1,105,594 Community Members

Kaspersky confirms hack with fingers firmly in ears

Member Avatar
(happygeek)
Reputation Points: 1,411 [?]
Q&As Helped to Solve: 452 [?]
Skill Endorsements: 166 [?]
 
0
 

Yesterday I reported how the security vendor Kaspersky had allegedly fallen victim to a SQL Injection attack, with the usa.kaspersky.com website hacked and plenty of data potentially exposed. I said that Kaspersky would no doubt make an official statement sooner rather than later, and it has. Unfortunately it is one that still leaves plenty of questions unanswered and reminds me of a man facing a firing squad with fingers in ears and yelling 'la la la' like that will stop the bullets.

Some background: a white hat hacker made a posting to a hacker forum claiming to have successfully hacked the Kaspersky site by way of a SQL Injection vulnerability late on Saturday night. The hacker, currently only know as 'unu' claims that the SQL Injection attack on usa.kaspersky.com has exposed activation codes, user details, bug lists and so on. "Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own data bases. Seems incredible but unfortunately, its true. Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc" unu says.

Kaspersky issued the following official statement late on Sunday:

"On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site."

Riiiiiiiiight.

Trouble is, saying 'whoops, my bad, but it is all OK' is not really good enough when it is a security outfit, indeed a leading security outfit, doing the sugar coated comment routine. The only reason "no data was compromised from the site" would appear to be down to the good fortune that Kaspersky was hacked by a white hat hacker who did not have bad intentions. Otherwise, I am afraid to say, Kaspersky would currently be paddling up an even browner coloured creek with no canoe.

Things do go from bad to worse for Kaspersky though, despite that 'calm down, nothing to see here' line it is spinning. For why? Well, how about the report that 'unu' had actually exposed the breach days before making it public and only did that because Kaspersky was busy sticking fingers in ears and ignoring him. Apparently, according to and administrator at the hacker forum, unu got "no response from more discreet communiques with Kaspersky employees."

The very fact that the breach apparently exposed sensitive data such as emails and logins would suggest Kaspersky was very lucky indeed not to have been in an even bigger hole than it is now.

I suggest Kaspersky first removes those fingers from ears so it can hear the outcry, then stops digging for fear of getting buried in the coming media shitstorm and instead starts getting real and doing a little honest disclosure. By which I mean telling exactly what happened, exactly how long the usa.kaspersky.com website had been vulnerable, if that vulnerability applied to all other Kaspersky websites and if they have all been fixed.

Oh and while you are at it Kaspersky, how about a public word of thanks to 'unu' for uncovering that security hole which you missed?

Member Avatar
Davey Winder

I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best selling IT magazine in the UK .

Member Avatar
Techwriter10
Veteran Poster
1,050 posts since Apr 2008
Reputation Points: 42 [?]
Q&As Helped to Solve: 1 [?]
Skill Endorsements: 6 [?]
 
0
 

Great post and in a word, incredible. They do realize they are a security company, right?

Ron

Member Avatar
tiger86
Posting Pro
530 posts since Feb 2008
Reputation Points: 16 [?]
Q&As Helped to Solve: 11 [?]
Skill Endorsements: 8 [?]
 
0
 

good blog but you gave the definition of white hat a bad rep. A white hat protects sites and servers. what this "uno" fellow did was grey hat neither protecting or attacking just exposing the sites vulnerability. In my opinion Uno is more black hat than grey he had no business to be messing with Kapersky's site.

Member Avatar
bochiman
Newbie Poster
1 post since Feb 2009
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
0
 

http://www.downloadtube.com/blog/2009/02/13/kaspersky-website-cracked-by-hackers-with-ip-addresses-from-romanian-isps/
The official Kaspersky report: The attacks were based on SQL injection and the penetration of usa.kaspersky.com was successful, but the hackers did not compromised or stolen sensitive data, like personal details or activation codes. The attack through SQL injection was possible due to a vulnerability of the website, which was fixed after the notification of the hacking attempt. Practically, this security issue does not affected any other Kaspersky websites or the e-commerce sections.

Member Avatar
hacknaintcrackn
Newbie Poster
1 post since Jan 2010
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
0
 

Tiger while i do agree with you that he had no right to attack those web pages, he is still a gray hatter because he didn't do anything with the data just told the company that he was able to do it and how. real life perspective, picking up a wallet that some dropped and didn't know that they dropped it. He could steal the money and credit cards, instead he returns it and says be more careful.

Member Avatar
wildsniper
Newbie Poster
3 posts since Jan 2010
Reputation Points: 0 [?]
Q&As Helped to Solve: 1 [?]
Skill Endorsements: 0 [?]
 
0
 

Ridiculous, a security company get hacked.

You
Post:
Start New Discussion
View similar articles that have also been tagged: