Kaspersky hacker: Database exposed for days

Some 24 hours after a hacker claimed to hack a Kaspersky website and access a database containing proprietary customer information, the security provider issued a terse statement confirming it had experienced a security issue. "On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com …

COMMENTS

This topic is closed for new posts.
  1. William

    Ouch.

    This has to be a PR disaster.

  2. Anonymously Deflowered

    Wrong email address, perhaps?

    What if the reason he got no response was because he emailed info@kasperky.com ?

  3. Anonymous Coward
    Flame

    dotDefender Web Application Firewall

    This is a tool I'm using to prevent SQL injection on our server, cross-site scripting and other attacks that can hurt no less than injection attacks. I downloaded dotDefender from www.applicure.com and installed it for a 30-day free trial. I actually saw the attacks happening in real time while using the monitoring mode. You can also use their protective mode and actually prevent attacks coming on your website.

    All those web application attacks will drop down immediately.

    Dani Alovitz

  4. Anonymous Coward
    Thumb Up

    wtf

    BitDefender was owned too today but this guy lol. I think I'm gonna unplug my PC to be safe from now on.

  5. David Kairns

    But Wait

    Hey, it's only an international professional security corporation, not a nuclear facility.

    What's the big problem.

    Hope they had fun in Puerto Rico.

  6. David Kairns

    Silencio

    Their silence whispers darkly:

    "We don't give a fuck about user security -- they're only stupid customer sheep after all."

    "Our software is probably just as hole-ridden as our numb corporate vacation-taking skulls."

    Honest people come clean quick. They're not coming clean at all. Therefore....

    Yet another mini Enron in the making?

    (does it sound like I'm **really** tired of shit-nothing useless corporations littering the barren IT wasteland?)

  7. Anonymous Coward
    Thumb Down

    Re dotDefender

    Or alternatively, they could have hired someone who knows basic web development to make their website. There's no excuse to make a website with SQL injection or XSS flaws these days. It's just sloppy programming.

  8. Robin Layfield
    Thumb Up

    Jedi Mind tricks... indeed.

    That's the best damn description of SQL Injection attacks I've ever read!!

  9. Anonymous Coward
    Anonymous Coward

    Re Re dotDefender

    Check out modsecurity, it does the same but is free (and probably better)

  10. Roger Heathcote

    @ Anonymous Coward

    "There's no excuse to make a website with SQL injection or XSS flaws these days. It's just sloppy programming."

    That's like saying there's no excuse for writing a C program that segfaults these days. If the language itself permits these things and you have a large enough codebase, some of them are bound to sneak through, and all it takes is one slip-up like this to create a regression and expose your whole DB. Keeping sensitive data in a SQL database connected to the internet is playing with fire. SQL is such a simple, powerful and productive paradigm that everyone uses it, myself included, but just lashing it directly to the internet with a bit of PHP is like replacing the flight yoke of an F-16 with a drinking straw.

    Of course it can be done 'properly'. Even in PHP you can be all test-driven and diligently abstract all your database interactions into a nice API, but think of the cost, time and knowledge factors involved and you will see how it often won't happen. If you're going to be hiring less-than-perfect coders, the way to tackle these problems is to get them working in a framework where they AREN'T writing their own SQL query strings and they AREN'T responsible for sanitizing raw input by hand for every single input they have to deal with.

    Roger Heathcote
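An added example (not from the thread or any of its posters) of Roger's point about frameworks that keep developers from writing their own query strings: the same customer lookup built by string concatenation and by parameter binding, run against a constructed in-memory SQLite table. The customer rows and the input strings are made up for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny customer table standing in for the kind of
# database discussed in the thread. Nothing here is real customer data.
SAMPLE_CUSTOMERS = [
    ("alice@example.test", "LICENCE-0001"),
    ("bob@example.test", "LICENCE-0002"),
    ("carol@example.test", "LICENCE-0003"),
]


def make_db():
    """Create an in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, licence TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_unsafe(conn, email):
    """String-built query: whatever the caller passes becomes part of the SQL text."""
    sql = "SELECT email, licence FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the driver binds the value; it is never parsed as SQL."""
    sql = "SELECT email, licence FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email):
    """Run both lookups on the same input and return (unsafe_rows, safe_rows)."""
    conn = make_db()
    try:
        return len(lookup_unsafe(conn, email)), len(lookup_safe(conn, email))
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal address behaves identically either way.
    print(compare("alice@example.test"))   # (1, 1)
    # A quote in the input changes the query's meaning only when concatenated;
    # the bound parameter is compared as a literal string and matches nothing.
    print(compare("x' OR '1'='1"))          # (3, 0)
```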

  11. The Fuzzy Wotnot
    Flame

    Hit happens!

    Some muppet on the help desk saw the emails and thought someone was playing games, oh well big K's loss. Nothing hits a company harder and in a more sensitive place, than a beating from the "bad publicity" stick!

  12. Scott

    @Fuzzy Wotnot

    You been hit with the good publicity stick? It's hard and hurts more than the bad publicity stick, that's why today's papers are full of c*ap.

  13. Anonymous Coward
    Flame

    Oh dear

    Someone's developers haven't read SQL web programming 101, what a surprise...

    I test for this kind of thing professionally and some VERY large very professional bluechip companies try to sell soft/hardware solutions to us with this problem all the time.

    Usually we find out they subcontracted the web side of the development to some Indian subcontracting company, can't/won't/don't know how to/try to avoid making changes because they fired all their proper developers who could have advised them before getting egg on their face during accept-into-service testing.

    We should all know better; trouble is the market, in its rush to offshore and cut costs, doesn't employ decent coders who care, and then fails to back it up with adequate pre-delivery testing by some proper pen testers. And no, that doesn't mean someone running Nessus on their Windows laptop with safe checks enabled, and no clue what all the boxes are for...

    Thus the beancounters in charge shall reap as they sow.

  14. BlueGreen

    I'll say it, it only seems right

    Well done, Unu, for not abusing it.

  15. Andrew Clerk

    It's not the same thing, bitdefender.pt is not owned by BitDefender

    Well Kaspersky's hacked site was developed and maintained by them, but the bitdefender.pt is created and maintained by a reseller of BitDefender so it's not really the same thing. BitDefender websites use an internally developed CMS.

  16. Andrew Clerk
    Alert

    It's not the same thing about BitDefender....

    Well Kaspersky's hacked site was developed and maintained by them, but the bitdefender.pt is created and maintained by a reseller of BitDefender so it's not really the same thing. BitDefender websites use an internally developed CMS.
