Slashdot Mirror
Kaspersky Customer Database Exposed
secmartin writes "A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."
Our IT department switched us from trend micro to Kaspersky a few months ago. I haven't done any research on the merits or drawbacks of either, but what I do know is this:
1) On our ancient desktop machines (Think 1.8ghz pentium 4's with 512 megs of ram) performance is a lot worse now than before we switched.
2) Since the switch we've had some pretty serious downtime due to a virus got in on some old unpatched windows 2000 machines and then proceeded to wreak havok.
3) SQL injection isn't that hard to prevent. Seriously.
Granted none of that is enough to conclusively say that Kaspersky is a terrible product, the virus may very well have happened with Trend Micro as well, but as an end user my first impressions are less than positive.
Who cares if some forums are hacked?
For that matter, even if they get a customer's account data, the damage is limited if good credit-monitoring is in place.
I'd be more worried about the update servers being hacked and millions of us downloading bogus updates.
Since I don't have mod points... Just so you know, you're absurdly offtopic, and you're both wrong.
Linux can't prevent a SQL injection attack. Not writing shitty software prevents SQL injection attacks, no matter what OS you're on.
Linux is ready for the desktop, and is likely still easier to install than Windows. But the desktop is even less relevant to a discussion about a server-side SQL injection attack.
Don't thank God, thank a doctor!
The trolls, do not feed them.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
I've been "borrowing" our company's corporate AV sw that doesn't require registration and has perpetual license for the past 10 years... Then 6 months ago I decided to go legal and spent $70 for 3 user license. I paid with my credit card, registered with my email address and now this! Never again :)
That's because the gaping backdoors are in Apple users, not in Apple software.
No. Escaping is error-prone as you will invariably fail to escape some special character you don't know about. The right way to fix SQL injection is to use parametrized queries.
I've never fucked a girl, but I hope to, someday. Somehow.
There, I fixed that for you.
Great timing eh?
Judging from the table names in the article, it looks like they are maintaining virtually all of their data in a single database hosted on a machine that is connected to the Internet and accessible by anyone. This is a grave mistake in my opinion, regardless of whether they are using 3rd party software or not.
python>>> q="'";s='q="%c";s=%c%s%c;print s%%(q,q,s,q)';print s%(q,q,s,q)
So, the standard way of programatically querying databases, which is easier than building and escaping your own queries, and which makes you completely immune to SQL injection, is generally unavailable in a very popular combination of website technologies?
WTF?
Repton.
They say that only an experienced wizard can do the tengu shuffle.
Comment removed based on user account deletion
Kaspersky outsources almost all (if not all) their ecommerce. They would have little or no credit card info in their customer database.
Overall, according to the testing agencies, it's a pretty decent AV with very high detection rates - almost always in the top five or ten.
It's administration over a network is pretty complicated, using its Administration Kit. The basics aren't hard, but it's a very complicated product with a high degree of customization possible which makes administering it hard.
It does have a bad problem with false positives - it seems to want to tag any exe encapsulated in an archive as a "trojan". I had a bunch of utilities for unattended installs of Windows sitting around and it went wild tagging a lot of them as "trojans" - even though most are well known utilities used for installing or slipstreaming Windows, and if any of them had trojans, somebody would have caught that by now. This is a know issue with KAV and apparently they're not doing much to correct it, according to comments on their forums.
But ALL the virus engines these days are behind the curve of actual viruses in the wild - so it's no surprise that the occasional virus gets through. One got through on one of my client machines a week or two ago without being spotted by either KAV or Spyware Terminator. A very nasty one, too, that was almost a rootkit - took me some hours to fully get rid of it. Downloaded from a hostile Web site by one of the staff accidentally, I think, since the client has a hardware firewall in front of the network.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I can't count number of time I've recommended usage of mod_security in order to prevent these types of crap.
I can count, though, number of times people implemented it: 0.
The blog post you linked to validates my statement: if parametized queries are not used by a stored procedure, then the code calling that procedure is vulnerable to SQL injection. Duh!
So, the standard way of programatically querying databases, which is easier than building and escaping your own queries, and which makes you completely immune to SQL injection, is generally unavailable in a very popular combination of website technologies?
Repton, you missed the part about the mysqli extension. A lot of functionality in PHP have been moved out into extensions. Enabling them is as easy as modifying the .ini file.
I know that the poster above you was whining about it not being available on servers, but to be honest, I've never run into any (credible, reliable) hosting service that doesn't already have it enabled.
And hell - if it is something that is good to have, why pick a host that doesn't have it?
Love sees no species.
Guess what: one way of implementing parametrized queries is through automatic escaping!
It's a slow way of doing it though, since the database engine will need to reparse the statement from scratch each time. Far better to use a real parameterized query when the engine can cache a compiled form. (A performance boost and more security at the same time? Win-win! What's not to like?)
"Little does he know, but there is no 'I' in 'Idiot'!"
Linux is awfull crap on desktop IF you need to be productive,
Having used all three extensively, I can say with confidence that I was at my most productive on KDE 3, on Kubuntu Hardy.
Let me define "extensively". In college, I mostly used Linux on the desktop, and OS X (Tiger) on a Powerbook. I didn't mind OS X much, but I wasn't trying to do much with it, either -- taking notes in vim is about as productive in either case, as is writing a paper in OpenOffice.
For my most recent job, I started out using Windows exclusively, as it was HD-DVD. It wasn't fun to use Windows, but there really wasn't a choice -- it took a delicate balance to get Microsoft's HDiSim to work (Windows XP, not 2K or Vista; Media Player 10, not 9 or 11...) and my few experiments with Wine and virtual machines didn't go anywhere. So I used Eclipse, with Visual Studio .NET to debug, Firefox for web browsing, etc.
After that was web development, in Ruby on Rails. I immediately booted over to the Linux partition I was keeping on that machine, and ran that exclusively until that laptop died.
When it did, the only real choice was to borrow an OS X machine (an iMac), running Leopard, and get to work. And that was a love-hate relationship. So many things done right, but so many simple things, day after day, that infuriated me -- the biggest being lack of keyboard shortcuts/navigation, and lack of sloppy focus. Less than two weeks until I got a new Dell with Ubuntu on it.
The difference was profound -- I hadn't seen it as clearly illustrated before. Just simple things like having a keystroke to pack windows around, not to mention a package manager that doesn't suck.
So, your mileage may vary, but I am definitely at my most productive on Linux -- unfortunately, it can still access Slashdot, so there is that...
as a professional web dev, i get spooked if i have to use Linux as my workstation, most of the software i need is not there.
Are you a .NET developer, or are you referring to some amazing new tools I hadn't heard of?
Firefox runs on Linux. Firebug runs on Firefox. Ruby also runs on Linux, and Rails runs pretty much anywhere Ruby will. My favorite text editors (Kate and Vim) run on Linux.
The only irritation is that everyone and their dog seems to have latched onto these TextMate URLs in error messages. These are very cool, but I haven't gotten them working with things other than TextMate yet.
Don't thank God, thank a doctor!