Kaspersky Hacked.
Posted by: rvdh
Date: February 10, 2009 10:34AM

Excellent stuff, I'm starting to like this site:

http://hackersblog.org/2009/02/07/usakasperskycom-hacked-full-database-acces-sql-injection/

It shows again how hard information security really is, and yeah Kaspersky said: It's no big deal. The usual response.

EDIT: added image.

No big deal eh?

Re: Kaspersky Hacked.
Posted by: id
Date: February 10, 2009 10:56AM

yeah, funny shit. I wonder what percentage of commercial security sites have been owned.

-id

Re: Kaspersky Hacked.
Posted by: thrill
Date: February 10, 2009 08:48PM

Safe bet, 100%.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Kaspersky Hacked.
Posted by: thrill
Date: February 10, 2009 08:52PM

To expand on my post instead of editing... People don't want to pay for security or 'knowledge', they want to pay for warm bodies to be there and say 'yessum sir'.. Initially they may take it seriously, but as is apparent from my previous employer, paying me X dollars a year as opposed to paying someone X-y amount for a replacement made more sense. They won't get hacked *cough* so why do they need to pay that much for someone that can actually identify the threat while it's happening, or even less, looking at the logs to identify a possible initial break-in..

We no need no stinkin' security people, we got loggers and a firewall, we're good to go!

heee heee heee hee! My flight is about to take off, happy trails to you all!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Kaspersky Hacked.
Posted by: Kenny
Date: February 15, 2009 10:03AM

another antivirus website with SQL injection, shame them

------------------
Go Hard or Go Home

Re: Kaspersky Hacked.
Posted by: nullmind
Date: February 16, 2009 12:57PM

In answer to id: I don't know the percentage; however, a few days after Kaspersky, a product reseller of BitDefender (bitdefender.pt) was affected, followed by F-Secure.

Those are important names in the security software market; if we count that the others are Symantec, Trend Micro, Sophos, Panda and maybe CA, we could say that the percentage is about 30%.

I think that the real problem is not the fact that someone is unable to build a secure site but what thrill said in his last post: people still see web security as not a very important thing; people think that whatever they use for protection at the network level will be enough to protect at the software level.

It kinda reminds me of a post made by ronald long ago about WAFs: it is not a simple matter of adding one, it is a matter of fixing whatever is wrong in the underlying code that runs a web application.

But what can you do; a lot of people still think that web applications are just unimportant frontends to connect a client and a vendor, when actually the webapp is in charge of running and using the resources that keep the business up :)

Re: Kaspersky Hacked.
Posted by: wireghoul
Date: February 16, 2009 04:00PM

The attacks appear to have been blind/manual SQLi attacks aimed at the antivirus vendors. I would think that the others not having been disclosed in the same manner is because they haven't been attacked, or they don't have low-hanging SQLi on their website. I think we're all jaded enough to expect someone who invests enough time to be able to find an XSS vector against these sites.

As to 100% of commercial sites being hacked, I'm not so sure. Vulnerable sure, but might be sufficiently cushioned that automated exploits fail.

[www.justanotherhacker.com]

Re: Kaspersky Hacked.
Posted by: thrill
Date: February 17, 2009 10:54AM

Almost 2 years passed until someone realized TJX had been hacked.

If you take into consideration the different number of people responsible for a company's website, then think about the security engineer's (if there is one) responsibility of keeping the entire enterprise safe and secure, then take into consideration how much most sys admins/network engineers know about security as a whole.. yeah.. I'm going to stick to my 100% guesstimate.. the fact we don't know about it doesn't mean it's not true.. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Kaspersky Hacked.
Date: February 17, 2009 09:20PM

People forget that these companies are anti-virus vendors whose specialty is anti-virus, same as ZoneAlarm would be for a firewall. They only think about the security they know. Try giving them a virus and I would bet they will pass that test, but when it comes to web app sec they know little to nothing about it.

>> Almost 2 years passed until someone realized TJX had been hacked.
Nonsense! They have the best IT team in the industry, no one could ever hack them.

Re: Kaspersky Hacked.
Posted by: Fugitif
Date: February 23, 2009 06:12AM

Another critical XSS bug was found yesterday on kaspersky.com

more about:

[nemesis.te-home.net]

Re: Kaspersky Hacked.
Posted by: rvdh
Date: February 23, 2009 07:39AM

lol

check this, a commenter on your site posted this as well:

http://virusprotection.se/specials.php

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-0, 0' at line 1

select p.products_id, pd.products_name, p.products_price, p.products_tax_class_id, p.products_image, s.specials_new_products_price
from products p, products_description pd, specials s
where p.products_status = '1' and s.products_id = p.products_id and p.products_id = pd.products_id and pd.language_id = '5' and s.status = '1'
order by s.specials_date_added DESC limit -0, 0


Re: Kaspersky Hacked.
Posted by: Fugitif
Date: February 23, 2009 12:49PM

I have made a new update: another 2 Kaspersky websites vulnerable to XSS and redirect.

[nemesis.te-home.net]

Re: Kaspersky Hacked.
Posted by: MAdhaTTer-240
Date: February 23, 2009 12:55PM

Thrill
Funny you mention that, I had an epiphany the other day.

As long as Visa and Mastercard are notifying companies that they have been breached, we don't have anything to worry about ;) Seriously tho, think about it, TJX, Hannaford, they had NO IDEA!

Personally I blame sloppy crime rings like the RBN. Had they handled the credit card data better, say, merging that data with more PCI data from other companies... as opposed to a rash of credit cards being used in Miami that all trace back to TJX... Not that I am complaining, I profit from security breaches, legally of course.

Seriously tho, I think the problem is the "Commercial Security Companies", at least the Fortune 500 ones.. Really tho, Visa and Mastercard should become MSSes! No false positives, they actually catch stuff...

Cryptic Mauler,
Still so naive huh.
The AV companies would still fail the test...
Security is like talent, it comes and goes with contracts.. ;)

Re: Kaspersky Hacked.
Posted by: thrill
Date: February 23, 2009 06:01PM

>> Security is like talent, it comes and goes with contracts.. ;)

Amen!

The bad thing IMO is that Visa and Master Card, while good at catching it, don't really care. They don't lose anything by it, it's TJX that had to fork out the fraudulent costs, and that's the only thing Visa and MC care about, getting paid..

If that ring, as you mentioned, had taken slightly better care, that 3 years could have become 10 years.. imagine the number of fraudulent charges a person could put through during Christmas time when everyone is using up their credit cards and the issuing bank raises the trigger for the number of transactions before the suspicious flag kicks in.. one might get away with buying id that mobile home he's been dreaming about... ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Kaspersky Hacked.
Posted by: MAdhaTTer-240
Date: February 24, 2009 11:44AM

;)

You can not have improvement without change.
---------------------------------------------
-- A & R Technology Consulting - Providing solutions, not limitations -

Re: Kaspersky Hacked.
Posted by: id
Date: February 24, 2009 04:00PM

The CC companies do have something to lose: faith in their product. They take that % off every transaction; if the number of transactions goes down they make less money. It's a huge deal to them.

-id

Re: Kaspersky Hacked.
Posted by: thrill
Date: February 24, 2009 05:59PM

>> The CC companies do have something to lose, faith in their product

In this age of convenience, I really doubt that people will stop using their CC's because they had the inconvenience of having to argue a charge on a bill.. Do you still write out checks to pay for your utilities? Utilities were the last to get on the proverbial boat, but the convenience factor for their customers forced them to join it.. will you stop your auto pay for your utilities because some lame ass retailer couldn't identify a breach as soon as it happened? Didn't think so..

I am however amazed that almost 10 years after Y2K security still has not taken a top priority role in most companies.. we've both been seeing in the past 10 years the same shit happening over and over.. and maybe it is due to companies like the big consultant firms, or firms like well done @steak that had just one focus.. milk the customer and don't teach them crap.. as Madhatter said, security comes and goes with a contract.. and even when people have security conscious individuals working for them, like in the case of Cryptic, they ignore their warnings.. or even in my case.. I'm just too expensive even though I'm doing not only the security work but also network/sysadmin/desktop support shit..

I say keep milking the fu.ckers, maybe eventually you will need an office out here and if I'm still in computers then I'll gladly be your boss.. ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Kaspersky Hacked.
Posted by: MAdhaTTer-240
Date: February 24, 2009 11:04PM

See, I am not too expensive, I am worth much more than what I charge (not complaining). It is all about Return On Investment, which is tricky to calculate for security. The risk is the business, its assets and its clientèle. Knowing how much of those assets you were able to keep due to security is the problem. When that can reliably be calculated we will be better off.

My problem was knocking the company off line... not my cost ;)

You can not have improvement without change.
---------------------------------------------
-- A & R Technology Consulting - Providing solutions, not limitations -

Re: Kaspersky Hacked.
Posted by: id
Date: February 25, 2009 05:02PM

>> I really doubt that people will stop using their CC's because they had the inconvenience of having to argue a charge on a bill.

That's exactly what happened at TJX, and having dealt with CC companies security teams, I know it is one of their greatest concerns.

-id

Re: Kaspersky Hacked.
Posted by: thrill
Date: February 25, 2009 06:23PM

But what you're talking about is trying to build a house starting with the roof first.. that's never going to work unless the CC companies get serious about doing audits (with qualified people rather than accountants of course) at the larger retailers to ensure this type of thing doesn't happen.

But as it is, there are too many companies that just do the bare minimum to secure their information.. yes, they might hire CISSP's up the ying yang (nothing against those of you who hold that certification and actually know what you're doing), but that doesn't mean that the enterprise will be secure..

So the only thing the CC companies can do is be the watchdogs and attempt to recognize early patterns.. but I'm sure eventually the CC's will get tired of doing that work for the retailers, and then what? Charge more?

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Kaspersky Hacked.
Posted by: Fugitif
Date: March 03, 2009 08:36AM

http://www.kasperskylabs.ir/fa/f_q/f&q.asp?search="><script>alert('XSS')</script>

http://www.kasperskylabs.ir/fa/f_q/f&q.asp?search="><iframe src=http://sla.ckers.org></iframe>

redirect

http://www.kasperskylabs.ir/fa/f_q/f&q.asp?search="<META HTTP-EQUIV="refresh" content="0; URL=http://sla.ckers.org">


more bad security settings

[nemesis.te-home.net]

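The three URLs above all depend on the search term being echoed back unencoded inside a quoted attribute, so a leading `">` closes the attribute and the tag. As an added illustration (not from the thread and not Kaspersky's code), this constructed Python snippet renders such a form both ways and uses the standard-library parser to check whether the term survives as a single attribute value or spawns new elements; the form markup and the `context_escaped` check are my assumptions, while the search values are copied from the URLs in the post.

```python
import html
from html.parser import HTMLParser

# Constructed copies of the search values from the kasperskylabs.ir URLs above.
POSTED_SEARCH_VALUES = [
    '"><script>alert(\'XSS\')</script>',
    '"><iframe src=http://sla.ckers.org></iframe>',
    '"<META HTTP-EQUIV="refresh" content="0; URL=http://sla.ckers.org">',
]

# Hypothetical search form that echoes the term back inside a quoted attribute.
FORM = '<form><input type="text" name="search" value="{value}"></form>'


def render_unsafe(search):
    """Reflect the raw term: the pattern a leading '">' breaks out of."""
    return FORM.format(value=search)


def render_safe(search):
    """Attribute-encode first: quotes and angle brackets become entities."""
    return FORM.format(value=html.escape(search, quote=True))


class _Scan(HTMLParser):
    """Collect every start tag plus the value attribute the input ends up with."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # The parser unescapes entities, so a correctly encoded term
            # comes back as the original string.
            self.value = dict(attrs).get("value")


def context_escaped(rendered, search):
    """True when the term is still one attribute value and no extra tags appeared."""
    scan = _Scan()
    scan.feed(rendered)
    scan.close()
    extra = [t for t in scan.tags if t not in ("form", "input")]
    return not extra and scan.value == search


if __name__ == "__main__":
    for term in POSTED_SEARCH_VALUES:
        print(context_escaped(render_unsafe(term), term),
              context_escaped(render_safe(term), term))
```

The unsafe rendering fails the check for all three values (either a new script/iframe element appears or the input's value is truncated to an empty string), while the encoded rendering passes for all three.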