Kaspersky confirms hack with fingers firmly in ears
Yesterday I reported how the security vendor Kaspersky had allegedly fallen victim to a SQL Injection attack, with the usa.kaspersky.com website hacked and plenty of data potentially exposed. I said that Kaspersky would no doubt make an official statement sooner rather than later, and it has. Unfortunately it is one that still leaves plenty of questions unanswered and reminds me of a man facing a firing squad with fingers in ears and yelling 'la la la' like that will stop the bullets.
Some background: a white hat hacker made a posting to a hacker forum late on Saturday night claiming to have successfully hacked the Kaspersky site by way of a SQL Injection vulnerability. The hacker, currently known only as 'unu', claims that the SQL Injection attack on usa.kaspersky.com has exposed activation codes, user details, bug lists and so on. "Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own data bases. Seems incredible but unfortunately, its true. Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc" unu says.
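To show what "alter one of the parameters" means in practice, here is an added example, not from the original post and not Kaspersky's code, of the class of bug being described: a product-lookup page that pastes a URL parameter straight into its SQL text, next to the parameterised version that closes the hole. The table names, columns and rows are constructed for illustration, and the altered parameter uses a UNION to pull rows from tables the page was never meant to expose.

```python
"""Added example (not from the original post, not Kaspersky's code): a
single altered request parameter turns a product lookup into a dump of
unrelated tables, and a bound parameter stops it. All data is constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a public 'products' table plus two tables a
    product page should never be able to read out."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT);
        CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT);
        CREATE TABLE activation_codes (id INTEGER, code TEXT);
        INSERT INTO products VALUES (1, 'Anti-Virus'), (2, 'Internet Security');
        INSERT INTO users VALUES (1, 'alice@example.com', '$2b$12$hashA'),
                                 (2, 'bob@example.com', '$2b$12$hashB');
        INSERT INTO activation_codes VALUES (1, 'AAAA-1111'), (2, 'BBBB-2222');
        """
    )
    return conn


def product_name_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """The 'before' pattern: the request parameter is interpolated into the
    SQL string, so a crafted value rewrites the query itself."""
    sql = f"SELECT name FROM products WHERE id = {product_id}"
    return [row[0] for row in conn.execute(sql)]


def product_name_fixed(conn: sqlite3.Connection, product_id: str) -> list:
    """The hardened form: the value is validated, then passed as a bound
    parameter so the database never parses it as SQL."""
    if not product_id.isdigit():
        raise ValueError("product id must be numeric")
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(product_id),))]


# A benign request value and an 'altered parameter' that UNIONs in other tables.
BENIGN = "2"
ALTERED = (
    "2 UNION SELECT email || ':' || password_hash FROM users"
    " UNION SELECT code FROM activation_codes"
)


def demo() -> dict:
    """Run both handlers against both inputs and return what each leaks."""
    conn = build_db()
    return {
        "vulnerable_benign": product_name_vulnerable(conn, BENIGN),
        "vulnerable_altered": sorted(product_name_vulnerable(conn, ALTERED)),
        "fixed_benign": product_name_fixed(conn, BENIGN),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
    try:
        product_name_fixed(build_db(), ALTERED)
    except ValueError as exc:
        print("fixed_altered rejected:", exc)
```

The vulnerable handler returns one product name for the benign request and five rows (the product, two e-mail/hash pairs and two activation codes) for the altered one; the fixed handler returns the same product name and refuses the altered value before any query runs. The lesson for the disclosure argument that follows is that the same endpoint serves both outcomes, so "no data was compromised" is a statement about what the attacker chose to do, not about what the page allowed.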
Kaspersky issued the following official statement late on Sunday:
"On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site."
Riiiiiiiiight.
Trouble is, saying 'whoops, my bad, but it is all OK' is not really good enough when it is a security outfit, indeed a leading security outfit, doing the sugar coated comment routine. The only reason "no data was compromised from the site" would appear to be down to the good fortune that Kaspersky was hacked by a white hat hacker who did not have bad intentions. Otherwise, I am afraid to say, Kaspersky would currently be paddling up an even browner coloured creek with no canoe.
Things do go from bad to worse for Kaspersky though, despite that 'calm down, nothing to see here' line it is spinning. For why? Well, how about the report that 'unu' had actually reported the breach to Kaspersky days before making it public and only went public because Kaspersky was busy sticking fingers in ears and ignoring him. Apparently, according to an administrator at the hacker forum, unu got "no response from more discreet communiques with Kaspersky employees."
The very fact that the breach apparently exposed sensitive data such as emails and logins would suggest Kaspersky was very lucky indeed not to have been in an even bigger hole than it is now.
I suggest Kaspersky first removes those fingers from ears so it can hear the outcry, then stops digging for fear of getting buried in the coming media shitstorm and instead starts getting real and doing a little honest disclosure. By which I mean telling exactly what happened, exactly how long the usa.kaspersky.com website had been vulnerable, if that vulnerability applied to all other Kaspersky websites and if they have all been fixed.
Oh and while you are at it Kaspersky, how about a public word of thanks to 'unu' for uncovering that security hole which you missed?
Great post and in a word, incredible. They do realize they are a security company, right?
Ron
Good blog, but you gave the definition of white hat a bad rep. A white hat protects sites and servers. What this "unu" fellow did was grey hat, neither protecting nor attacking, just exposing the site's vulnerability. In my opinion unu is more black hat than grey; he had no business to be messing with Kaspersky's site.
http://www.downloadtube.com/blog/200...romanian-isps/
The official Kaspersky report: The attacks were based on SQL injection and the penetration of usa.kaspersky.com was successful, but the hackers did not compromise or steal sensitive data, like personal details or activation codes. The attack through SQL injection was possible due to a vulnerability of the website, which was fixed after the notification of the hacking attempt. Practically, this security issue did not affect any other Kaspersky websites or the e-commerce sections.