Kaspersky breach: No user info lifted, auditor confirms No customer information was accessed during last weekend's breach of a Kaspersky website, an independent auditor has concluded, confirming the results of an internal investigation conducted earlier by members of the anti-virus firm. The report, prepared by security expert David Litchfield, corroborated the findings of hackers …
"The attacker's claim to be able to access customer data is correct..."
"the attacker did attempt to gain access to customer data however, the attempts failed..."
So which is it? Those two statements are mutually exclusive. The attacker either was, or was not, able to access customer data. Failed attempts to gain access to customer data means the attacker could not access customer data, which means the first statement is incorrect. Are they purposely using doublespeak in order to prepare us for the seemingly-imminent 1984?
WTF???
SQL-injection vulnerabilities are [i]always[/i] the result of poorly-written code and have been known for [b]years[/b]. This is pure incompetence on Kaspersky's part. This represents a serious blow to their reputation, even though they do consistently rank among the top AV-providers. What were they doing, trying to cut costs by hiring collge students?
While not directly connected with the original article I wonder if there is a tenable link of sorts, namely the "registered and licenced software model".
I'd guess that K* like many others using "registered and licenced software model" has a database of authorised updates and a database of 'do not update these' ...
And I wondered if a traffic light system would be better especially for the named authorised and registered users. And for it to work along lines of:
Red light: do not update these users (either licence expired or on trial basis or ... )
Amber light: there is something dodgy about the licence and user. Flag this for attention of staff.
Green light: software updates allowed, ...
The new addition is of course an 'amber light' category with present working methods conforming to red light/green light only.
So, for example, in the case of a stolen computer in which a user has informed the software provided that user can say "My licenced use has been compromised because the hardware has been nicked. If my licence and registration leads to a computer attempting an upload please inform the police using crime reference ##### "
The above really is not limited to Kaspersky but it does allow me a rather tenuous use of the topic and 'licenced and registered' user model.
Discuss.
The only way I can parse that so that it makes some kind of semantic sense without being a contradiction is:
The attackers found out how to access the database, and were able to issue SQL commands to the database. However, they were not able to determine the (obfuscated?) table names or field names such that they were able to walk away with data. If this is true, it's apparently a case of security by obscurity working - which I find to be nigh inconceivable.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
