Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Privacy

Kaspersky Customer Database Exposed 175

secmartin writes "A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."
This discussion has been archived. No new comments can be posted.

Kaspersky Customer Database Exposed

Comments Filter:
  • I use plain CSV text files, you insensitive clods!

    • I'm pretty sure there are both ODBC and OLE drivers for 'text files', while I've never played with them (just done SQL, Oracle, DB2, and Access), I would imagine this sort of vulnerability could exist with a text file as well. Of course not if you're just directly reading them with file streams, but if you're using ODBC or OLE... and no, I can't imagine the scenario that would be the proper use for that.

    • by account_deleted ( 4530225 ) on Sunday February 08, 2009 @08:47PM (#26778493)
      Comment removed based on user account deletion
  • Awesome (Score:5, Informative)

    by Anonymous Coward on Sunday February 08, 2009 @06:48PM (#26777635)

    Our IT department switched us from trend micro to Kaspersky a few months ago. I haven't done any research on the merits or drawbacks of either, but what I do know is this:

    1) On our ancient desktop machines (Think 1.8ghz pentium 4's with 512 megs of ram) performance is a lot worse now than before we switched.

    2) Since the switch we've had some pretty serious downtime due to a virus got in on some old unpatched windows 2000 machines and then proceeded to wreak havok.

    3) SQL injection isn't that hard to prevent. Seriously.

    Granted none of that is enough to conclusively say that Kaspersky is a terrible product, the virus may very well have happened with Trend Micro as well, but as an end user my first impressions are less than positive.

    • Re:Awesome (Score:5, Informative)

      by sqlrob ( 173498 ) on Sunday February 08, 2009 @06:55PM (#26777693)

      4) What were these doing accessible on a net facing computer? You can't hack what's not there.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Fox news says you can hack a computer wirelessly. I believe a trusted news source way more than a nerd like you.

      • Re: (Score:3, Interesting)

        I've worked in secure environments (several different nuke plants, and several different casinos), where things were truly off the net.

        That said, with something like customer data for Kaspersky, it's impractical to have this data isolated in that manner. For starters, people buy and sell this product over the internet. Right there, you have to have an interface into your database from a remotely accessed client. Also I'd imagine Kaspersky has offices in many different countries and while I'm sure VPNs an

        • Re:Awesome (Score:5, Funny)

          by kybred ( 795293 ) on Sunday February 08, 2009 @08:51PM (#26778517)

          I'm all for more security though, most places don't error on the side of caution. Nuke plants tend to (and actually security it generally even 'tougher' at casinos)...

          Of course it is! With nukes plants your merely talking about human lives. With casinos; well, there your talking about money.

          • Re:Awesome (Score:5, Insightful)

            by Anonymous Coward on Sunday February 08, 2009 @09:46PM (#26778887)

            Of course it is! With nukes plants your merely talking about human lives. With casinos; well, there your talking about money.

            With nuke plants, the only real motive for breaking the security from outside is for infrastructure disruption and terrorism.

            With casinos, the motive is the millions of dollars in cash moving around.

            There are far more greedy people than there are violent mass murderers.

            A man who gets bitten by a hundred stinging gnats a day will be more diligent about swatting insects than a man who sees a tsetse fly every five or six years. No matter that that one tsetse may be far more dangerous than the gnats could ever be.

        • Re: (Score:2, Insightful)

          by kiwirob ( 588600 )
          I can't be too hard to isolate the physical database servers behind a reasonable secure firewall.

          Have a web server communicate through a proprietary communications layer, possibly XML, to a dual homed intermediary server behind a firewall which in turn accesses the database server on a local network. No direct net access for the DB server and the intermediary dual homed server simply runs a minimal config and firewall to only accept inbound connections from the web server.

          So it's impossible for an
        • Re: (Score:1, Interesting)

          by Anonymous Coward

          Actually it could be fairly trivial to move most customer information off the internet facing computers.

          Lets say I fill in a complete registration form (name, address, phone, etc). Shortly after registration most of this personal information could be moved via a one-way process to a non-web facing database. The only thing that needs to remain on the web facing database would be login credentials and maybe product purchase history. As long as email addresses are not used for usernames the information would

      • Yeah, so you can't log in, you can't see your previous history, there are no accounts? How exactly would what you propose actually work?

        This is like attacking someone for loading software on their pc because then it becomes vulnerable to attack. Without some data on the net, being on the net is pointless - you just need to secure your data correctly.
      • by sootman ( 158191 )

        Who says they were outward-facing? (I assume by 'net' you meant 'Net' as in 'Internet.') Happens all the time: someone brings in a virus-laden laptop, connects to the network, vulnerable machines die.

        Besides, despite what you think about #2, points 1 and 3 are still valid.

      • At least, not until you reach 3rd dan black hat.

    • On our ancient desktop machines (Think 1.8ghz pentium 4's with 512 megs of ram) performance is a lot worse now than before we switched.

      Last time I checked Trend Micro won't install on machines with less than 1GB ram.

