Current Event: Kaspersky Hacked

By Ryan McElroy at 5:00 pm on February 8, 2009

Kaspersky, an Antivirus vendor and Internet Security Lab, recently fell victim to an internet hacker using an SQL-injection attack. The attack compromised data in all databases accessible to the web server. According to the hacker, “Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.”

Discussion on the board where the hacker originally announced the successful attack has mostly been congratulatory, especially after the hacker announced that he would not expose any confidential information he had found (although he may have already done so with the password hashes).

On Slashdot, discussion includes the insightful comment, echoing the advice in the textbook, that blacklisting and escaping isn’t sufficient: “No. Escaping is error-prone as you will invariably fail to escape some special character you don’t know about. The right way to fix SQL injection is to use parametrized queries.”

Timely advice!
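To make the Slashdot commenter's point concrete, here is an added example (not from the original post and not Kaspersky's code) using Python's sqlite3 module on a constructed in-memory schema: the same product lookup written three ways, with the request parameter spliced into the SQL, with quotes escaped, and with a bound parameter. The altered parameter value is constructed for the demonstration; only the parameterized version keeps the second table out of reach.

```python
import sqlite3

# Constructed request value: one altered parameter that pulls in another table.
ALTERED_PARAM = "1 UNION SELECT code FROM activation_codes"


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a public table plus a sensitive one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE activation_codes (id INTEGER PRIMARY KEY, code TEXT);
        INSERT INTO products VALUES (1, 'Internet Security'), (2, 'Anti-Virus');
        INSERT INTO activation_codes VALUES (1, 'CODE-0001'), (2, 'CODE-0002');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    # The request parameter is spliced into the SQL text, so the parser reads
    # attacker-supplied syntax, not just a value.
    sql = f"SELECT name FROM products WHERE id = {product_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn: sqlite3.Connection, product_id: str) -> list:
    # Escaping quotes does not help here: a numeric context needs no quote
    # to break out, so the altered parameter still rewrites the query.
    cleaned = product_id.replace("'", "''")
    sql = f"SELECT name FROM products WHERE id = {cleaned}"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, product_id: str) -> list:
    # The value is bound separately from the SQL text; the driver treats it
    # as data, so an altered parameter simply matches no row.
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", lookup_vulnerable(db, ALTERED_PARAM))
    print("escaped:       ", lookup_escaped(db, ALTERED_PARAM))
    print("parameterized: ", lookup_parameterized(db, ALTERED_PARAM))
```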

Filed under: Current Events, Ethics