"ALL UR BASE..." Kaspersky hacked

Archibald Nixon · Feb 10, 2009

Anti-virus provider Kaspersky Lab on Monday moved to reassure customers that none of their personal information was accessed during a 10-day security lapse that exposed a database used to run a support site for its US users.

The company also apologized for the blunder and said it was bringing in database security expert David Litchfield to conduct an independent audit of Kaspersky's website and to publicly share his findings.

Monday's mea culpa came as Unu, the same hacker to expose Kaspersky's faulty website, posted a new blog post claiming a Portuguese website for anti-virus provider Bitdefender was similarly at risk. Bitdefender representatives didn't immediately respond to emails requesting comment.

"This is not good for any company and especially a company dealing with security," Kaspersky's senior anti-virus researcher Roel Schouwenberg said during a conference call with reporters. "This should not have happened. We are now doing everything within our power to do the forensics and prevent this from ever happening again."

Asked if he thought Kasperkey's reputation as a security company might be damaged by the incident, Schouwenberg answered "yes."

The lapse began January 28, when administrators rolled out changes to the support portion of usa.kaspersky.com. A piece of externally developed code that was not properly reviewed was responsible for the SQL injection vulnerability, which allowed hackers to access parts of the protected database contents by embedding commands into Kaspersky URL.

The company reverted to the older site format on Saturday around noon New York time, several hours after hackers posted a blog entry warning that the the vulnerability exposed proprietary information concerning Kaspersky and its customers.

Schouwenberg confirmed that the database contained about 2,500 customer email addresses and about 25,000 codes for authenticating copies of its software. Although the data was susceptible to pilfering during the 10-day period that the site was vulnerable, logs showed no one had actually tried to gain access to the information, he said. Credit-card information was never stored on the site.

Schouwenberg also said the hackers who discovered the vulnerability gave Kaspersky employees just one hour's notice before publishing their findings on a blog. The Kaspersky official gave the account to refute claims the hackers went public only after their private email warnings were ignored. ®

http://www.theregister.co.uk/2009/02/10/kaspersky_promises_audit/

http://www.dailytech.com/Kaspersky+Customer+Database+Exposed+by+Hackers/article14214.htm

SaintLucifer · Feb 10, 2009

Archibald Nixon said:
http://www.theregister.co.uk/2009/02/10/kaspersky_promises_audit/

http://www.dailytech.com/Kaspersky+Customer+Database+Exposed+by+Hackers/article14214.htm

Hackers... helping Kaspersky? I call bullshit.

Archibald Nixon · Feb 11, 2009

You do know that many of these guys are hired by the very companies & organizations whose security flaws they expose, right?

Sort of a resume-by-demonstration.

Also: Lame pic.

SaintLucifer · Feb 11, 2009

Archibald Nixon said:
You do know that many of these guys are hired by the very companies & organizations whose security flaws they expose, right?

Sort of a resume-by-demonstration.

Also: Lame pic.

Yes, I most certainly do know this, more so than you do. Alas, the 'article' mentions nothing about such people. It said 'hackers', and Kaspersky apparently was not aware of these people. Further proof it is bullshit. Kaspersky would not hire someone to scream out to the world, 'here is an security flaw you can exploit, and here is how to do it' for every hacker to see.

You sir, are a moron.

Archibald Nixon · Feb 12, 2009

SaintLucifer said:
Kaspersky would not hire someone to scream out to the world, 'here is an security flaw you can exploit, and here is how to do it' for every hacker to see.

The hiring would be done after the fact, Fake LucidTurd.

SaintLucifer · Feb 13, 2009

Archibald Nixon said:
The hiring would be done after the fact, Fake LucidTurd.

No, it wouldn't, because Kaspersky would never hire someone who has no compunction about REVEALING said weaknesses to the public. Remember, the PUBLIC was alerted BEFORE Kaspersky was. That would endanger Kasperky's sales of their ONLY product.

Fuck, but you are all stupid.

Ancalagon · Feb 14, 2009

SaintLucifer said:
Remember, the PUBLIC was alerted BEFORE Kaspersky was.

Fuck, but you are all stupid.

ORLY?

From the original post:

Schouwenberg also said the hackers who discovered the vulnerability gave Kaspersky employees just one hour's notice before publishing their findings on a blog.

SaintLucifer · Feb 14, 2009

Ancalagon said:
ORLY?

From the original post:

The company reverted to the older site format on Saturday around noon New York time, several hours after hackers posted a blog entry warning that the the vulnerability exposed proprietary information concerning Kaspersky and its customers.

Moron.

Ancalagon · Feb 14, 2009

SaintLucifer said:
Moron.

You do realize there is a difference between learning of a problem and fixing it.

You claimed the company didn't learn of the flaw until after it had been posted. I showed where a company spokesman states the opposite.

And yet I am the moron? :wtf:

SaintLucifer · Feb 14, 2009

Ancalagon said:
You do realize there is a difference between learning of a problem and fixing it.

You claimed the company didn't learn of the flaw until after it had been posted. I showed where a company spokesman states the opposite.

And yet I am the moron? :wtf:

Ah, attempting to weasel your way out of major pwnage. Read it again, moron. They were informed AFTER the blog.

In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a database containing "users, activation codes, lists of bugs, admins, shop, etc." Kaspersky has declined to comment, but two security experts who reviewed the evidence said the claims appeared convincing.

Not only had the flaw been exposed, you dipshit, but PROOF was posted before Kaspersky knew about it.

Dark Pickle · Feb 14, 2009

SaintLucifer said:
Moron.

Oh. Teh. Irony.

Ancalagon · Feb 14, 2009

read. the. fucking. article. you moron.

"This is not good for any company and especially a company dealing with security," Kaspersky's senior anti-virus researcher Roel Schouwenberg said during a conference call with reporters.

Okay, so about midway it is established that this guy Schouwenberg is their senior anti-virus researcher and the one chosen by the company to field calls from reporters.

Then last paragraph:

Schouwenberg also said the hackers who discovered the vulnerability gave Kaspersky employees just one hour's notice before publishing their findings on a blog.

Schouwenberg quite clearly states that the company was informed BEFORE the info was posted on the blog.

What part of that are you not able to grasp?

Bickendan · Feb 16, 2009

The part that doesn't concern his dick.

Archibald Nixon · Feb 22, 2009

It's all good: in Luci's world, time-travelling cyber-jews are a common occurrence.

"ALL UR BASE..." Kaspersky hacked

More options

Archibald Nixon

anti-life coach

SaintLucifer

beer, I want beer

Archibald Nixon

anti-life coach

SaintLucifer

beer, I want beer

Archibald Nixon

anti-life coach

SaintLucifer

beer, I want beer

Ancalagon

I'm not wearing any panties!!

SaintLucifer

beer, I want beer

Ancalagon

I'm not wearing any panties!!

SaintLucifer

beer, I want beer

Dark Pickle

Fucked Off

Ancalagon

I'm not wearing any panties!!

Bickendan

Shifty sumbitch

Archibald Nixon

anti-life coach