Kaspersky Web Site Hacked With SQL Injection

Written by Stefanie Hoffman
ChannelWeb
February 09, 2009

A security vulnerability in Moscow-based Kaspersky Lab's U.S. Web site was made public after a hacker launched a SQL attack and posted listings of tables contained on the security company's site.

The hacker, known as Unu, posted screen shots as well as a list of tables Feb. 7 to a blog after hacking into the security company's Web site via a simple SQL injection attack that let information, including username and password data, be exposed.

"Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own databases," the hacker said on a hackerblog.org posting. "Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc."
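The flaw described above, a request parameter spliced straight into SQL text so that altering it changes the query, is the classic SQL injection pattern. The following Python example is added here for illustration and is not code from the article, from Kaspersky, or from the attacker; it uses a constructed in-memory SQLite table (a hypothetical `users` table, not Kaspersky's schema) to show the vulnerable lookup beside two hardened variants: one that only binds the parameter, and one that also validates its shape before binding.

```python
import sqlite3

# Constructed sample data standing in for a site's user table (hypothetical schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
        (3, "carol", "carol@example.test"),
    ])
    return conn

def lookup_vulnerable(conn, user_id):
    # Builds the statement by string concatenation: the request parameter
    # becomes part of the SQL text, so altering it rewrites the query's logic.
    sql = "SELECT username, email FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()

def lookup_bound(conn, user_id):
    # Binds the raw parameter. The driver passes it as a value, never as SQL,
    # so a tampered string simply fails to match any row.
    sql = "SELECT username, email FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def lookup_validated(conn, user_id):
    # Defence in depth: reject anything that is not the expected shape
    # (a positive integer) before it reaches the database at all.
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT username, email FROM users WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()

def demo():
    """Run each lookup with a normal and a tampered parameter; return the outcomes."""
    conn = make_db()
    normal = "2"
    tampered = "2 OR 1=1"   # constructed tampered value: a tautology appended to the id
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),  # dumps every row
        "bound_normal": lookup_bound(conn, normal),
        "bound_tampered": lookup_bound(conn, tampered),            # no rows
        "validated_normal": lookup_validated(conn, normal),
    }
    try:
        lookup_validated(conn, tampered)
        results["validated_tampered"] = "accepted"
    except ValueError:
        results["validated_tampered"] = "rejected"
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The contrast is the point of the fix Schouwenberg describes: with concatenation, one altered parameter turns a single-row lookup into a query over the whole table, whereas a bound parameter is compared as data and a validated one never reaches the database in the first place. In a code review or external audit of this kind, every place a request parameter meets SQL text is the thing to look for.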

Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, said that upon being made aware of the breach, the company "immediately contacted the right people, shut down the vulnerable part of the Web site within 15 minutes and reinstated the old version of the support site."

Altogether, the site was vulnerable for a total of 10 days, he said.

Schouwenberg said that the U.S. Web site -- usa.kaspersky.com -- was partly developed in-house and partly developed by a third-party contractor. The Web site vulnerability was overlooked due to a processing error that led to lack of proper scrutiny, researchers said.

"We could have done more on our side to still catch the vulnerability," Schouwenberg said. "We're doing our best to improve our process further and be more strict and prevent this kind of thing from happening again."

Kaspersky researchers said that they also are conducting an external audit to determine the nature of the hack and process improvements that could prevent it in the future.

"If we had been a little bit more thorough, we could have caught this in our own way," Schouwenberg added.

However, Kaspersky security researchers maintained that while the hacker, who was found to be from Romania, did infiltrate the company's Web site, he or she was only able to lift the names of the tables.

Kaspersky researchers said that after careful inspection, they found that no other data was lifted, such as e-mail addresses or activation codes. Schouwenberg said that customer credit card information is handled by a separate third party and not contained on the site.

"He tried to get access to some of the content of these tables, and tried to get access to actual data, but he didn't get into the folders as it were," said Schouwenberg. "Truth be told, if the hacker had been more advanced, he could have gotten access to some of the data he claimed he could."

Meanwhile, contrary to the hacker's story, Kaspersky researchers said that after checking their e-mail logs, the hacker went public with the vulnerability only one hour after e-mailing the company to alert them to the breach.

"While we do monitor those e-mail addresses, we do not monitor them 24x7," Schouwenberg said.

The hack was conducted when almost all of the security company's executive team and several of its high-level security researchers were out of town during the Kaspersky Lab's 2009 Partner Conference, held in Fajardo, Puerto Rico, Feb. 5-8.
