14 DAY TRIAL // After a SQL injection attack against the US support website belonging to Kaspersky Labs was published on the Romanian Hackers Blog, the company disclosed details of the security breach. The investigation established that no sensitive data was accessed, but the antivirus vendor hired a database security expert to audit all of its websites.
During the past weekend, the Romanian Hackers Blog published information regarding a successful attack on http://usa.kaspersky.com/support/. According to the attacker, full access to the database containing customer information, support tickets, and even product activation codes had been obtained through SQL injection techniques.
The alleged ethical hacker who is calling himself "unu," did not post any sensitive information stored in the database, which was confirmed to contain around 2,500 customer e-mail addresses and 25,000 software activation keys. "This time I will not (for reasons that need no explanation) publish any screenshot with containing personal details or activation code," he said.
However, Vitaly Kamluk, chief malware expert at Kaspersky Lab, who has been involved in the investigation into this incident, claims there were several attackers, not one, and dismisses their good intentions. "After collecting field names, the attackers made a few attempts to extract the data from tables," he writes on the Kaspersky Analyst's Diary Weblog.
Apparently, only a simple mistake prevented them from hitting the jackpot. "Those queries failed because the attackers specified the wrong database," Kamluk explains. "There were several attackers with IP addresses from Romanian ISPs," the analyst also notes.
Meanwhile, during a conference call with reporters, Kaspersky Senior Research Engineer Roel Schouwenberg explained that the vulnerability was introduced along with a new update on the support site on January 28. He also pointed out that a Romanian Kaspersky employee came across the blog entry explaining the attack and immediately alerted his U.S. colleagues, who in turn rolled back the website to its stable state before the vulnerable update was deployed.
Vitaly Kamluk shares that the attackers used a free version of an automated probing tool from Acunetix to determine that the site was vulnerable to SQL injection, and then proceeded with manual exploitation. "The attackers stopped after they got only the column and table names from the database and decided to go for glory. No data modification queries UPDATE, INSERT, DELETE... were logged," he adds.
Both Kamluk and Schowenberg challenge the hackers' claim that they published the attack only after e-mails sent to the antivirus vendor went unanswered. "After conducting the attack, the attackers decided to show off their ‘great code of ethics’ by sending Kaspersky an email – on a Saturday to several public email boxes. They gave us exactly 1 hour to respond," Kamluk mentions, while Schowenberg concludes that " They gave us little if any chance to respond."
When asked by the reporters if the company's image might suffer as a result of this security breach, Roel Schouwenberg said that "Honestly speaking, yes. This is not good for any company, especially a company dealing with security. This should not have happened." However, he stressed that "We are doing everything within our power to do the forensics on this case and to prevent this from ever happening again." In this respect, the company has hired world-renowned database security expert David Litchfield to perform an independent security audit of websites belonging to Kaspersky Labs.
"Secure development MUST be a key priority for web development - anywhere, anytime and all the time. It is a lesson to us all - check, check and re-check your processes and your code," Vitaly Kamluk advises. "We are lucky the hackers proved to be more interested in fame than in causing damage," the software engineer concludes.
Note: This article has been updated as to correctly attribute the cited material from the Kaspersky weblog, signed VitalyK, to Vitaly Kamluk, chief malware expert at Kaspersky Lab, as opposed to Vitaly Kouzin, software engineer at Kaspersky Lab, whom it originaly credited.