Security Flaw Hits VAserv; Head of LxLabs Found Hanged
Keldrin_1 writes "The discovery of 24 security vulnerabilities may have contributed to the death of the chief of LxLabs. A flaw in the company's HyperVM software allowed data on 100,000 sites, all hosted by VAserv, to be destroyed. The HyperVM solution is popular with cheap web hosting services and the attacks are easy to reproduce, which could lead to further incidents."
Had been posited for about 2-3 years now. It is actually amazing that this was such a brutal attack.
The dangers of these attacks had always been stealth-related, because it is nearly impossible for the machine to SEE the VM manager. Which makes these things even more dangerous than rootkits.
http://timesofindia.indiatimes.com/Bangalore/Techie-hangs-himself-in-HSR-Layout-/articleshow/4633101.cms
Sounds like the guy needed some more help than he got to get to grips with his personal situation. Anyway ...
The flaws include SQL injection vulnerabilities and flaws that create a way for hackers to gain file access to files hosted on a vulnerable system.
There is no excuse for SQL Injection vulnerabilities these days. The problem is well known and publicised, the solutions are well documented. This is a problem that is solved by altering how you code, and that results in neater code with fewer errors. If you can't use prepared/parameterised statements and insist on building SQL command strings out of user-supplied data, then ... well, err, I can't say "you deserve to hang" in this case, can I?
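The point made above, as an added example that is not part of the original thread and is not HyperVM or LxLabs code: the same lookup written once by splicing user input into the SQL string and once as a parameterised query, run against an in-memory SQLite database (the `vps` table, its rows and the attacker input are constructed for this example) so the difference is observable.

```python
"""Added example: string-built SQL versus a parameterised statement.
Not from the story or from any LxLabs product; the table, rows and
attacker input are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny "vps" table standing in for a hosting
    # control panel's database (hypothetical schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vps (id INTEGER PRIMARY KEY, owner TEXT, host TEXT)")
    conn.executemany(
        "INSERT INTO vps (owner, host) VALUES (?, ?)",
        [("alice", "vps01"), ("bob", "vps02"), ("carol", "vps03")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, owner: str) -> list:
    # DON'T: user-supplied text becomes part of the SQL grammar, so a quote
    # in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT host FROM vps WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, owner: str) -> list:
    # DO: the value travels out-of-band as a bound parameter; whatever it
    # contains, it is compared as data and never parsed as SQL.
    sql = "SELECT host FROM vps WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Constructed attacker input: closes the literal and appends a tautology.
ATTACK = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups with an honest owner name and with the attack string."""
    conn = make_db()
    return {
        "honest_vulnerable": vulnerable_lookup(conn, "alice"),
        "honest_safe": safe_lookup(conn, "alice"),
        "attack_vulnerable": vulnerable_lookup(conn, ATTACK),  # every row leaks
        "attack_safe": safe_lookup(conn, ATTACK),              # no such owner
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the honest input both functions return the same single row; with the attack string the string-built query returns every host in the table while the parameterised one returns nothing, because the driver looks for an owner literally named `x' OR '1'='1`. The same discipline (placeholders plus bound values) applies to every driver and ORM, and it is the only change needed to close this class of bug.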
TFA: "Ligesh [from LxLabs] was also still coming to terms with the suicides by hanging of his sister and mother five years ago."
I suspect that this was the result of a lot of bad things going on in his life, and not just because of the software issues.
WTB [sig], PST!!!
The guy's pic
http://i41.tinypic.com/zjdqgy.jpg
RIP
I have very mixed feelings on security firms releasing exploits to the public just to try and get results. In my (admittedly limited) experience, more bad has come from releasing exploits publicly than good.
-JJS
But once you've informed the supplier, and allowed enough time for a fix to be created, tested, rolled into a patch, QAed, released to clients and tested+installed by clients, what other alternative is there? Quietly forgetting about it and just hoping that you are the only people who know about the issue and no black-hats out there will find it is simply not an option.
Request: Please no one post links to the VAserv status page. The last thing we need is to /. them right now. Customers have been emailed the URL and we are the only ones who really need to see it (plus it isn't very interesting).
VAserv have emailed customers to say they will be taken over by BlueSquare (where they do most of their hosting anyway). Probably the best option given the scale of the attack.
I've got one apparently deleted VPS and one still running. The whole situation is terribly frustrating. However I don't think the lack of information coming from VAserv is due to a lack of effort on their part.
five years ago, not a few months.
"While suicide should never be celebrated, there's a certain honor in doing it as a result of professional failure."
It can be the ultimate apology. While your post will be modded Troll, other societies see things differently. Seppuku, anyone?
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Yes, I meant hanged. Sorry, English is not my first language.
There is only so much due diligence you can do if their claims are not true.
Phillip.
Property for sale in Nice, France
Genes that bring defects that don't affect an individual before its main reproductive period tend to survive more easily. So say a gene defect that kills you the day you are 40, especially for females, will propagate more easily than one that kills you at 10, because you've reproduced and passed those genes on by that time.
There is still an advantage to surviving after the age of reproduction in a species with longer childhood cycles or one where the grandparents care for the offspring of their offspring (aka their grandchildren). This advantage is lessened because of gene dilution and its (usually) lesser importance compared to straight reproduction, but still, if humans mostly reproduce around 15-20 years old (historically), around where they reach maturity, then surviving till at least 40 is an advantage because of more care for the offspring up till maturity. For grandchildren, the age can be up to 60 in the same context.
Species with communal care for offspring are also advantaged by members who survive longer, because they get more individuals to care for the offspring, but then the dilution is even more significant.
So I can see how a gene that brings higher suicide rates of mature subjects can survive for a while, even though it is detrimental.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
It doesn't matter; the point of a disaster recovery backup (or plan) is not to protect your clients against accidentally deleting files, but to protect you (and them) from events that are completely outside of your control.
Who says they didn't have a disaster recovery plan? The issue at hand for many of the sites that have no backups at all for their data is because they chose a plan that explicitly stated that it was unmanaged and that VAserv wasn't going to back up the data for you.
How does a genetic predisposition for suicide propagate...?
Genetically...?