing much to correct it, according to comments on their forums.
But ALL the virus engines these days are behind the curve of actual viruses in the wild - so it's no surprise that the occasional virus gets through. One got through on one of my client machines a week or two ago without being spotted by either KAV or Spyware Terminator. A very nasty one, too, that was almost a rootkit - took me some hours to fully get rid of it. Downloaded from a hostile Web site by one of the staff accidentally, I think, since the client has a hardware firewall in front of the network.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Since when was it supposed to be legal to do this? This hacker should be thrown in the slammer. What the hell is this world coming to when you blame the vendor/sql/whatever-else when a "user" intentionally performs a malicious attack for whatever reason? This guy is a criminal and no better than any of the virus and malware writers out there. Do any of you have a clue as to how much these cyber-criminals actually cost the rest of us? Here's a partial answer: More than I want to pay.
I can't count the number of times I've recommended using mod_security in order to prevent these types of crap.
I can count, though, the number of times people implemented it: 0.
String escapeQuotes(String s) {
    if (s == null) { s = ""; }
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < s.length(); i++) {
        char c = s.charAt(i);
        // Single quote, backtick, double quote (0x22, not decimal 22) and percent
        // are replaced by '%' followed by their two-digit hex code.
        if (c == 0x27 || c == 0x60 || c == 0x22 || c == '%') {
            sb.append('%');
            sb.append(Character.forDigit(c / 16, 16));
            sb.append(Character.forDigit(c % 16, 16));
        } else {
            sb.append(c);
        }
    }
    return sb.toString();
}
That wasn't difficult, was it now? Did I miss any characters?
I'm so very glad I got our company to use Avast.
I am always saddened when I see a screen shot from a "hacker" and it is windows :(
Huzzah! For the Bolshevism of Lenin and Trotsky! Smash capitalism with international socialist revolution!
It doesn't matter if this happened. Because the security you get by buying and installing Kaspersky is that they add you to the Russian mafia's exceptions list. So you buy your freedom, sort of. It's like a bar owner buying off the local mafia. Protection money!
...bad presence. Having worked for them for a year, this incident doesn't surprise me. The product is fantastic and developed almost exclusively in Russia. I almost pity the support folks, as typically they would end up having a new version dropped into their laps without any notification or training. More often than not they would find out about a new release when they went to the website and found it listed as available. However, the U.S. office is scrambling to gain a business foothold and went from a small group doing fantastic work to a larger one that's run by managers that have little to no concept of the actual product or how it works. The conversion from "geeks in the know" to "we're run by PHBs" is never easy and they've lost a lot of great talent. I knew what the writing on the wall looked like when they dumped 10k of support emails because they lacked the support staff to handle them and were getting tired of the complaints. To summarize for Kaspersky, despite everything 1980's cinema taught you: US=Bad Russia=Good
Could this be Kapersky?
Everybody uses broad generalizations.
1) Maybe you meant mysql_real_escape_string()?
Or perhaps mysql_genuine_escape_string_really_no_kidding_this_time().
2) Just adding \ in front of ' doesn't help you if the attacker puts \ in the parameters.
Lastly, my suggestion is to avoid PHP if you can. Though you can quickly do half-baked stuff with PHP it's a real pain and more work to do things properly compared to better designed languages.
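As an added example (not code posted in this thread), the Python/sqlite3 snippet below puts the hex-escaping idea from the escapeQuotes comment beside plain string concatenation and a bound parameter, on a constructed two-row table; it also shows the point of the mysql_real_escape_string reply, that escaping rewrites legitimate data and has to know every character the database treats specially, while binding does not. The sqlite3 in-memory database and the sample rows are assumptions.

```python
import sqlite3

# Constructed sample rows; not Kaspersky's schema or data.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def hex_escape(s):
    """Port of the Java escapeQuotes idea: ' ` \" and % become %xx.
    It leaves backslash alone, which MySQL treats as an escape character,
    so on MySQL this list of characters would be incomplete."""
    return "".join("%%%02x" % ord(c) if c in "'`\"%" else c for c in s)


def lookup_concat(conn, username):
    """Vulnerable: the value is pasted into the SQL text, so a quote
    character inside it is parsed as SQL rather than as data."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, username):
    """Hardened: the driver binds the value separately from the SQL text."""
    sql = "SELECT email FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"  # closes the quoted literal in the concat query
    return {
        "concat": lookup_concat(conn, tautology),                     # every row leaks
        "concat_escaped": lookup_concat(conn, hex_escape(tautology)), # no rows
        "param": lookup_param(conn, tautology),                       # no rows
        # Escaping changes real data: o'brien no longer equals itself in the table.
        "escaped_name": hex_escape("o'brien"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```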
Little Johnny Tables strikes again.
I don't think they secured the site, I just think they can't detect the intrusion anymore, because it is now hiding in a device driver that correlates to a process and they can't even see it!!! Networkers do not know programming, and programmers do not know networking, and rarely do the two sides speak!!! The only way to really be sure is to look at the original programming ...you think they will admit they don't know how to do it??
Score one for OLD SCHOOL!!!!
http://hackersblog.org/2009/02/09/hackedbitdefender-portugal-exposes-sensitive-customer-data/
And these are the same people claiming great security for my pc, because they know how to handle threats. If they can't even write good web code for their site, my guess is they don't for their products either.