{"id":854,"date":"2009-02-08T17:00:48","date_gmt":"2009-02-09T01:00:48","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=854"},"modified":"2009-02-08T17:00:48","modified_gmt":"2009-02-09T01:00:48","slug":"current-event-kaspersky-hacked","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/08\/current-event-kaspersky-hacked\/","title":{"rendered":"Current Event: Kaspersky Hacked"},"content":{"rendered":"<p><a href=\"http:\/\/www.kaspersky.com\/\">Kaspersky<\/a>, an Antivirus vendor and Internet Security Lab, recently fell victim to an internet hacker using an <a href=\"http:\/\/en.wikipedia.org\/wiki\/SQL_injection\">SQL-injection<\/a> attack. The attack compromised data in all databases accessible to the web server. According to the hacker, &#8220;Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.&#8221;<\/p>\n<p>Discussion on <a href=\"http:\/\/hackersblog.org\/\">the board<\/a> where the hacker <a href=\"http:\/\/hackersblog.org\/2009\/02\/07\/usakasperskycom-hacked-full-database-acces-sql-injection\/\">originally announced<\/a> the successful attack has mostly been congratulatory, especially after the hacker <a href=\"http:\/\/hackersblog.org\/2009\/02\/08\/response-for-theregistercouk\/\">announced<\/a> that he would not expose any confidential information he had found (although he may have already done so with the password hashes).<\/p>\n<p>On <a href=\"http:\/\/it.slashdot.org\/article.pl?sid=09\/02\/08\/2218256\">Slashdot<\/a>, discussion includes the insightful comment, echoing the advice in the textbook, that blacklisting and escaping isn&#8217;t sufficient: &#8220;No. Escaping is error-prone as you will invariably fail to escape some special character you don&#8217;t know about. The right way to fix SQL injection is to use parametrized queries.&#8221;<\/p>\n<p>Timely advice!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky, an Antivirus vendor and Internet Security Lab, recently fell victim to an internet hacker using an SQL-injection attack. The attack compromised data in all databases accessible to the web server. According to the hacker, &#8220;Alter one of the parameters &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/08\/current-event-kaspersky-hacked\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":66,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,7],"tags":[],"class_list":["post-854","post","type-post","status-publish","format-standard","hentry","category-current-events","category-ethics"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/854","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/66"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=854"}],"version-history":[{"count":1,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/854\/revisions"}],"predecessor-version":[{"id":855,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/854\/revisions\/855"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=854"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=854"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=854"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}