Yesterday I reported how the security vendor Kaspersky had allegedly fallen victim to a SQL injection attack, with the usa.kaspersky.com website hacked and plenty of data potentially exposed. I said that Kaspersky would no doubt make an official statement sooner rather than later, and it has. Unfortunately it is one that still leaves plenty of questions unanswered, and it reminds me of a man facing a firing squad with his fingers in his ears, yelling 'la la la' as if that will stop the bullets.
Some background: a white hat hacker made a posting to a hacker forum late on Saturday night claiming to have successfully hacked the Kaspersky site by way of a SQL injection vulnerability. The hacker, currently known only as 'unu', claims that the SQL injection attack on usa.kaspersky.com exposed activation codes, user details, bug lists and so on. "Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own databases. Seems incredible but unfortunately, it's true. Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc," unu says.
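Since unu's description boils down to "alter one of the parameters", here is an added illustration of what that means, written for this piece rather than taken from the original post, and in no way Kaspersky's code or schema. It uses a constructed SQLite table (hypothetical column names, made-up rows) to stand in for a site database, a lookup that splices the request parameter straight into the query text, and the same lookup with the value checked and bound as a parameter instead.

```python
import sqlite3

# Constructed sample data for a hypothetical product/licence table. The schema,
# column names and rows are invented for this example and do not reflect
# anything unu reported finding on usa.kaspersky.com.
SAMPLE_ROWS = [
    (1, "Product A", "alice@example.com", "ACT-0001"),
    (2, "Product B", "bob@example.com", "ACT-0002"),
    (3, "Product C", "carol@example.com", "ACT-0003"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE licences ("
        "id INTEGER PRIMARY KEY, product TEXT, owner_email TEXT, activation_code TEXT)"
    )
    conn.executemany("INSERT INTO licences VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, product_id):
    """The flaw: an untrusted query-string value is pasted into the SQL text.

    Intended use is ?id=1, returning one product name. Because the value becomes
    part of the statement, '1 OR 1=1' returns every row, and a UNION payload
    pulls columns the page was never meant to show (emails, activation codes).
    """
    sql = f"SELECT product FROM licences WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, product_id):
    """The fix: validate the type, then bind the value as a parameter.

    The '?' placeholder means the driver sends the value separately from the
    statement, so it can never change the query's structure. The int() check
    additionally rejects anything that is not a plain identifier up front.
    """
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT product FROM licences WHERE id = ?", (pid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Legitimate request works the same either way.
    print(lookup_vulnerable(db, "1"), lookup_safe(db, "1"))
    # Tautology: vulnerable version dumps the whole table.
    print(lookup_vulnerable(db, "1 OR 1=1"))
    # UNION: vulnerable version leaks columns from outside the intended query.
    print(lookup_vulnerable(
        db, "1 UNION SELECT owner_email || ':' || activation_code FROM licences"))
    # Hardened version: the same payloads return nothing.
    print(lookup_safe(db, "1 OR 1=1"))
```

The point worth taking from this is that "alter one of the parameters" is not an exotic technique: the first payload is a single `OR`, and the second needs only the name of a table and two columns, both of which an attacker can usually coax out of error messages or guess. The hardened form costs one placeholder and one type check.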
Kaspersky issued the following official statement late on Sunday:
"On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site."
Trouble is, saying 'whoops, my bad, but it is all OK' is not really good enough when it is a security outfit, indeed a leading security outfit, doing the sugar-coated comment routine. The only reason "no data was compromised from the site" would appear to be the good fortune that Kaspersky was hacked by a white hat hacker who did not have bad intentions; a vulnerability that lets a visitor read users, activation codes and admin records by changing a parameter is not one whose safety rests on the attacker's manners. Otherwise, I am afraid to say, Kaspersky would currently be paddling up an even browner coloured creek with no canoe.
Things do go from bad to worse for Kaspersky though, despite the 'calm down, nothing to see here' line it is spinning. For why? Well, how about the report that 'unu' had actually told Kaspersky about the hole days before making it public, and only went public because Kaspersky was busy sticking its fingers in its ears and ignoring him. Apparently, according to an administrator at the hacker forum, unu got "no response from more discreet communiques with Kaspersky employees." If that is right, the site was vulnerable for rather longer than the "very brief period" of the official statement.
The very fact that the breach apparently exposed sensitive data such as emails and logins suggests Kaspersky was very lucky indeed not to have been in an even bigger hole than it is now.
I suggest Kaspersky first removes those fingers from its ears so it can hear the outcry, then stops digging for fear of getting buried in the coming media shitstorm, and instead starts getting real and doing a little honest disclosure. By which I mean telling exactly what happened, exactly how long the usa.kaspersky.com website had been vulnerable, when the first report from unu was received, whether the same flaw applied to any other Kaspersky websites, and whether they have all been fixed.
Oh and while you are at it Kaspersky, how about a public word of thanks to 'unu' for uncovering that security hole which you missed?