A team of hackers exploited a SQL injection vulnerability to gain access to a customer database protected by security company Kaspersky. It appears the attack did not compromise any data, according to Roel Schouwenberg, a Kaspersky senior antivirus researcher. However, it certainly dealt a blow to the company’s reputation.
“A Romanian hacker team found a vulnerability in a new site we launched in the U.S.,” Schouwenberg told TechNewsWorld. “That vulnerability allowed them to to get some access to that part of the site. Fortunately, no data has been compromised — but if the hackers had been more advanced, they could have gotten access to 2,500 email addresses and activation codes for new products.”
The hackers’ motives for carrying it out the attack are unclear.
“They said they alerted us to the problem before making it public,” said Schouwenberg. “They did — but only by an hour.”
They sent an email Saturday evening, Moscow time, to Kaspersky, he said.
The attack was likely more about the hackers’ desire for 60 minutes of fame than anything else, he speculated.
Kaspersky developed the compromised site with a third party, Schouwenberg pointed out. “Unfortunately, there was some vulnerability in the code written by the third party that slipped by our review process. We could have done a better job in catching that, for our part.”
As part of its clean-up efforts, Kaspersky has retained Next Generation Security Software’s David Litchfield to conduct an independent audit and security risk analysis. The results, expected within 24 to 48 hours, will be posed on the company’s Web site.
Previous internal reviews and audits had turned up vulnerabilities, “but they were never exploited in the wild,” Schouwenberg said.
Could Happen to Anyone?
Kaspersky, no doubt, is mortified by the incident. (Schouwenberg readily acknowledged the lapse was bad, but also pointed out that the company’s core competency is antimalware). Certainly, the breach is enough to cast doubt not only on Kaspersky’s security bona fides, but also on the industry as a whole.
Companies that rely on the Internet security industry to protect their own operations and customers have reason for concern, suggested Rohyt Belani, CEO of Intrepidus Group. “SQL injections are the most deadly, and they are very difficult to protect against,” he told TechNewsWorld. “This could have happened to almost anybody.”
Unless a coder is highly attuned to the security implications, it is easy to write an application that could be vulnerable to such an attack, he said.
Take an online mortgage application, for example. The field that requests the name should be explicitly limited to accept only alphabet characters. However, a developer might not do this, Belani said, because names can require other characters, such as apostrophes.
“Attackers know that that particular field becomes part of a database query in the back end system — so they inject SQL characters into that field, which can then modify the flow in the back end,” he explained. If the attack is successfully executed, portions of the database can be shown back to the user or corrupted in certain ways.
Need to Test
Testing is the best protection.
“Here’s another example of companies not testing their Web applications before deploying them out there for customers — and hackers,” Mandeep Khera, CMO for Cenzic, told TechNewsWorld.
This incident highlights a problem Cenzic has seen with other attacks — which is that companies often don’t find out they are being hacked for a long time — and many times, they discover it only accidentally.
“Our advice to anyone who has a Web site with forms is to start testing those for vulnerabilities,” he said, “and even if you can’t fix all the vulnerabilities right away, at least make it difficult for those hackers who are going for the low-hanging fruit.”