Kaspersky Web Site Hacked With SQL Injection
The hacker, known as Unu, posted screen shots as well as a list of tables Feb. 7 to a blog after hacking into the security company's Web site via a simple SQL injection attack that allowed information, including secret username and password information, to be exposed.
"Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own databases," the hacker said on a hackerblog.org posting. "Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc."
Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, said that upon being made aware of the breach, the company "immediately contacted the right people, shut down the vulnerable part of the Web site within 15 minutes and reinstated the old version of the support site."
Altogether, the site was vulnerable for a total of 10 days, he said.
Schouwenberg said that the U.S. Web site -- usa.kaspersky.com -- was partly developed in-house and partly developed by a third-party contractor. The Web site vulnerability was overlooked due to a processing error that led to a lack of proper scrutiny, researchers said.
"We could have done more on our side to still catch the vulnerability," Schouwenberg said. "We're doing our best to improve our process further and be more strict and prevent this kind of thing from happening again."
Kaspersky researchers said that they also are conducting an external audit to determine the nature of the hack and process improvements that could prevent it in the future.
"If we had been a little bit more thorough, we could have caught this in our own way," Schouwenberg added.
However, Kaspersky security researchers maintained that while the hacker, who was found to be from Romania, did infiltrate the company's Web site, he or she was only able to lift the names of the tables.
Kaspersky researchers said that after careful inspection, they found that no other data was lifted, such as e-mail addresses or activation codes. Schouwenberg said that customer credit card information is handled by a separate third party and not contained on the site.
"He tried to get access to some of the content of these tables, and tried to get access to actual data, but he didn't get into the folders as it were," said Schouwenberg. "Truth be told, if the hacker had been more advanced, he could have gotten access to some of the data he claimed he could."
Meanwhile, contrary to the hacker's story, Kaspersky researchers said that after checking their e-mail logs, the hacker went public with the vulnerability only one hour after e-mailing the company to alert them to the breach.
"While we do monitor those e-mail addresses, we do not monitor them 24x7," Schouwenberg said.
The hack was conducted when almost all of the security company's executive team and several of its high-level security researchers were out of town for Kaspersky Lab's 2009 Partner Conference, held in Fajardo, Puerto Rico, Feb. 5-8.