
Kaspersky website hacked, customer activation codes exposed

By Robert Westervelt, News Editor
09 Feb 2009 | SearchSecurity.com


A Romanian hacker broke into a custom-built, U.S.-based Kaspersky Lab support website on Saturday, exposing a server containing thousands of customer email addresses and up to 25,000 activation codes.

Kaspersky's Roel Schouwenberg, a senior research engineer, said the company was conducting a full investigation into the matter. Initial analysis showed that the hacker accessed no data files, he said. The Russia-based antivirus company hired high-profile database security expert David Litchfield to conduct an independent audit of its systems.

"This is not good for any company, especially a company that deals with security," Schouwenberg said. "This should not have happened and now we're doing everything in our power to do forensics in this case and prevent it from ever happening again."
SQL injection attacks:

SQL injection has been the most common attack method among hackers recently, and users can expect attacks against newer programming languages such as Flash and Java to increase over time, experts say.

Jacob West, security group manager of Fortify Software, said that Flash, JavaScript and a collection of Web 2.0 technologies are now at greater risk for vulnerabilities because their software runs on end-user machines rather than on a server. Anyone doing data processing on the client side with Web 2.0 technologies must be extra careful about where the validation is executed, West said.

Kaspersky's support website is the central portal for home and business users to access technical support documents and a help forum. Schouwenberg said it was custom-built and went live in the U.S. on Jan. 29. The website contained a coding error, which was attacked by the Romanian hacker, known as Unu, via SQL injection.
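The kind of coding error described here, together with the sidebar's point that validation has to happen on the server, as an added illustration that is not from the article and not Kaspersky's code: a support-portal lookup built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table (the schema, emails and codes are hypothetical sample values).

```python
import sqlite3

# Constructed sample rows standing in for a support portal's customer table
# (hypothetical schema and values; not the real database).
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "XXXX-ALICE-0001"),
    ("bob@example.com", "XXXX-BOB-0002"),
    ("carol@example.com", "XXXX-CAROL-0003"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, activation_code TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    # Defect: the request parameter is spliced into the SQL text, so a quote
    # character inside it changes the structure of the query itself.
    sql = "SELECT activation_code FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    # Fix: bind the value; the driver passes it as data, never as SQL.
    sql = "SELECT activation_code FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    conn = build_db()
    normal = "bob@example.com"
    # Constructed test input: a tautology. A browser-side check cannot stop
    # it, because the client is under the user's control; only the server can.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_normal": lookup_parameterized(conn, normal),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated query returns every activation code in the table for the hostile input, which is exactly the kind of bulk exposure the article describes; the parameterized query returns nothing for it.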

"Something obviously went wrong with our internal code reviewing process," Schouwenberg said.

Once successfully exploited, the hacker could have gained access to a server which contained about 2,500 email addresses and thousands of activation codes, Schouwenberg said. The server contained no credit card numbers or sensitive customer account data, he said.

Details of the attack were posted on the Hackersblog.org forum, where the hacker claimed to have gained access to the customer data and user accounts. The hacker said he notified Kaspersky in advance of his attack but received no response. The hacker also claimed to have exploited a similar vulnerability in BitDefender's Portuguese website.

Schouwenberg said the company received an email an hour before the attack, giving researchers little time to respond to the vulnerability. The site was taken down about 30 minutes after details of the attack leaked. It was repaired and back online early Sunday morning.
