Security Privacy

Kaspersky Customer Database Exposed

secmartin writes "A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."
  • I use plain CSV text files, you insensitive clods!

    • I'm pretty sure there are both ODBC and OLE drivers for 'text files', while I've never played with them (just done SQL, Oracle, DB2, and Access), I would imagine this sort of vulnerability could exist with a text file as well. Of course not if you're just directly reading them with file streams, but if you're using ODBC or OLE... and no, I can't imagine the scenario that would be the proper use for that.

  • Awesome (Score:5, Informative)

    by Anonymous Coward on Sunday February 08, 2009 @07:48PM (#26777635)

    Our IT department switched us from trend micro to Kaspersky a few months ago. I haven't done any research on the merits or drawbacks of either, but what I do know is this:

    1) On our ancient desktop machines (Think 1.8ghz pentium 4's with 512 megs of ram) performance is a lot worse now than before we switched.

    2) Since the switch we've had some pretty serious downtime due to a virus that got in on some old unpatched Windows 2000 machines and then proceeded to wreak havoc.

    3) SQL injection isn't that hard to prevent. Seriously.

    Granted none of that is enough to conclusively say that Kaspersky is a terrible product, the virus may very well have happened with Trend Micro as well, but as an end user my first impressions are less than positive.

    • Re:Awesome (Score:5, Informative)

      by sqlrob ( 173498 ) on Sunday February 08, 2009 @07:55PM (#26777693)

      4) What were these doing accessible on a net facing computer? You can't hack what's not there.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Fox news says you can hack a computer wirelessly. I believe a trusted news source way more than a nerd like you.

      • Re: (Score:3, Interesting)

        I've worked in secure environments (several different nuke plants, and several different casinos), where things were truly off the net.

        That said, with something like customer data for Kaspersky, it's impractical to have this data isolated in that manner. For starters, people buy and sell this product over the internet. Right there, you have to have an interface into your database from a remotely accessed client. Also I'd imagine Kaspersky has offices in many different countries and while I'm sure VPNs an

        • Re:Awesome (Score:5, Funny)

          by kybred ( 795293 ) on Sunday February 08, 2009 @09:51PM (#26778517)

          I'm all for more security though, most places don't err on the side of caution. Nuke plants tend to (and actually security is generally even 'tougher' at casinos)...

          Of course it is! With nuke plants you're merely talking about human lives. With casinos; well, there you're talking about money.

          • Re:Awesome (Score:5, Insightful)

            by Anonymous Coward on Sunday February 08, 2009 @10:46PM (#26778887)

            Of course it is! With nuke plants you're merely talking about human lives. With casinos; well, there you're talking about money.

            With nuke plants, the only real motive for breaking the security from outside is for infrastructure disruption and terrorism.

            With casinos, the motive is the millions of dollars in cash moving around.

            There are far more greedy people than there are violent mass murderers.

            A man who gets bitten by a hundred stinging gnats a day will be more diligent about swatting insects than a man who sees a tsetse fly every five or six years. No matter that that one tsetse may be far more dangerous than the gnats could ever be.

        • Re: (Score:2, Insightful)

          by kiwirob ( 588600 )
          It can't be too hard to isolate the physical database servers behind a reasonably secure firewall.

          Have a web server communicate through a proprietary communications layer, possibly XML, to a dual homed intermediary server behind a firewall which in turn accesses the database server on a local network. No direct net access for the DB server and the intermediary dual homed server simply runs a minimal config and firewall to only accept inbound connections from the web server.

          So it's impossible for an
        • Re: (Score:1, Interesting)

          by Anonymous Coward

          Actually it could be fairly trivial to move most customer information off the internet facing computers.

          Lets say I fill in a complete registration form (name, address, phone, etc). Shortly after registration most of this personal information could be moved via a one-way process to a non-web facing database. The only thing that needs to remain on the web facing database would be login credentials and maybe product purchase history. As long as email addresses are not used for usernames the information would

      • Yeah, so you can't log in, you can't see your previous history, there are no accounts? How exactly would what you propose actually work?

        This is like attacking someone for loading software on their pc because then it becomes vulnerable to attack. Without some data on the net, being on the net is pointless - you just need to secure your data correctly.
      • by sootman ( 158191 )

        Who says they were outward-facing? (I assume by 'net' you meant 'Net' as in 'Internet.') Happens all the time: someone brings in a virus-laden laptop, connects to the network, vulnerable machines die.

        Besides, despite what you think about #2, points 1 and 3 are still valid.

      • At least, not until you reach 3rd dan black hat.

    • On our ancient desktop machines (Think 1.8ghz pentium 4's with 512 megs of ram) performance is a lot worse now than before we switched.

      Last time I checked Trend Micro won't install on machines with less than 1GB ram.

    • Re: (Score:1, Funny)

      by MrEricSir ( 398214 )

      Trend Micro? Even Norton is better than Trend.

    • Re:Awesome (Score:5, Interesting)

      by VoxMagis ( 1036530 ) on Sunday February 08, 2009 @08:44PM (#26778101)

      Really?

      Since switching several companies from other products to Kaspersky...

      No viruses have crept through the systems - none.

      We had one brief period of downtime on one customer related to a bad configuration of the admin server (my fault, still I guess it could have been clearer).

      Performance is overall quite good, even on older machines. On newer machines, people don't even notice that it's running.

      I admit though, I'm irritated about the issue of the original post, which has NOTHING to do with the product itself. Sounds to me like their entire web dev team needs a serious overhaul, or at least a few more night classes at the local community college ;)

    • by htnmmo ( 1454573 )

      3) SQL injection isn't that hard to prevent. Seriously.

      Yep, just use Java and PreparedStatements

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Prepared statements are not exclusive to Java.

      • 3) SQL injection isn't that hard to prevent. Seriously.

        Yep, just use Java and PreparedStatements

        Or more generally: use parametrized queries exclusively.

    • by Ilgaz ( 86384 )

      Kaspersky is always victimised by its own feature. Heavy heuristics. If they remove it, they would have no difference from so-called "Free" antiviruses. If they keep it, they get bad feedback for performance.

      The unpatched Win2k? That is one thing only really overkill heavyweight stuff can save, e.g. the discontinued (for obvious reasons) eSafe desktop. When Win2k is unpatched, it is insecure at kernel level, almost nothing can save it. We have Win2K boxes in TV business running some very expensive to upgrad

    • I was repairing a customer's computer that was infested with spyware and viruses (virii). I took off all the crap that was installed and cleaned it up. Obviously, it wasn't working. They had Kaspersky installed. Not any more.

      I thought twice before I removed it, Kaspersky I've heard of. But, it wasn't complaining at all about the infestation. Sorry, guys!
  • by Anonymous Coward on Sunday February 08, 2009 @07:49PM (#26777637)

    Who cares if some forums are hacked?

    For that matter, even if they get a customer's account data, the damage is limited if good credit-monitoring is in place.

    I'd be more worried about the update servers being hacked and millions of us downloading bogus updates.

  • I just switched to Kaspersky last night, after my McAfee subscription expired. "Haxor et Machina?"
    • Re: (Score:1, Informative)

      by Anonymous Coward

      get a corporate license. There is no BS expiration.
      That's the biggest scam they've got going.
      Also, if company you work for has a PER USER license for McAfee or Norton, you can install it on as MANY machines YOU use as you like. Yup, no limit, no expiration, no diff if it's your home or work PC.
      (a lot of people these days continue to work from home after hours and use their own PC with VPN and no antivirus or old AV software - big problem since people are more likely not to pay attention and go on sites that

  • by Anonymous Coward on Sunday February 08, 2009 @08:05PM (#26777775)

    I've been "borrowing" our company's corporate AV sw that doesn't require registration and has perpetual license for the past 10 years... Then 6 months ago I decided to go legal and spent $70 for 3 user license. I paid with my credit card, registered with my email address and now this! Never again :)

  • It seems someone needs to add backslashes to their SQL statements...
    • Re:oh well... (Score:5, Informative)

      by this great guy ( 922511 ) on Sunday February 08, 2009 @08:31PM (#26777999)
      No. Escaping is error-prone as you will invariably fail to escape some special character you don't know about. The right way to fix SQL injection is to use parametrized queries.
      • Re: (Score:1, Informative)

        by kbrasee ( 1379057 )
        Wait, why is this funny? It's +5 informative.
      • Re: (Score:2, Informative)

        by Tweenk ( 1274968 )

        Either that, or use the server's escaping function, which will be correct. There is no way to create parametrized SQL queries with the PHP / MySQL combo if you don't have the mysqli extension (which is unfortunately far from rare).

        • Re:oh well... (Score:5, Interesting)

          by Repton ( 60818 ) on Sunday February 08, 2009 @09:25PM (#26778351) Homepage

          So, the standard way of programmatically querying databases, which is easier than building and escaping your own queries, and which makes you completely immune to SQL injection, is generally unavailable in a very popular combination of website technologies?

          WTF?

            So, the standard way of programmatically querying databases, which is easier than building and escaping your own queries, and which makes you completely immune to SQL injection, is generally unavailable in a very popular combination of website technologies?

            WTF?

            Popular != good.

          • Re:oh well... (Score:5, Informative)

            by KermodeBear ( 738243 ) on Monday February 09, 2009 @01:11AM (#26779871) Homepage

            So, the standard way of programmatically querying databases, which is easier than building and escaping your own queries, and which makes you completely immune to SQL injection, is generally unavailable in a very popular combination of website technologies?

            Repton, you missed the part about the mysqli extension. A lot of functionality in PHP has been moved out into extensions. Enabling them is as easy as modifying the .ini file.

            I know that the poster above you was whining about it not being available on servers, but to be honest, I've never run into any (credible, reliable) hosting service that doesn't already have it enabled.

            And hell - if it is something that is good to have, why pick a host that doesn't have it?

        • So you're saying you can't call MySQL procedures [mysql.com] from PHP? Those would be parameterized and typed. You should still check any character input, but you should be pretty safe from SQL injection at that point.

        • sscanf
      • by octaene ( 171858 )

        I agree with parent; the problem is parameterized queries don't exist for every type of SQL statement you'd want to write, that's why folks get trapped into escaping user input. The only foolproof solution is to not accept user input. :-)

      • That's garbage. Parametrized queries have their place, sure. But if a quoting facility is letting "special" characters through, it has a bug and needs to be fixed. Guess what: one way of implementing parametrized queries is through automatic escaping!

        • Re: (Score:3, Informative)

          by dkf ( 304284 )

          Guess what: one way of implementing parametrized queries is through automatic escaping!

          It's a slow way of doing it though, since the database engine will need to reparse the statement from scratch each time. Far better to use a real parameterized query when the engine can cache a compiled form. (A performance boost and more security at the same time? Win-win! What's not to like?)

      • You've got to be kidding, right? Just shows how lost you are!

        mysql_escape_string(), and done :)

        or the cheap way around: str_replace("'", '', $parameter), or just add \ on front of the ', and wrap all your parameters into '', ie. column='value'

        • 1) Maybe you meant mysql_real_escape_string()?

          Or perhaps mysql_genuine_escape_string_really_no_kidding_this_time().

          2) Just adding \ in front of ' doesn't help you if the attacker puts \ in the parameters.

          Lastly, my suggestion is to avoid PHP if you can. Though you can quickly do half-baked stuff with PHP it's a real pain and more work to do things properly compared to better designed languages.
    • You would use placeholders, that fixes the problem. Anyone who knows the first things about SQL should know that.
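The three approaches argued over in this thread (pasting the value into the SQL text, "fixing" it by stripping or escaping quotes, and binding it as a parameter) run against an in-memory database, as an added example that is mine and not code from any commenter or from Kaspersky. It uses Python's sqlite3 module standing in for the PHP/MySQL stack the thread discusses; the sample table and rows are constructed for the example. SQLite's correct escape for a single quote is doubling it and it has no backslash escape, so the backslash-in-the-parameter trick mentioned for MySQL is not reproduced here, but the structural lesson (a quote filter is only right for the one quoting context it was written for, while a bound parameter is never parsed as SQL) is the same on any engine.

```python
import sqlite3

# Constructed sample data for this example, not Kaspersky's schema.
ROWS = [
    (1, "alice", "alice@example.test", "reseller"),
    (2, "bob", "bob@example.test", "customer"),
    (3, "carol", "carol@example.test", "customer"),
]


def make_db():
    """Fresh in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, login TEXT, email TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return conn


def by_login_concat(conn, login):
    """Vulnerable: the value becomes part of the SQL text and is parsed as SQL."""
    sql = "SELECT login, email FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def by_login_escaped(conn, login):
    """Escaping done the way the engine expects (SQLite doubles the quote).
    Correct for a quoted string literal, and only for that context."""
    quoted = "'" + login.replace("'", "''") + "'"
    sql = "SELECT login, email FROM users WHERE login = " + quoted
    return conn.execute(sql).fetchall()


def by_id_strip_quotes(conn, user_id):
    """The str_replace("'", '') "fix" from the thread, applied to a numeric
    column.  The parameter is not inside quotes here, so the attacker never
    needs one and the filter changes nothing."""
    cleaned = str(user_id).replace("'", "")
    sql = "SELECT login, email FROM users WHERE id = " + cleaned
    return conn.execute(sql).fetchall()


def by_login_param(conn, login):
    """Parameterized: the value travels separately from the statement text."""
    return conn.execute(
        "SELECT login, email FROM users WHERE login = ?", (login,)
    ).fetchall()


def by_id_param(conn, user_id):
    """Parameterized numeric lookup; int() rejects anything that is not a number
    before it ever reaches the engine (raises ValueError on junk)."""
    return conn.execute(
        "SELECT login, email FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


def demo():
    """Run the same two payloads through each variant and summarise the outcome."""
    conn = make_db()
    tautology = "x' OR '1'='1"   # classic string-context payload
    numeric = "1 OR 1=1"         # needs no quote at all
    try:
        by_id_param(conn, numeric)
        numeric_param_rejected = False
    except ValueError:
        numeric_param_rejected = True
    return {
        "concat_rows": len(by_login_concat(conn, tautology)),       # every row
        "escaped_rows": len(by_login_escaped(conn, tautology)),     # none
        "strip_quotes_rows": len(by_id_strip_quotes(conn, numeric)),  # every row
        "param_rows": len(by_login_param(conn, tautology)),         # none
        "numeric_param_rejected": numeric_param_rejected,           # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The escaped variant does hold up for the string case, which is the point the "use the server's escaping function" replies are making; the quote-stripping variant fails not because the filter is buggy but because it was applied to a context it was never right for. Parameters remove the question of context entirely, which is why every reply that says "placeholders" is giving the same advice.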

  • by WiiVault ( 1039946 ) on Sunday February 08, 2009 @08:32PM (#26778007)
    Great timing eh?
  • by Anonymous Coward

    Kaspersky outsources almost all (if not all) their ecommerce. They would have little or no credit card info in their customer database.

  • by Master of Transhuman ( 597628 ) on Sunday February 08, 2009 @10:19PM (#26778697) Homepage

    Overall, according to the testing agencies, it's a pretty decent AV with very high detection rates - almost always in the top five or ten.

    Its administration over a network is pretty complicated, using its Administration Kit. The basics aren't hard, but it's a very complicated product with a high degree of customization possible which makes administering it hard.

    It does have a bad problem with false positives - it seems to want to tag any exe encapsulated in an archive as a "trojan". I had a bunch of utilities for unattended installs of Windows sitting around and it went wild tagging a lot of them as "trojans" - even though most are well known utilities used for installing or slipstreaming Windows, and if any of them had trojans, somebody would have caught that by now. This is a known issue with KAV and apparently they're not doing much to correct it, according to comments on their forums.

    But ALL the virus engines these days are behind the curve of actual viruses in the wild - so it's no surprise that the occasional virus gets through. One got through on one of my client machines a week or two ago without being spotted by either KAV or Spyware Terminator. A very nasty one, too, that was almost a rootkit - took me some hours to fully get rid of it. Downloaded from a hostile Web site by one of the staff accidentally, I think, since the client has a hardware firewall in front of the network.

    • by arth1 ( 260657 )

      Overall, according to the testing agencies, it's a pretty decent AV with very high detection rates - almost always in the top five or ten.

      [...]

      It does have a bad problem with false positives

      The two are related. It's easy to create a virus killer that has a very high detection rate, but it takes talent to do so without also increasing the number of false positives.

      I used to like ESET Nod32, because it was fast and fairly accurate. But lately, it reports way too many false positives to be useful. Combined w

  • mod_security (Score:4, Informative)

    by X.25 ( 255792 ) on Sunday February 08, 2009 @11:05PM (#26779055)

    I can't count the number of times I've recommended usage of mod_security in order to prevent these types of crap.

    I can count, though, the number of times people implemented it: 0.

    • That, and using SQL placeholders. The best way to prevent insertion attacks is to use placeholders. Very simple. I am surprised people don't know how to use that feature, it's in every SQL book.

  • Just escape any quotes in the input and your DBs will be safe from injection. In Java:

    // Percent-encodes the characters the poster treats as dangerous
    // (' ` " and %). The posted code was cut off after the second
    // forDigit call; the remainder is completed in the obvious way.
    // The original test read c==22 (decimal, a control character);
    // 0x22, the double quote, is assumed to be what was meant.
    String escapeQuotes(String s){
        if (s==null){ s=""; }
        StringBuffer sb = new StringBuffer();
        char con[] = new char[3];
        con[0] = '%';
        for(int i=0;i<s.length();i++){
            char c = s.charAt(i);
            if (c==0x27 || c==0x60 || c==0x22 || c=='%'){
                int a = c/16;          // high nibble
                int b = c-a*16;        // low nibble
                con[1] = Character.forDigit(a,16);
                con[2] = Character.forDigit(b,16);
                sb.append(con);        // e.g. ' becomes %27
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

  • I'm so very glad I got our company to use Avast.
  • And these are the same people claiming great security for my pc, because they know how to handle threats. If they can't even write good web code for their site, my guess is they don't for their products either.
