Ouch.
This has to be a PR disaster.
Some 24 hours after a hacker claimed to hack a Kaspersky website and access a database containing proprietary customer information, the security provider issued a terse statement confirming it had experienced a security issue. "On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com …
This is a tool I'm using to prevent SQL injection on our server, cross-site scripting and other attacks that can hurt no less than injection attacks. I downloaded dotDefender from www.applicure.com and installed it for a 30-day free trial. I actually saw the attacks happening in real time while using the monitoring mode. You can also use their protective mode and actually prevent attacks coming on your website.
All those web application attacks will drop down immediately.
Dani Alovitz
Their silence whispers darkly:
"We don't give a fuck about user security -- they're only stupid customer sheep after all."
"Our software is probably just as hole-ridden as our numb corporate vacation-taking skulls."
Honest people come clean quick. They're not coming clean at all. Therefore....
Yet another mini Enron in the making?
(does it sound like I'm **really** tired of shit-nothing useless corporations littering the barren IT wasteland?)
"There's no excuse to make a website with SQL injection or XSS flaws these days. It's just sloppy programming."
That's like saying there's no excuse for writing a C program that segfaults these days. If the language itself permits these things and you have a large enough codebase, some of them are bound to sneak through, and all it takes is one slip-up like this to create a regression and expose your whole DB. Keeping sensitive data in a SQL database connected to the internet is playing with fire. SQL is such a simple, powerful and productive paradigm that everyone uses it, myself included, but just lashing it directly to the internet with a bit of PHP is like replacing the flight yoke of an F16 with a drinking straw.
Of course it can be done 'properly'. Even in PHP you can be all test-driven and diligently abstract all your database interactions into a nice API, but think of the cost, time and knowledge factors involved and you will see how it often won't happen. If you're going to be hiring less than perfect coders, the way to tackle these problems is to get them working in a framework where they AREN'T writing their own SQL query strings and they AREN'T responsible for sanitizing raw input by hand for every single input they have to deal with.
Roger Heathcote
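As an added illustration of the point made above (this is not code from the thread or from any product named here), the hand-built query string sits beside a small data-access API that only ever binds parameters; the table and its rows are constructed for the example, and it uses Python's standard-library sqlite3 in place of PHP:

```python
import sqlite3

# Constructed sample rows for the demonstration; not data from the page.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db():
    """In-memory customer table loaded from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def email_for_unsafe(conn, username):
    """The 'SQL string built by hand' pattern the comment warns about.

    The caller's input is spliced into the query text, so the database parser
    reads it as SQL: a legitimate name with an apostrophe breaks the statement,
    and crafted input would change what the statement does.
    """
    sql = "SELECT email FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


class CustomerRepo:
    """The 'nice API' the comment asks for: every query lives in one place and
    callers never assemble SQL. Inputs are bound parameters, so the driver
    hands them to the database as data, never as SQL syntax."""

    def __init__(self, conn):
        self._conn = conn

    def email_for(self, username):
        cur = self._conn.execute(
            "SELECT email FROM customers WHERE username = ?", (username,)
        )
        return [row[0] for row in cur]


def compare_lookup(username):
    """Run both versions on the same input: returns ("error", safe_rows) when
    the hand-built query fails to parse, else (unsafe_rows, safe_rows)."""
    conn = make_db()
    try:
        unsafe = email_for_unsafe(conn, username)
    except sqlite3.OperationalError:
        unsafe = "error"
    return unsafe, CustomerRepo(conn).email_for(username)
```

The apostrophe case is the regression the comment describes: the same name that the repository returns correctly is enough to break the hand-built query, because the database was parsing user input as part of the statement.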
Someone's developers haven't read SQL web programming 101, what a surprise...
I test for this kind of thing professionally and some VERY large very professional bluechip companies try to sell soft/hardware solutions to us with this problem all the time.
Usually we find out they subcontracted the web side of the development to some Indian subcontracting company, and can't/won't/don't know how to/try to avoid making changes because they fired all their proper developers who could have advised them before getting egg on their face during accept-into-service testing.
We should all know better; trouble is, the market in its rush to offshore and cut costs doesn't employ decent coders who care, and then fails to back it up with adequate pre-delivery testing by some proper pen testers. And no, that doesn't mean someone running Nessus on their Windows laptop with safe checks enabled, and no clue what all the boxes are for...
Thus the beancounters in charge shall reap as they sow.
Well Kaspersky's hacked site was developed and maintained by them, but the bitdefender.pt is created and maintained by a reseller of BitDefender so it's not really the same thing. BitDefender websites use an internally developed CMS.