Tuesday, February 10, 2009

Kaspersky Confirms Website Hacked

Kaspersky Lab's has confirmed that hackers using an SQL injection technique have gained access to a database containing customer information. The database had been exposed for almost 11 days prior to Kaspersky learning of the breach. It wasn't until the Romanian hackers told the firm about it last Saturday, and later posted proof of the attack that the company was aware of the issue.

According to Kaspersky representatives approximately 2,500 users' e-mail addresses and some 25,000 activation codes were at risk. However, Kaspersky researchers said that after carefully reviewing their logs, they found that the hacker was only able to lift table headlines, and not customer credit card numbers, activation codes or other sensitive information as previously claimed.

acronis true image 11"No data has actually been accessed. No data has been exposed or leaked," said Roel Schouwenberg, senior antivirus researcher for Moscow-based Kaspersky Lab. "He tried to get access to some of the content of these tables, but he failed to manage to get access to actual data. He got the directory, but he didn't get into the folders as it were."

The following press release as posted to Kaspersky's site today:

Kaspersky Lab Confirms Website Attack; Verifies No Data Was Compromised

The usa.kaspersky.com domain was attacked on Friday, February 6, 2009. The attack occurred when a SQL injection attack was launched on a subsection of the site, the support site. A vulnerability was in the code of the support site when a new version of the site was rolled out at the end of January. The attack was successful in penetrating the support site, but it was unable to take data from the site and as a result no data was compromised.

Upon notification of the vulnerability, company personnel took immediate action to address the issue, and the vulnerability was remediated within 30 minutes of notification. The attack was not able to access to any other portions of any other Kaspersky Lab sites – including ecommerce sites.

The company’s experts are currently investigating the incident and to go a step further have hired Next Generation Security Software’s David Litchfield to further investigate. Upon completion, the results of Litchfield’s report will be made public.

Kaspersky Lab recognizes the fact that this attack could have had much more serious ramifications and is doing an extra-thorough security audit of all official Kaspersky Lab sites and developing additional internal review processes to ensure the company’s corporate resources are protected from similar attacks in the future.

It should also be noted that Kaspersky Lab’s core competency as a company is developing anti-malware solutions and our research and development is a different group from our web developers, therefore the quality of the solutions we deliver has not been compromised in any way.

Crucial Memory SelectorSQL injection attacks are nothing new, and Kaspersky admitted fault for not properly securing their site. "We could have done a bit more to protect ourselves," Schouwenberg said. He also acknowledged that both internal and external monitoring of the company's Web properties had not caught the error. "A piece of the site did not receive the usual scrutiny."

According to a report today on ChannelWeb Kaspersky might not be alone. ChannelWeb is report the Kaspersky hacker, also known as Unu, has to launched a similar attack on security company BitDefender's database, posting screen shots on the hackersblog.org site.

"It seems Kaspersky aren't the only ones who need to secure their database. BitDefender has the same problems. The images speak for themselves. First we see the version, user and name of the database," the hacker said.

So the question would be seem to be, how can we trust these companies to secure our data when they can't even secure their own?

No comments:

Post a Comment

All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you