    • Re: (Score:1, Funny)

      by MrEricSir ( 398214 )

      Trend Micro? Even Norton is better than Trend.

    • Re:Awesome (Score:5, Interesting)

      by VoxMagis ( 1036530 ) on Sunday February 08, 2009 @07:44PM (#26778101)

      Really?

      Since switching several companies from other products to Kaspersky...

      No viruses have crept through the systems - none.

      We had one brief period of downtime on one customer related to a bad configuration of the admin server (my fault, still I guess it could have been clearer).

      Performance is overall quite good, even on older machines. On newer machines, people don't even notice that it's running.

      I admit though, I'm irritated about the issue of the original post, which has NOTHING to do with the product itself. Sounds to me like their entire web dev team needs a serious overhaul, or at least a few more night classes at the local community college ;)

    • by htnmmo ( 1454573 )

      3) SQL injection isn't that hard to prevent. Seriously.

      Yep, just use Java and PreparedStatements

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Prepared statements are not exclusive to Java.

      • 3) SQL injection isn't that hard to prevent. Seriously.

        Yep, just use Java and PreparedStatements

        Or more generally: use parametrized queries exclusively.

    • by Ilgaz ( 86384 )

      Kaspersky is always victimised by its own feature. Heavy heuristics. If they remove it, they would have no difference from so-called "Free" antiviruses. If they keep it, they get bad feedback for performance.

      The unpatched Win2k? That is one thing only really overkill heavyweight stuff can save, e.g. the discontinued (for obvious reasons) eSafe desktop. When Win2k is unpatched, it is unsecure at kernel level, almost nothing can save it. We have Win2K boxes in TV business running some very expensive to upgrad

    • I was repairing a customers computer that was infested with spyware and viruses (virii). I took off all the crap that was installed and cleaned it up. Obviously, it wasn't working. They had Kaspersky installed. Not any more.

      I thought twice before I removed it, Kaspersky I've heard of. But, it wasn't complaining at all about the infestation. Sorry, guys!
  • by Anonymous Coward on Sunday February 08, 2009 @06:49PM (#26777637)

    Who cares if some forums are hacked?

    For that matter, even if they get a customer's account data, the damage is limited if good credit-monitoring is in place.

    I'd be more worried about the update servers being hacked and millions of us downloading bogus updates.

  • I just switched to Kaspersky last night, after my McAfee subscription expired. "Haxor et Machina?"
    • Re: (Score:1, Informative)

      by Anonymous Coward

      get a corporate license. There is no BS expiration.
      That's the biggest scam they've got going.
      Also, if company you work for has a PER USER license for McAfee or Norton, you can install it on as MANY machines YOU use as you like. Yup, no limit, no expiration, no diff if it's your home or work PC.
      (a lot of people these days continue to work from home after hours and use their own PC with VPN and no antivirus or old AV software - big problem since people are more likely not to pay attention and go on sites that

  • by Anonymous Coward on Sunday February 08, 2009 @07:05PM (#26777775)

    I've been "borrowing" our company's corporate AV sw that doesn't require registration and has perpetual license for the past 10 years... Then 6 months ago I decided to go legal and spent $70 for 3 user license. I paid with my credit card, registered with my email address and now this! Never again :)

  • It seems someone needs to add backslashes to their SQL statements...
    • Re:oh well... (Score:5, Informative)

      by this great guy ( 922511 ) on Sunday February 08, 2009 @07:31PM (#26777999)
      No. Escaping is error-prone as you will invariably fail to escape some special character you don't know about. The right way to fix SQL injection is to use parametrized queries.
      • Re: (Score:1, Informative)

        by kbrasee ( 1379057 )
        Wait, why is this funny? It's +5 informative.
      • Re: (Score:2, Informative)

        by Tweenk ( 1274968 )

        Either that, or use the server's escaping function, which will be correct. There is no way to create parametrized SQL queries with the PHP / MySQL combo if you don't have the mysqli extension (which is unfortunately far from rare).

        • Re:oh well... (Score:5, Interesting)

          by Repton ( 60818 ) on Sunday February 08, 2009 @08:25PM (#26778351) Homepage

          So, the standard way of programatically querying databases, which is easier than building and escaping your own queries, and which makes you completely immune to SQL injection, is generally unavailable in a very popular combination of website technologies?

          WTF?

          • So, the standard way of programatically querying databases, which is easier than building and escaping your own queries, and which makes you completely immune to SQL injection, is generally unavailable in a very popular combination of website technologies?

            WTF?

            Popular != good.

          • Re:oh well... (Score:5, Informative)

            by KermodeBear ( 738243 ) on Monday February 09, 2009 @12:11AM (#26779871) Homepage

            So, the standard way of programatically querying databases, which is easier than building and escaping your own queries, and which makes you completely immune to SQL injection, is generally unavailable in a very popular combination of website technologies?

            Repton, you missed the part about the mysqli extension. A lot of functionality in PHP have been moved out into extensions. Enabling them is as easy as modifying the .ini file.

            I know that the poster above you was whining about it not being available on servers, but to be honest, I've never run into any (credible, reliable) hosting service that doesn't already have it enabled.

