The hacker responsible for breaking into U.S.-based Kaspersky Lab support website on Feb. 7 set off a wave of attacks against the antivirus vendor when details of the breach were published on a hacking community website.
The information was detailed in a report issued by database security expert David Litchfield, who conducted an analysis of the breach to determine if any sensitive files were accessed. Although customer data was exposed as a result of a coding error, Litchfield said no files were breached.
"The attacker's claim to be able to access customer data is correct and, as is apparent from the Web server log files, the attacker did attempt to gain access to customer data however, the attempts failed," Litchfield said in a short excerpt of the report released by Kaspersky Friday.
Latest sites hacked:
latest security vendor hacked: F-Secure confirmed the breach of a low-level database
server containing virus statistical information.
Kaspersky website hacked, customer activation codes exposed: Customer email addresses and up to 25,000 activation codes were exposed on a server for 10 days, the antivirus vendor said.
Follow up attempts by other attackers also failed to gain access to the customer data, Litchfield said. The exposed server, which was online for 10 days, contained thousands of customer email addresses and up to 25,000 software activation codes. The attacker notified Kaspersky in an email message sent an hour prior to the breach.
"On hearing of the threat, Kaspersky immediately took down the vulnerable Web server, preventing further and deeper breaches," he wrote.
A Kaspersky spokesperson said Friday that it would not make Litchfield's full report available. Litchfield did not identify any other vulnerabilities, although additional internal and external audits of systems are ongoing, the spokesperson said.
The Kaspersky support website is the central portal for the vendor's home and business users to access technical support documents and a help forum. A coding error left the website vulnerable to SQL injection attacks, a technique in which an attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data.
Litchfield said the Romanian hacker used Google to search for Web servers owned by Kaspersky that were running applications that could be vulnerable to SQL injection.
Kaspersky said it was conducting a thorough security audit of all official Kaspersky Lab sites and developing additional internal review procedures to ensure corporate resources are protected from external attacks.
Kaspersky was among three security vendors that had their websites attacked in recent days. The hacker who attacked Kaspersky's website also claimed to have exploited a similar vulnerability in a BitDefender reseller website. Security vendor F-Secure confirmed a breach Wednesday of one of its "low-level" database servers containing virus statistics.
It is not the first time that security vendors have been targeted by attackers. Several security vendor websites were breached in 1999 in a wave of attacks targeting them and hijacking their websites. Symantec Corp. had its website breached in an embarrassing attack that resulted in a worm spreading through the vendor's internal network. In 2000, McAfee Inc, known then as Network Associates, had its website defaced, although its internal systems were not breached.
Chris Wysopal, software security expert and co-founder and chief technology officer of Veracode Inc., a secure application testing vendor, called the latest attacks on security vendors a wakeup call. Security vendors targeted in the first wave of attacks a few years ago have shaped up, Wysopal said.
"Most security companies are software companies; they produce software but security is just their feature set," Wysopal said. "Their developers come from the same pool of developers as any other software company. They don't have any special training and their processes are much like that of any other software company."