Antivirus firm confirms hackers breached site
SQL injection attack reveals Kaspersky Lab's customer database
Computerworld - Kaspersky Lab, a Moscow-based security company, admitted today that a database containing customer information had been exposed for almost 11 days and that it only learned of the breach when Romanian hackers told the firm about it last Saturday.
"This is not good for any company, especially for a company dealing with security," said Roel Schouwenberg, a Kaspersky senior antivirus researcher, in a telephone conference call today. "This should not have happened."
According to Schouwenberg, no customer data was accessed. "No real data has been accessed, and no data was revealed," he said.
The hackers, who are presumed to be Romanian, went public early Saturday in a blog post. There, they claimed that after launching a SQL injection attack on Kaspersky's U.S. support site, they were able to access a customer database that included e-mail addresses and software activation codes.
Schouwenberg confirmed that the database was hacked via a SQL injection attack, but he reiterated that only the database's table labels had been accessed by the hackers, not the data itself. "A more advanced hacker could have gotten access to the information," Schouwenberg acknowledged, "including activation codes for the product and e-mail addresses. But that didn't happen."
A pool of approximately 2,500 users' e-mail addresses and some 25,000 activation codes were at risk, he said.
Schouwenberg blamed a combination of vulnerable code crafted by an unnamed third-party vendor and poor code review by Kaspersky. "We could have done a bit more to protect ourselves," he said. He also acknowledged that both internal and external monitoring of the company's Web properties had not caught the error. "A piece of the [support] site did not receive the usual scrutiny," said Schouwenberg.
The revamped support site, part of the company's U.S. operations, had been relaunched Jan. 28, leaving the database open to attack from that time until 12:15 p.m. (EST) Saturday, when Kaspersky took the new site offline and swapped in the old version.
Kaspersky has hired Next Generation Security Software Ltd.'s David Litchfield, one of the world's experts on SQL injection attacks and database security, to do an independent audit of the company's systems. Schouwenberg said Kaspersky would make public the results of Litchfield's report, which is expected shortly.
"Something went wrong with our internal code-reviewing process," said Schouwenberg. "Obviously, we are not happy about that." Kaspersky is evaluating that process, he added, and the company "will be making it stricter than it was. We need to do a much better job to prevent this from happening again."
SQL injection attacks have become a major problem for Web sites, which at times have been compromised by such exploits in huge numbers. Last year, for example, more than half a million pages were hacked by a widespread campaign that compromised, among others, sites belonging to the United Nations.
Other high-profile sites that have been victimized by SQL injection attack include Microsoft's U.K.-based site.
Read more about Security in Computerworld's Security Topic Center.
- The State of Video Conferencing Security Video conferencing equipment, found in almost every boardroom around the world, may be opening up companies to serious security breaches. This paper explains...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- What are the desktop virtualization market trends and how can you successfully deploy your solution? You've probably heard about desktop virtualization -- and some of its benefits -- things like tighter security, streamlined management and lower costs. But...
- The Value of Symantec NetBackup Appliances In this video, Symantec's Shelley Schmokel, Principal Product Manager for NetBackup Appliances, talks about the NetBackup Integrated Appliances and how they deliver enterprise-class... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!