Kaspersky Says No Data Lost In SQL Attack
The hacker, known in the hackerblog.org community as Unu, posted screen shots as well as a list of tables from the database on Feb. 7 after breaking into Kaspersky Lab's Web site via a SQL injection attack. The attacker was able to infiltrate the Web site, and subsequently launch malicious code, by entering user password credentials.
"Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own databases," the hacker said on a hackerblog.org posting. "Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc."
However, Kaspersky researchers said that after carefully reviewing their logs, they found that the hacker, who they said was located in Romania, was only able to retrieve table names, and not customer credit card numbers, activation codes or other sensitive information as previously claimed.
"No data has actually been accessed. No data has been exposed or leaked," said Roel Schouwenberg, senior antivirus researcher for Moscow-based Kaspersky Lab. "He tried to get access to some of the content of these tables, but he failed to manage to get access to actual data. He got the directory, but he didn't get into the folders as it were."
Meanwhile, the hacker known as Unu appeared to launch a similar attack on security company BitDefender's database, posting screen shots on the hackerblog.org site.
"It seems Kaspersky aren't the only ones who need to secure their database. BitDefender has the same problems. The images speak for themselves. First we see the version, user and name of the database," the hacker said.
Schouwenberg said that had the hacker's technique been more sophisticated, he could have accessed 2,500 e-mail addresses, new subscription information and 25,000 activation codes, among other information. Meanwhile, Schouwenberg said the hacker also was not able to access credit card information because credit card numbers are processed separately off site.
"The hacker was also saying that he could have gotten access to credit cards. We do not handle credit cards ourselves -- that's handled by a third party. That's never been exposed," he said.
The security error dated back to Jan. 28 when the company rolled out changes to the support portion of its U.S. site -- usa.kaspersky.com -- and remained vulnerable for about 10 days before the hacker went public with the attack Feb. 7, researchers said.
Schouwenberg said that upon receiving word of the attack, Kaspersky administrators shut down the vulnerable part of the Web site and reinstated the old version of the site. He also said that Kaspersky hired renowned database security expert David Litchfield to conduct an independent security audit to assess the company's security infrastructure.
"Obviously there's some lack of trust but we want to give 100 percent transparency," he said.
Schouwenberg said that the company's U.S. Web site was developed partly in-house and partly by a third party. He also said that Kaspersky researchers failed to properly scrutinize and test the site, and therefore overlooked the security vulnerability contained in the outsourced part of the site.
"We have started a process to improve detecting these kinds of vulnerabilities in the new portion of the U.S. support site. [The Web site] did not go through the normal scrutiny, and that's how that code got to live," Schouwenberg said.
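The flaw the hacker described ("alter one of the parameters" and the database lists its tables) and the review process Schouwenberg says was skipped both come down to one coding pattern. The following is an added illustration, not code from Kaspersky's site or from the article: a constructed support-portal lookup written the weak way (request parameter spliced into the SQL text) beside the corrected way (type-checked and bound as a query parameter), plus a small log check that flags the kind of altered parameter involved. The database schema, the `ALTERED_ID` value and the `SAMPLE_LOG` lines are all invented for the demonstration.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a support-portal database (not Kaspersky's); the table
# names echo the kinds the article mentions, the contents are invented.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, email TEXT);
        CREATE TABLE activation_codes (id INTEGER, code TEXT);
        CREATE TABLE faq (id INTEGER, title TEXT);
        INSERT INTO faq VALUES (1, 'How do I renew my licence?');
        INSERT INTO faq VALUES (2, 'Installing on Windows');
    """)
    return conn

# A request parameter that has been "altered" to carry SQL (constructed example).
ALTERED_ID = "1 UNION SELECT name FROM sqlite_master WHERE type='table'"

def lookup_vulnerable(conn, faq_id):
    # Weak pattern: the parameter is spliced into the query text, so ALTERED_ID
    # makes this return the table list instead of a single FAQ title.
    sql = "SELECT title FROM faq WHERE id = " + faq_id
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, faq_id):
    # Fix: validate the type up front, then bind the value instead of
    # concatenating it; ALTERED_ID never reaches the database.
    try:
        key = int(faq_id)
    except ValueError:
        return []
    rows = conn.execute("SELECT title FROM faq WHERE id = ?", (key,))
    return [row[0] for row in rows]

# Constructed access-log lines for the detection check below.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Feb/2009:10:00:00 +0000] "GET /support/faq.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Feb/2009:10:00:05 +0000] "GET /support/faq.php?id=1%20UNION%20SELECT HTTP/1.1" 200 904',
]
REQUEST_RE = re.compile(r'"GET (\S+) HTTP')

def flag_nonnumeric_ids(log_lines):
    # Detection aid: request paths whose 'id' parameter is not a plain integer.
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1)
        if any(not v.isdigit() for v in parse_qs(urlsplit(path).query).get("id", [])):
            flagged.append(path)
    return flagged
```

Running `lookup_vulnerable` and `lookup_safe` against `make_db()` with `ALTERED_ID` shows the difference directly: the first returns the catalogue of table names, the second returns nothing.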
Security researchers say that it is unlikely that the company will press charges against the hacker.
"No data has been stolen or copied," Schouwenberg said. "It's unlikely that [Romanian police] will invest the time to actually conduct the research if no data has actually been leaked."