Smug mode engaged
Anti-virus provider Kaspersky Lab on Monday moved to reassure customers that none of their personal information was accessed during a 10-day security lapse that exposed a database used to run a support site for its US users. The company also apologized for the blunder and said it was bringing in database security expert David …
I must say the lads at Kaspersky take the prize. On usa.kaspersky.com they are now reporting a heroic and successful defence against a hacker attack. Chuckles all around. But I guess they don't even take themselves seriously. Perhaps they should hire some good security experts ... knock on the door in Redmond ... there's sure to be someone there to help them. *G*
your code also means outsourcing your security.
Asking the lowest bidder to code up a new part of your web site may look good on this quarter's balance sheet. However, next quarter, when you have to explain why all your users' credit cards are owned by a gang in Nigeria, it may not look so good.
Pirate flag as that's who owns your web site now.
This is what Kaspersky users really needed to hear and that the independent audit is happening. Hope the audit goes beyond just SQL injection risks.
Probably a positive side to users from this hack - no doubt quite a few users will have deserted Kaspersky for other vendors, so that means that the support desk should now be able to reply quicker than 2 weeks to a user query!!!
I won't even try to pretend I'm a web guru, but I've done a bit of web programming, mostly as a hobby for myself and a friend. And for the life of me, I cannot possibly understand how an SQL injection is successful. Let me rephrase that -- I cannot possibly understand how the person programming the website can let it be successful. Who in their right mind would write code that allows an untrusted source to query whatever part of the database they want? Don't these people validate the input before running the database queries? That's one of the most basic security tasks. If you don't even bother to do that, you might as well put phpmyadmin on your site with no password. That also raises the question -- could they simply read the data via SELECT queries, or could they also write data with INSERT or UPDATE queries? The former is a bad security vulnerability; the latter results in a database you can no longer trust.
On a side note, it certainly is a bit unnerving that a security company, who (most likely for reasons of greed and power) is the single source of defense against the most prolific piece of malware ever developed, shows such lax security (self-admittedly the result of poor security practices -- not properly reviewing code before going live with it).
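The question above (how an untrusted value can end up "querying whatever part of the database it wants", and whether validating input is the fix) as an added example, not code from the article or from Kaspersky's site: a string-built lookup beside its parameterized form, run against an in-memory SQLite table whose schema and rows are constructed here purely for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for a support-site user table.
# Example code written for this thread, not Kaspersky's schema or code.
SAMPLE_USERS = [("alice@example.com", "T-1001"),
                ("bob@example.com", "T-1002"),
                ("o'brien@example.com", "T-1003")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, ticket TEXT)")
    con.executemany("INSERT INTO users (email, ticket) VALUES (?, ?)", SAMPLE_USERS)
    return con

def lookup_vulnerable(con, email):
    # Untrusted input is spliced into the SQL text, so a quote in the input
    # ends the string literal and whatever follows is parsed as SQL.
    sql = f"SELECT email, ticket FROM users WHERE email = '{email}'"
    return con.execute(sql).fetchall()

def lookup_parameterized(con, email):
    # The value travels separately from the statement: it is always data, never SQL.
    return con.execute("SELECT email, ticket FROM users WHERE email = ?", (email,)).fetchall()

# Allow-list check used as a second layer. Apostrophes are legal in addresses,
# so even "valid" input breaks the string-built query: validation alone is not the fix.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def is_plausible_email(value):
    return bool(EMAIL_RE.fullmatch(value))

def vulnerable_raises(con, email):
    # True if the string-built query is not even valid SQL for this input.
    try:
        lookup_vulnerable(con, email)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # textbook probe: the WHERE clause becomes always-true
    print("vulnerable    :", lookup_vulnerable(db, tautology))      # every row comes back
    print("parameterized :", lookup_parameterized(db, tautology))   # no match: it is just a string
    print("o'brien breaks vulnerable query:", vulnerable_raises(db, "o'brien@example.com"))
    print("o'brien via parameterized      :", lookup_parameterized(db, "o'brien@example.com"))
```

The same mechanism is what decides the SELECT-versus-INSERT/UPDATE question: once input is parsed as SQL, what it can do is limited only by the database account's privileges, which is why the support-site account should not be able to write to tables it only needs to read.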
I don't know if it's true, and Kaspersky's track record on this issue does not exactly incite me to believe them, but one hour does seem a bit short.
I would think that a proper response time would be at least two working days.
On one hand, leaving such a hole open for more than two days does seem rather slack, but on the other, one hour is surely not enough to evaluate the risk, test its veracity and do something about it.
Last month when I was looking around for some new a/v software, the clueless muppets at our local office-supply store here were pushing Kaspersky as being the greatest thing since sliced bread ("Even our boss uses it, it's THAT good!"). They're usually full of shit though so I didn't buy the Kaspersky product. Glad I didn't.
Waiting for the other shoe to drop... backdoors etc...