• Total Members: 12780
  • Latest: eduard
  • Total Posts: 28039
  • Total Topics: 8052
  • Online Today: 817
  • Online Ever: 51419
  • (01. January 2010., 09:27:49)

Author Topic: Kaspersky Red-Faced Over SQL Injection Hack  (Read 1297 times)

0 Members and 1 Guest are viewing this topic.


  • SCF Administrator
  • *****
  • Posts: 7152
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Kaspersky Red-Faced Over SQL Injection Hack
« on: 11. February 2009., 16:18:04 »

A group of hackers who were apparently not advanced enough to take full advantage of their mischief nevertheless managed to embarrass security firm Kaspersky. They may have been looking to build their hacker creds when they breached a database under the firm's protection by taking advantage of a SQL injection vulnerability.

A team of hackers exploited a SQL injection vulnerability to gain access to a customer database protected by security company Kaspersky. It appears the attack did not compromise any data, according to Roel Schouwenberg, a Kaspersky senior antivirus researcher. However, it certainly dealt a blow to the company's reputation.

"A Romanian hacker team found a vulnerability in a new site we launched in the U.S.," Schouwenberg told TechNewsWorld. "That vulnerability allowed them to to get some access to that part of the site. Fortunately, no data has been compromised -- but if the hackers had been more advanced, they could have gotten access to 2,500 email addresses and activation codes for new products."

The hackers' motives for carrying it out the attack are unclear.

Insufficient Notice

"They said they alerted us to the problem before making it public," said Schouwenberg. "They did -- but only by an hour."

They sent an email Saturday evening, Moscow time, to Kaspersky, he said.

The attack was likely more about the hackers' desire for 60 minutes of fame than anything else, he speculated.

Kaspersky developed the compromised site with a third party, Schouwenberg pointed out. "Unfortunately, there was some vulnerability in the code written by the third party that slipped by our review process. We could have done a better job in catching that, for our part."

As part of its clean-up efforts, Kaspersky has retained Next Generation Security Software's David Litchfield to conduct an independent audit and security risk analysis. The results, expected within 24 to 48 hours, will be posed on the company's Web site.

Previous internal reviews and audits had turned up vulnerabilities, "but they were never exploited in the wild," Schouwenberg said.

Could Happen to Anyone?

Kaspersky, not doubt, is mortified by the incident. (Schouwenberg readily acknowledged the lapse was bad, but also pointed out that the company's core competency is antimalware). Certainly, the breach is enough to cast doubt not only on Kaspersky's security bona fides, but also on the industry as a whole.

Companies that rely on the Internet security industry to protect their own operations and customers have reason for concern, suggested Rohyt Belani, CEO of Intrepidus Group. "SQL injections are the most deadly, and they are very difficult to protect against," he told TechNewsWorld. "This could have happened to almost anybody."

Unless a coder is highly attuned to the security implications, it is easy to write an application that could be vulnerable to such an attack, he said.

Take an online mortgage application, for example. The field that requests the name should be explicitly limited to accept only alphabet characters. However, a developer might not do this, Belani said, because names can require other characters, such as apostrophes.

"Attackers know that that particular field becomes part of a database query in the back end system -- so they inject SQL characters into that field, which can then modify the flow in the back end," he explained. If the attack is successfully executed, portions of the database can be shown back to the user or corrupted in certain ways.

Need to Test

Testing is the best protection.

"Here's another example of companies not testing their Web applications before deploying them out there for customers -- and hackers," Mandeep Khera, CMO for Cenzic, told TechNewsWorld.

This incident highlights a problem Cenzic has seen with other attacks -- which is that companies often don't find out they are being hacked for a long time -- and many times, they discover it only accidentally.

"Our advice to anyone who has a Web site with forms is to start testing those for vulnerabilities," he said, "and even if you can't fix all the vulnerabilities right away, at least make it difficult for those hackers who are going for the low-hanging fruit."


Samker's Computer Forum -

Kaspersky Red-Faced Over SQL Injection Hack
« on: 11. February 2009., 16:18:04 »


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising