
SQL injection  (Source: HackersBlog)
Although there are a lot of high-profile hacker intrusions these days, it normally doesn't happen to security companies... but it recently did to Kaspersky

Security firm Kaspersky Security has been left embarrassed after a hacker informed them that a customer information database was left exposed for 11 days before the security firm was able to secure it.

"Honestly, this is not good for any company and especially not good for a company dealing with security," Kaspersky senior antivirus researcher Roel Schouwenberg said during a media phone conference.  "This should not have happened.  We are now doing everything within our power to do the forensics on the case, and to prevent this from happening again."

Although no customer information was reportedly accessed by the intruder, the millions of customers who have used Kaspersky may think twice before doing so again.  In total, 2,500 users' e-mail addresses and around 25,000 product activation codes were at risk over the 11-day period.

A posting on the HackersBlog web site includes screenshots from the hacker, who used SQL injection to access the company's database.  It appears that a part of Kaspersky's U.S. support site was breached using the SQL injection attack; the site was created by an unnamed third party and was not reviewed properly by the security company before it went live.

"Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.," the blog entry states.
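To make the "alter one of the parameters" flaw concrete, here is an added example (not code from the article, HackersBlog, or Kaspersky) that puts a string-concatenated lookup beside its hardened form. The table, column names and rows are constructed sample data; the support site's real schema is not on the page.

```python
import sqlite3

# Constructed sample data standing in for an activation-code table;
# nothing here is the real schema or real customer data.
SAMPLE_ROWS = [
    (1, "user1@example.com", "CODE-AAAA-1111"),
    (2, "user2@example.com", "CODE-BBBB-2222"),
    (3, "user3@example.com", "CODE-CCCC-3333"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activations (id INTEGER, email TEXT, code TEXT)")
    conn.executemany("INSERT INTO activations VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The flaw the article describes: the request parameter is pasted straight
    into the SQL text, so a tampered value changes the meaning of the query."""
    sql = "SELECT email, code FROM activations WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, user_id):
    """Hardened form: check the parameter is the integer id it is supposed to be,
    then bind it as a value so it can never become part of the SQL text."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT email, code FROM activations WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "2"))          # the single intended row
    print(lookup_vulnerable(db, "2 OR 1=1"))   # every row: the altered parameter rewrote the WHERE clause
    print(lookup_fixed(db, "2"))               # the single intended row
    try:
        lookup_fixed(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)                # tampered value never reaches the database
```

The same tampered value that dumps the whole table through the concatenated query is rejected before it reaches the database in the parameterized version; in a review of third-party code, any query built with string concatenation from request input is the pattern to flag.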

The U.S. support site officially went live on January 28 and was first marketed to the public on January 29, according to Kaspersky.  There is no indication that the site was infiltrated by any other hackers since it was published.

Kaspersky has called upon Next Generation Security Software's David Litchfield, a security expert specializing in SQL injection attacks, to conduct an independent audit and security risk analysis of the company's web site.  Once finished, the report will be published on Kaspersky's web site for all visitors to see.


RE: Dodged a bullet
By tastyratz on 2/10/2009 8:21:34 AM , Rating: 2
Easy to say when you don't have a virus... yet. I wouldn't recommend ditching the AV because even though most viruses are spread through stupid user trickery (here I sent you valentinescard.exe open the email!) there are still very realistic issues of trojans.
If a security firm who does this for a living can be compromised, then what you're doing is simply Russian roulette. Sure you can dodge the obvious bullets, but you can't see them all coming.

Why don't you instead research a more unobtrusive lower footprint AV solution such as nod32?

fwiw I am certified mcdst, etc (whole bunch of letters after my name)
so I know when something seems fishy... but my training has also taught me to be properly protected.

RE: Dodged a bullet
By seilerbird on 2/10/2009 10:26:32 AM , Rating: 1
Oh please, I have never run anti-virus in the 30 years that I have been a geek and I have never gotten a virus. I don't run anti-malware or any of those other stupid programs. The cure is worse than the cold. If you have a clue and know what you are doing it is impossible to get infected. It is possible to get a virus or malware even though you are running anti-virus software. It is a false sense of security. Knowledge of safe computing rules is the only way to stay virus free.

RE: Dodged a bullet
By Dreifort on 2/10/2009 10:45:23 AM , Rating: 2
Is this Alan Seiler in Socorro, NM? IP address

RE: Dodged a bullet
By SilthDraeth on 2/10/2009 11:54:36 AM , Rating: 2
That about sums up all the statements people make about not needing AV solutions etc.

Good post. I would rate you up, but I believe a lot of people won't catch the meaning behind your post.

RE: Dodged a bullet
By serulin on 2/10/2009 1:21:44 PM , Rating: 1
True that man. I've messed with computers since I was a kid (21 now). And viruses are something "computer users" can learn to deal with in time, with experience and lots of mistakes. Although some may never learn, or even know what's wrong if they don't try to find that knowledge. I remember back then I used to get so many viruses; I would download anything, never scan them, check them, look for comment reviews or anything. And that is YOUR AVERAGE DAY COMPUTER USER in this present day and age. There are so many internet n00bs out there that just learned how to torrent or download mp3s off sites and all this technical stuff and they complain about viruses. And this is not your MOM or DAD, it can even be your friend who just plays mmorpgs but knows jack shit about anything else online. As technology veterans we know what file to be suspicious about, what sites look like scams, and what programs seem to be malware. We know how to remove malware off our computers manually and with software. But the average computer user doesn't. And luckily, some learn, but others never do.

THIS "knowledge", people, is more valuable than any tool (AV software) that you can find. Take some time and learn, people. Unfortunately, easier said than done. If you don't mess with computers often or know your way around torrent sites, you're probably the average comp user and don't want to spend the time on this. But there's never no time. It's just how you choose to spend your time.

RE: Dodged a bullet
By Etsp on 2/10/2009 12:15:39 PM , Rating: 2
I also put in my vote for Nod32... It uses the latest and greatest of programming languages.... ASSEMBLY! (No, this really is an advantage, it's hard as hell to work with, but it's EXTREMELY efficient once compiled.)
