Author Topic: More on the Kaspersky website hack  (Read 7302 times)

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
More on the Kaspersky website hack
« on: February 09, 2009, 11:50 AM »
From Daniweb: More on the Kaspersky website hack

Link to full article: http://www.daniweb.c...blogs/entry3947.html


Kaspersky confirms hack with fingers firmly in ears



Staff Writer
Inside Edge - IT News, Analysis and Opinion
Feb 9th, 2009, 6:08 am

-----------------

Yesterday I reported how the security vendor Kaspersky had allegedly fallen victim to a SQL Injection attack, with the usa.kaspersky.com website hacked and plenty of data potentially exposed. I said that Kaspersky would no doubt make an official statement sooner rather than later, and it has. Unfortunately it is one that still leaves plenty of questions unanswered and reminds me of a man facing a firing squad with fingers in ears and yelling 'la la la' like that will stop the bullets.

Interesting discussion. Be sure to check out the write-up from The Register ( http://www.theregist...ompromise_follow_up/ ) linked inside the article.

The Register also has an interesting link within its own article:

SQL injections are like Jedi mind tricks. With the wave of a hand and a discreetly placed suggestion - in this case SQL database commands buried deep inside a long URL - hackers are able to turn weak-minded websites against themselves. Often, the compromise is fairly innocuous and comes in the form of a simple site defacement. Not so with the SQL injection that visited Kaspersky.

It allowed any Jedi knight who knew the secret passphrase to trick the website into dumping entire tables in its database.

"This was a typical UNION injection attack that enables SELECT statements to be poisoned with information from foreign tables," according to one Reg reader account that was confirmed by Tocsixu.

The reader, who was able to duplicate the attack Unu laid out here, continued:

 :tellme:



CWuestefeld

  • Supporting Member
  • Joined in 2006
  • Posts: 1,009
Re: More on the Kaspersky website hack
« Reply #1 on: February 09, 2009, 12:55 PM »
I'm ambivalent.

On the one hand, a SQL injection attack is entirely unrelated to the sort of security that Kaspersky's tools deliver. I mean, protecting me from viruses and worms has nothing to do with protecting me from my own badly designed web site.

On the other hand, vulnerability to SQL injection is completely web development 101 -- it's the easiest sort of attack to prevent, there's really no excuse for falling victim to it (I say as I look nervously around me).
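The mechanics behind both points in this thread, as an added example that is not part of the forum discussion, The Register's write-up, or any Kaspersky code: a constructed Python/sqlite3 schema with a products table and an unrelated licenses table holding activation codes, a lookup that splices the id= parameter from the request URL straight into the query (the UNION injection The Register describes, with the SQL riding inside a long URL), and the same lookup with a bound parameter, which is the "web development 101" fix CWuestefeld refers to. The host name, table and column names, activation codes and URLs are all invented for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed sample data (not from the page): a catalogue table the site
# legitimately queries and a licenses table holding activation codes, the
# kind of "foreign table" a UNION injection can pull into the result.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price TEXT);
CREATE TABLE licenses (id INTEGER PRIMARY KEY, customer TEXT, activation_code TEXT);
INSERT INTO products VALUES (1, 'Anti-Virus 2009', '39.95');
INSERT INTO products VALUES (2, 'Internet Security 2009', '59.95');
INSERT INTO licenses VALUES (1, 'alice@example.com', 'AAAA-1111-BBBB-2222');
INSERT INTO licenses VALUES (2, 'bob@example.com', 'CCCC-3333-DDDD-4444');
"""

# Constructed attack URL (hypothetical host): the SQL rides inside the id=
# parameter, percent-encoded, which is the "commands buried deep inside a
# long URL" case The Register describes.
ATTACK_URL = ("http://shop.example.test/product.php"
              "?id=1%20UNION%20SELECT%20customer,activation_code%20FROM%20licenses")
BENIGN_URL = "http://shop.example.test/product.php?id=1"


def make_db():
    """In-memory SQLite database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def id_from_url(url):
    """Extract the raw, percent-decoded id= query parameter, as a page handler would."""
    return parse_qs(urlparse(url).query)["id"][0]


def lookup_vulnerable(conn, product_id):
    """Splices the parameter into the SQL text. The attacker's UNION supplies
    the same number of columns (two) as the original SELECT, so the database
    appends the licenses rows to the product rows and returns them together."""
    sql = f"SELECT name, price FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, product_id):
    """Binds the parameter. The entire string is compared against the integer
    id as a value; none of it is ever parsed as SQL, so the UNION never runs."""
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def foreign_rows(conn, rows):
    """Rows in a result set that did not come from products, i.e. what the
    attacker actually gained from the injected UNION."""
    names = {n for (n,) in conn.execute("SELECT name FROM products")}
    return sorted(r for r in rows if r[0] not in names)


if __name__ == "__main__":
    db = make_db()
    payload = id_from_url(ATTACK_URL)
    dumped = lookup_vulnerable(db, payload)
    print("vulnerable   :", dumped)
    print("leaked       :", foreign_rows(db, dumped))
    print("parameterized:", lookup_parameterized(db, payload))
    print("benign       :", lookup_parameterized(db, id_from_url(BENIGN_URL)))
```

With the vulnerable lookup the single product row comes back followed by every row of the licenses table, which the page then renders as if it were product data. With the bound parameter the same payload is compared as a string against the integer id and matches nothing; no escaping or blacklist logic is involved, which is why parameterised queries are the fix that is hard to get wrong.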

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
Re: More on the Kaspersky website hack
« Reply #2 on: February 09, 2009, 01:18 PM »
I'm ambivalent.

On the one hand, a SQL injection attack is entirely unrelated to the sort of security that Kaspersky's tools deliver. I mean, protecting me from viruses and worms has nothing to do with protecting me from my own badly designed web site.

On the other hand, vulnerability to SQL injection is completely web development 101 -- it's the easiest sort of attack to prevent, there's really no excuse for falling victim to it (I say as I look nervously around me).

Good points, to be sure.

Still, I don't so much care what goes down, as I do about how well a company handles the aftermath. Crisis response speaks volumes about a company's organization and culture. To stonewall a bit and then say "oh well" doesn't inspire confidence in what they might do if they discovered a major flaw in one of their products. Would they go public and warn people, or would they just do the "silent fix" with their update utility and hope nobody noticed?

This isn't some FOSS operation. This is Kaspersky. Somehow I expected a little more.



cranioscopical

  • Friend of the Site
  • Supporting Member
  • Joined in 2006
  • Posts: 4,776
Re: More on the Kaspersky website hack
« Reply #3 on: February 09, 2009, 01:31 PM »
Somehow I expected a little more.
And got a little less... so, more or less what you expected  ;)

gorinw13

  • Member
  • Joined in 2006
  • Posts: 63
Re: More on the Kaspersky website hack
« Reply #4 on: February 09, 2009, 03:55 PM »
From the article:

"... claims that the SQL Injection attack on usa.kaspersky.com has exposed activation codes ..."

The activation codes will circulate on the warez sites, and how will Kaspersky deal with it? How will it notify the many legitimate customers who are the real owners of those activation codes to contact Kaspersky and get new, unblocked activation codes / keys? They could do this with a system tray notification, but some legitimate customers still may not know what to do...