Kaspersky Lab, a Moscow-based security company, admitted today that a database containing customer information had been exposed for almost 11 days and that it only learned of the breach when Romanian hackers told the firm about it (the hackers in this instance were white hats). No data was actually downloaded or looked at.
The hackers (presumed from Romania), went public in a blog post. They claimed that after launching a SQL injection attack on Kaspersky’s U.S. support site, they were able to access a customer database that included e-mail addresses and software activation codes.
Roel Schouwenberg, a Kaspersky senior antivirus researcher, confirmed that the database was hacked via a SQL injection attack, but he reiterated that only the database’s table labels had been accessed by the hackers, not the data itself. “A more advanced hacker could have gotten access to the information,” Schouwenberg acknowledged, “including activation codes for the product and e-mail addresses. But that didn’t happen.”
A combination of vulnerable code crafted by an unnamed third-party vendor and poor code review by Kaspersky was to blame, thus an Application Security issue.
Kaspersky has hired Next Generation Security Software Ltd.’s David Litchfield, one of the world’s experts on SQL injection attacks and database security, to do an independent audit of the company’s systems. Considering that if Kapersky had been using Rational Appscan to look after their site, they would have been notified during a scan of the vulnerability and other issues without having to extend to external “experts” in SQL injection.
SQL Injection seems to be the major choice by hackers to compromise applications through the web frontend. Rational Appscan can test and identify SQL Injection vulnerabilities in a given system being tested.
Technorati Tags: Kapersky Labs, hackers, sql injection, customer data, compromised, breached, anti-virus
Source: www.computerworld.com
