Antivirus firm confirms hackers breached site
SQL injection attack reveals Kaspersky Lab's customer database
Computerworld - Kaspersky Lab, a Moscow-based security company, admitted today that a database containing customer information had been exposed for almost 11 days and that it only learned of the breach when Romanian hackers told the firm about it last Saturday.
"This is not good for any company, especially for a company dealing with security," said Roel Schouwenberg, a Kaspersky senior antivirus researcher, in a telephone conference call today. "This should not have happened."
According to Schouwenberg, no customer data was accessed. "No real data has been accessed, and no data was revealed," he said.
The hackers, who are presumed to be Romanian, went public early Saturday in a blog post. There, they claimed that after launching a SQL injection attack on Kaspersky's U.S. support site, they were able to access a customer database that included e-mail addresses and software activation codes.
Schouwenberg confirmed that the database was hacked via a SQL injection attack, but he reiterated that only the database's table labels had been accessed by the hackers, not the data itself. "A more advanced hacker could have gotten access to the information," Schouwenberg acknowledged, "including activation codes for the product and e-mail addresses. But that didn't happen."
A pool of approximately 2,500 users' e-mail addresses and some 25,000 activation codes were at risk, he said.
Schouwenberg blamed a combination of vulnerable code crafted by an unnamed third-party vendor and poor code review by Kaspersky. "We could have done a bit more to protect ourselves," he said. He also acknowledged that both internal and external monitoring of the company's Web properties had not caught the error. "A piece of the [support] site did not receive the usual scrutiny," said Schouwenberg.
The revamped support site, part of the company's U.S. operations, had been relaunched Jan. 28, leaving the database open to attack from that time until 12:15 p.m. (EST) Saturday, when Kaspersky took the new site offline and swapped in the old version.
Kaspersky has hired Next Generation Security Software Ltd.'s David Litchfield, one of the world's experts on SQL injection attacks and database security, to do an independent audit of the company's systems. Schouwenberg said Kaspersky would make public the results of Litchfield's report, which is expected shortly.
"Something went wrong with our internal code-reviewing process," said Schouwenberg. "Obviously, we are not happy about that." Kaspersky is evaluating that process, he added, and the company "will be making it stricter than it was. We need to do a much better job to prevent this from happening again."
SQL injection attacks have become a major problem for Web sites, which at times have been compromised by such exploits in huge numbers. Last year, for example, more than half a million pages were hacked by a widespread campaign that compromised, among others, sites belonging to the United Nations.
Other high-profile sites that have been victimized by SQL injection attack include Microsoft's U.K.-based site.
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!