Antivirus firm confirms hackers breached site
SQL injection attack reveals Kaspersky Lab's customer database
Computerworld - Kaspersky Lab, a Moscow-based security company, admitted today that a database containing customer information had been exposed for almost 11 days and that it only learned of the breach when Romanian hackers told the firm about it last Saturday.
"This is not good for any company, especially for a company dealing with security," said Roel Schouwenberg, a Kaspersky senior antivirus researcher, in a telephone conference call today. "This should not have happened."
According to Schouwenberg, no customer data was accessed. "No real data has been accessed, and no data was revealed," he said.
The hackers, who are presumed to be Romanian, went public early Saturday in a blog post. There, they claimed that after launching a SQL injection attack on Kaspersky's U.S. support site, they were able to access a customer database that included e-mail addresses and software activation codes.
Schouwenberg confirmed that the database was hacked via a SQL injection attack, but he reiterated that only the database's table labels had been accessed by the hackers, not the data itself. "A more advanced hacker could have gotten access to the information," Schouwenberg acknowledged, "including activation codes for the product and e-mail addresses. But that didn't happen."
A pool of approximately 2,500 users' e-mail addresses and some 25,000 activation codes were at risk, he said.
Schouwenberg blamed a combination of vulnerable code crafted by an unnamed third-party vendor and poor code review by Kaspersky. "We could have done a bit more to protect ourselves," he said. He also acknowledged that both internal and external monitoring of the company's Web properties had not caught the error. "A piece of the [support] site did not receive the usual scrutiny," said Schouwenberg.
The revamped support site, part of the company's U.S. operations, had been relaunched Jan. 28, leaving the database open to attack from that time until 12:15 p.m. (EST) Saturday, when Kaspersky took the new site offline and swapped in the old version.
Kaspersky has hired Next Generation Security Software Ltd.'s David Litchfield, one of the world's experts on SQL injection attacks and database security, to do an independent audit of the company's systems. Schouwenberg said Kaspersky would make public the results of Litchfield's report, which is expected shortly.
"Something went wrong with our internal code-reviewing process," said Schouwenberg. "Obviously, we are not happy about that." Kaspersky is evaluating that process, he added, and the company "will be making it stricter than it was. We need to do a much better job to prevent this from happening again."
SQL injection attacks have become a major problem for Web sites, which at times have been compromised by such exploits in huge numbers. Last year, for example, more than half a million pages were hacked by a widespread campaign that compromised, among others, sites belonging to the United Nations.
Other high-profile sites that have been victimized by SQL injection attack include Microsoft's U.K.-based site.
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!