            And hell - if it is something that is good to have, why pick a host that doesn't have it?

        • So you're saying you can't call MySQL procedures [mysql.com] from PHP? Those would be parameterized and typed. You should still check any character input, but you should be pretty safe from SQL injection at that point.

        • sscanf
      • by octaene ( 171858 )

        I agree with parent; the problem is parameterized queries don't exist for every type of SQL statement you'd want to write, that's why folks get trapped into escaping user input. The only foolproof solution is to not accept user input. :-)

      • That's garbage. Parametrized queries have their place, sure. But if a quoting facility is letting "special" characters through, it has a bug and needs to be fixed. Guess what: one way of implementing parametrized queries is through automatic escaping!

        • Re: (Score:3, Informative)

          by dkf ( 304284 )

          Guess what: one way of implementing parametrized queries is through automatic escaping!

          It's a slow way of doing it though, since the database engine will need to reparse the statement from scratch each time. Far better to use a real parameterized query when the engine can cache a compiled form. (A performance boost and more security at the same time? Win-win! What's not to like?)

      • You got to be kidding right? Just shows how lost you are!

        mysql_escape_string(), and done :)

        or the cheap way around: str_replace("'", '', $parameter), or just add \ on front of the ', and wrap all your parameters into '', ie. column='value'

        • 1) Maybe you meant mysql_real_escape_string()?

          Or perhaps mysql_genuine_escape_string_really_no_kidding_this_time().

          2) Just adding \ in front of ' doesn't help you if the attacker puts \ in the parameters.

          Lastly, my suggestion is to avoid PHP if you can. Though you can quickly do half-baked stuff with PHP it's a real pain and more work to do things properly compared to better designed languages.
    • You would use placeholders, that fixes the problem. Anyone who knows the first things about SQL should know that.

  • by WiiVault ( 1039946 ) on Sunday February 08, 2009 @07:32PM (#26778007)
    Great timing eh?
  • by Anonymous Coward

    Kaspersky outsources almost all (if not all) their ecommerce. They would have little or no credit card info in their customer database.

  • by Master of Transhuman ( 597628 ) on Sunday February 08, 2009 @09:19PM (#26778697) Homepage

    Overall, according to the testing agencies, it's a pretty decent AV with very high detection rates - almost always in the top five or ten.

    It's administration over a network is pretty complicated, using its Administration Kit. The basics aren't hard, but it's a very complicated product with a high degree of customization possible which makes administering it hard.

    It does have a bad problem with false positives - it seems to want to tag any exe encapsulated in an archive as a "trojan". I had a bunch of utilities for unattended installs of Windows sitting around and it went wild tagging a lot of them as "trojans" - even though most are well known utilities used for installing or slipstreaming Windows, and if any of them had trojans, somebody would have caught that by now. This is a know issue with KAV and apparently they're not doing much to correct it, according to comments on their forums.

    But ALL the virus engines these days are behind the curve of actual viruses in the wild - so it's no surprise that the occasional virus gets through. One got through on one of my client machines a week or two ago without being spotted by either KAV or Spyware Terminator. A very nasty one, too, that was almost a rootkit - took me some hours to fully get rid of it. Downloaded from a hostile Web site by one of the staff accidentally, I think, since the client has a hardware firewall in front of the network.

    • by arth1 ( 260657 )

      Overall, according to the testing agencies, it's a pretty decent AV with very high detection rates - almost always in the top five or ten.

      [...]

      It does have a bad problem with false positives

      The two are related. It's easy to create a virus killer that has a very high detection rate, but it takes talent to do so without also increasing the number of false positives.

      I used to like ESET Nod32, because it was fast and fairly accurate. But lately, it reports way to many false positives to be useful. Combined w

  • mod_security (Score:4, Informative)

    by X.25 ( 255792 ) on Sunday February 08, 2009 @10:05PM (#26779055)

    I can't count number of time I've recommended usage of mod_security in order to prevent these types of crap.

    I can count, though, number of times people implemented it: 0.

    • That, and using SQL placeholders. The best way to prevent insertion attack is use placeholders. Very simple. I am surprised people dont know how to use that feature, its in every SQL book.

  • Just escape any quotes in the input and your DBs will be safe from injection. In Java:

    String escapeQuotes(String s){
    if (s==null){ s=""; }
    StringBuffer sb = new StringBuffer();
    char ch[] = new char[1];
    char con[] = new char[3];
    con[0] = '%';
    for(int i=0;i<s.length();i++){
    char c = ch[0] = s.charAt(i);
    if (c==0x27 || c==0x60 || c==22 || c=='%'){
    int a = c/16;
    int b = c-a*16;
    con[1] = Character.forDigit(a,16);
    con[2] = Character.forDig

  • I'm so very glad I got our company to use Avast.
  • And these are the same people claiming great security for my pc, because they know how to handle threats. If they can't even write good web code for their site, my guess is they don't for their products either.

FORTUNE'S FUN FACTS TO KNOW AND TELL: A giant panda bear is really a member of the racoon family.

Working...