Security firm’s Web site hacked

February 10, 2009

Security firm Kaspersky has confirmed a customer database was exposed for up to 10 days and its Web site was eventually hacked. But it insists no personal information was exposed and denies ignoring warnings from the hackers.

The firm is now hiring the highly-regarded security expert David Litchfield to examine the breach in detail and recommend ways to prevent similar attacks. Kaspersky’s Roel Schouwenberg said, “This should not have happened. We are now doing everything within our power to do the forensics and prevent this from ever happening again.”

The problem was down to a new section of code, developed by an outside party, which was inserted into the support section of Kaspersky’s US Web site. The code left the relevant database open to an SQL injection attack, in which hackers are able to carry out queries which aren’t meant to be publicly available.

The new code went live on Jan. 28. A hacker calling himself Unu e-mailed the firm last Friday about the vulnerability and then hacked the site an hour later. Kaspersky apparently didn’t see the e-mail at the time, but discovered the hack on Saturday and reverted to the old code 15 minutes later.

The hacker only managed to get access to the structure of the database; a more skilled attacker may have been able to get to the data itself. That would have exposed 2,500 customer e-mails and around 25,000 activation codes for Kaspersky’s security products.

It appears the offender is from Romania. Kaspersky isn’t pursuing legal action as it believes authorities in that country won’t provide enough support to make the effort worthwhile.

The same hacker is now claiming to have broken into a database belonging to a Portuguese seller for another security firm, BitDefender. He appears to have been more successful in this attack and has published what appear to be personal details of customers.




2 Responses to “Security firm’s Web site hacked”

  1. SQL Injection Attacks:

    One of the solutions that can work for you is a software called dotDefender – it’s a web application firewall that will protect your web application from getting hacked not only from SQL Injection but from Cross Site Scripting, Path Traversal, Bad User-Agent, Asprox (The Chinese bot) and many more unknown attacks.
    dotDefender got awards from a few major institutes such as: TechWorld.com Awards in 2008, SANS Top 20 list and Frost & Sullivan.
    You can download a free 30 day trial and check how the number of attacks on your website drops significantly.

  2. kominki:

    My spouse and i ended up being absolutely joyful that Michael could deal with his preliminary research from your ideas he grabbed in your site. It is now and again perplexing to simply happen to be offering information which often many people may have been making money from. And now we discover we need the writer to give thanks to for that. The type of illustrations you have made, the straightforward website navigation, the friendships you can assist to promote – it’s many astonishing, and it’s leading our son and our family do think this issue is cool, which is exceptionally vital. Thank you for all the pieces!


Copyright © 2012 Blorge.com NS