Yesterday I reported how the security vendor Kaspersky had allegedly fallen victim to a SQL Injection attack, with the usa.kaspersky.com website hacked and plenty of data potentially exposed. I said that Kaspersky would no doubt make an official statement sooner rather than later, and it has. Unfortunately it is one that still leaves plenty of questions unanswered and reminds me of a man facing a firing squad with fingers in ears and yelling 'la la la' like that will stop the bullets.
Some background: a white hat hacker made a posting to a hacker forum claiming to have successfully hacked the Kaspersky site by way of a SQL Injection vulnerability late on Saturday night. The hacker, currently only known as 'unu', claims that the SQL Injection attack on usa.kaspersky.com has exposed activation codes, user details, bug lists and so on. "Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own databases. Seems incredible but unfortunately, it's true. Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc" unu says.
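To show what "alter one of the parameters" means in practice, here is an added illustration (not code from the original post, from unu, or from Kaspersky) of a lookup that splices a request parameter into SQL text beside the parameterised version that treats it as data. The table, column names and three records are constructed for the example; it uses Python's built-in sqlite3 module so it runs offline.

```python
import sqlite3

# Constructed sample data: three fictitious records standing in for the
# kind of activation-code table a product site might hold.
SAMPLE_ROWS = [
    ("alice@example.com", "AAAA-1111"),
    ("bob@example.com", "BBBB-2222"),
    ("carol@example.com", "CCCC-3333"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE activation_codes (id INTEGER PRIMARY KEY, user_email TEXT, code TEXT)"
    )
    conn.executemany(
        "INSERT INTO activation_codes (user_email, code) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, record_id: str) -> list:
    """Splices the request parameter straight into the SQL text.

    A parameter of "1" returns one row; altering it to "1 OR 1=1" turns the
    WHERE clause into a tautology and the query returns every row in the table.
    """
    sql = f"SELECT user_email, code FROM activation_codes WHERE id = {record_id}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, record_id: str) -> list:
    """Validates the parameter's type, then binds it as data rather than SQL."""
    try:
        rid = int(record_id)  # anything that is not a whole number is rejected outright
    except ValueError:
        return []
    sql = "SELECT user_email, code FROM activation_codes WHERE id = ?"
    return conn.execute(sql, (rid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))          # one row
    print(lookup_vulnerable(db, "1 OR 1=1"))   # every row: the altered parameter became SQL
    print(lookup_hardened(db, "1 OR 1=1"))     # [] : the same input is rejected as data
```

The hardened version relies on two independent controls: the type check refuses anything that is not an integer, and the bound placeholder means that even if validation were relaxed the database driver would never interpret the value as SQL. Server-side, a spike of requests whose numeric parameters contain spaces, quotes or SQL keywords is the kind of signal a web application firewall or access-log review would flag.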
Kaspersky issued the following official statement late on Sunday:
"On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site."
Trouble is, saying 'whoops, my bad, but it is all OK' is not really good enough when it is a security outfit, indeed a leading security outfit, doing the sugar-coated comment routine. The only reason "no data was compromised from the site" would appear to be down to the good fortune that Kaspersky was hacked by a white hat hacker who did not have bad intentions. Otherwise, I am afraid to say, Kaspersky would currently be paddling up an even browner coloured creek with no canoe.
Things do go from bad to worse for Kaspersky though, despite that 'calm down, nothing to see here' line it is spinning. For why? Well, how about the report that 'unu' had actually exposed the breach days before making it public and only did that because Kaspersky was busy sticking fingers in ears and ignoring him. Apparently, according to an administrator at the hacker forum, unu got "no response from more discreet communiques with Kaspersky employees."
The very fact that the breach apparently exposed sensitive data such as emails and logins would suggest Kaspersky was very lucky indeed not to have been in an even bigger hole than it is now.
I suggest Kaspersky first removes those fingers from ears so it can hear the outcry, then stops digging for fear of getting buried in the coming media shitstorm and instead starts getting real and doing a little honest disclosure. By which I mean telling exactly what happened, exactly how long the usa.kaspersky.com website had been vulnerable, if that vulnerability applied to all other Kaspersky websites and if they have all been fixed.
Oh and while you are at it Kaspersky, how about a public word of thanks to 'unu' for uncovering that security hole which you missed?
I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro, the best-selling IT magazine in the UK.
Good blog, but you gave the definition of white hat a bad rep. A white hat protects sites and servers. What this "uno" fellow did was grey hat, neither protecting nor attacking, just exposing the site's vulnerability. In my opinion Uno is more black hat than grey; he had no business to be messing with Kaspersky's site.
Tiger, while I do agree with you that he had no right to attack those web pages, he is still a grey hatter because he didn't do anything with the data, just told the company that he was able to do it and how. Real-life perspective: picking up a wallet that someone dropped and didn't know that they dropped. He could steal the money and credit cards; instead he returns it and says be more careful.