Tuesday, February 10, 2009

Antivirus firm confirms hackers breached site

SQL injection attack reveals Kaspersky Lab's customer database

Kaspersky Lab, a Moscow-based security company, admitted today that a database containing customer information had been exposed for almost 11 days and that it only learned of the breach when Romanian hackers told the firm about it last Saturday.

"This is not good for any company, especially for a company dealing with security," said Roel Schouwenberg, a Kaspersky senior antivirus researcher, in a telephone conference call today. "This should not have happened."

According to Schouwenberg, no customer data was accessed. "No real data has been accessed, and no data was revealed," he said.

The hackers, who are presumed to be Romanian, went public early Saturday in a blog post. There, they claimed that after launching a SQL injection attack on Kaspersky's U.S. support site, they were able to access a customer database that included e-mail addresses and software activation codes.

Schouwenberg confirmed that the database was hacked via a SQL injection attack, but he reiterated that only the database's table labels had been accessed by the hackers, not the data itself. "A more advanced hacker could have gotten access to the information," Schouwenberg acknowledged, "including activation codes for the product and e-mail addresses. But that didn't happen."

A pool of approximately 2,500 users' e-mail addresses and some 25,000 activation codes were at risk, he said.

Schouwenberg blamed a combination of vulnerable code crafted by an unnamed third-party vendor and poor code review by Kaspersky. "We could have done a bit more to protect ourselves," he said. He also acknowledged that both internal and external monitoring of the company's Web properties had not caught the error. "A piece of the [support] site did not receive the usual scrutiny," said Schouwenberg.

The revamped support site, part of the company's U.S. operations, had been relaunched Jan. 28, leaving the database open to attack from that time until 12:15 p.m. (EST) Saturday, when Kaspersky took the new site offline and swapped in the old version.

Kaspersky has hired Next Generation Security Software Ltd.'s David Litchfield, one of the world's experts on SQL injection attacks and database security, to do an independent audit of the company's systems. Schouwenberg said Kaspersky would make public the results of Litchfield's report, which is expected shortly.

"Something went wrong with our internal code-reviewing process," said Schouwenberg. "Obviously, we are not happy about that." Kaspersky is evaluating that process, he added, and the company "will be making it stricter than it was. We need to do a much better job to prevent this from happening again."

SQL injection attacks have become a major problem for Web sites, which at times have been compromised by such exploits in huge numbers. Last year, for example, more than half a million pages were hacked by a widespread campaign that compromised, among others, sites belonging to the United Nations.

Other high-profile sites that have been victimized by SQL injection attack include Microsoft's U.K.-based site.

No comments:

Post a Comment