Kaspersky says Web hack 'should not have happened'

Kaspersky Lab says its Web site was hacked Saturday.

It's the worst thing that can happen to a computer security vendor: This weekend, Moscow's Kaspersky Lab was hacked.

A hacker, who identified himself only as Unu, said that he was able to break into a section of the company's brand-new U.S. support Web site by taking advantage of a flaw in the site's programming.

On a conference call with reporters, Kaspersky Senior Research Engineer Roel Schouwenberg said that while he believes that the hacker did not access any customer information such as e-mail addresses, the hack would hurt the company's image. "This is not good for any company, and especially a company dealing with security," he said. "This should not have happened, and we are now doing everything within our power to do the forensics on this case and to prevent this from ever happening again."

Schouwenberg blamed the breach on a Web programming flaw that was introduced in a Jan. 29 redesign of the support site, meaning that the bug was live on Kaspersky's site for about 10 days. "Something went wrong in our internal code reviewing process," he said.

This flaw left Kaspersky's support site vulnerable to what's known as a SQL injection attack, which could have given the hacker access to about 2,500 customer e-mail addresses and to perhaps 25,000 product activation codes.

In a SQL injection attack, the hacker takes advantage of bugs in Web programs that query databases. The point is to find a way to run commands within the databases and access information that would normally be protected.

Code on Kaspersky's Web site is typically subjected to an internal and external audit. Kaspersky has hired database expert David Litchfield to investigate the incident and expects to be able to report more on the hack within 24 hours, the company said.

In an e-mail interview, Litchfield said that he has done this type of investigation before. "Typically there are no problems with investigations of this type. Of course, an attacker can attempt to hide their tracks, which makes things more difficult -- but by no means impossible."

Unu notified Kaspersky of the bug via e-mail on Friday, and then one hour later hacked into the site. Kaspersky didn't see that e-mail until much later, but the company realized it had been hacked by around noon Eastern Time on Saturday, Schouwenberg said. Just 15 minutes later, Kaspersky reverted to an older version of its support site code, which did not contain the error.

Kaspersky believes that Unu is from Romania, but is not seeking legal action in the case. Romanian authorities have limited resources and are unlikely to investigate the incident further, Schouwenberg said in an e-mail.

Worse attacks have happened. In fact, the Kaspersky hack is "barely even worth mentioning" next to major security breaches, such as the recent hack that gave criminals access to systems at credit-card processor Heartland Payment Systems, said Paul Roberts, an analyst with The 451 Group. "But Kaspersky is a security company, " he said via instant message. "So there's a much bigger reputational risk here than with, say, some supermarket."

Join the PC World newsletter!

Error: Please check your email address.

Tags kaspersky labshack

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?