Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kaspersky Customer Database Exposed

Posted by timothy on from the which-is-not-a-new-mtv-show dept.

secmartin writes "A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."

10 of 175 comments (clear)

  1. Awesome by Anonymous Coward · · Score: 5, Informative

    Our IT department switched us from trend micro to Kaspersky a few months ago. I haven't done any research on the merits or drawbacks of either, but what I do know is this:

    1) On our ancient desktop machines (Think 1.8ghz pentium 4's with 512 megs of ram) performance is a lot worse now than before we switched.

    2) Since the switch we've had some pretty serious downtime due to a virus got in on some old unpatched windows 2000 machines and then proceeded to wreak havok.

    3) SQL injection isn't that hard to prevent. Seriously.

    Granted none of that is enough to conclusively say that Kaspersky is a terrible product, the virus may very well have happened with Trend Micro as well, but as an end user my first impressions are less than positive.

    1. Re:Awesome by sqlrob · · Score: 5, Informative

      4) What were these doing accessible on a net facing computer? You can't hack what's not there.

    2. Re:Awesome by VoxMagis · · Score: 5, Interesting

      Really?

      Since switching several companies from other products to Kaspersky...

      No viruses have crept through the systems - none.

      We had one brief period of downtime on one customer related to a bad configuration of the admin server (my fault, still I guess it could have been clearer).

      Performance is overall quite good, even on older machines. On newer machines, people don't even notice that it's running.

      I admit though, I'm irritated about the issue of the original post, which has NOTHING to do with the product itself. Sounds to me like their entire web dev team needs a serious overhaul, or at least a few more night classes at the local community college ;)

      --
      -- I really need to bleed off some of this /. karma.
    3. Re:Awesome by Nethead · · Score: 5, Funny

      AC: Fox news says you can hack a computer wirelessly. I believe a trusted news source way more than a nerd like you.

      Isn't 'Fair and Balanced' a router setting?

      --
      -- I have a private email server in my basement.
    4. Re:Awesome by Anonymous Coward · · Score: 5, Insightful

      Of course it is! With nukes plants your merely talking about human lives. With casinos; well, there your talking about money.

      With nuke plants, the only real motive for breaking the security from outside is for infrastructure disruption and terrorism.

      With casinos, the motive is the millions of dollars in cash moving around.

      There are far more greedy people than there are violent mass murderers.

      A man who gets bitten by a hundred stinging gnats a day will be more diligent about swatting insects than a man who sees a tsetse fly every five or six years. No matter that that one tsetse may be far more dangerous than the gnats could ever be.

    5. Re:Awesome by Poltras · · Score: 5, Funny

      Prepared statements are not exclusive to Java.

      Shhh... He's a Java programmer, don't tell him there are other languages out there, he's gonna screw them up.

      --
      Of Code And Men
    6. Re:Awesome by Anonymous Coward · · Score: 5, Funny

      I work in a secure environment (along the line of a massive casino)

      A bank, I presume?

  2. What about the update servers? by Anonymous Coward · · Score: 5, Interesting

    Who cares if some forums are hacked?

    For that matter, even if they get a customer's account data, the damage is limited if good credit-monitoring is in place.

    I'd be more worried about the update servers being hacked and millions of us downloading bogus updates.

  3. Re:Secure? Sure. by SanityInAnarchy · · Score: 5, Informative

    Since I don't have mod points... Just so you know, you're absurdly offtopic, and you're both wrong.

    Linux can't prevent a SQL injection attack. Not writing shitty software prevents SQL injection attacks, no matter what OS you're on.

    Linux is ready for the desktop, and is likely still easier to install than Windows. But the desktop is even less relevant to a discussion about a server-side SQL injection attack.

    --
    Don't thank God, thank a doctor!
  4. Re:oh well... by this+great+guy · · Score: 5, Informative

    No. Escaping is error-prone as you will invariably fail to escape some special character you don't know about. The right way to fix SQL injection is to use parametrized queries.