Kaspersky hires expert to analyze Web site hack
Romanian hacker site Hackers Blog displayed screen shots of the compromised Kaspersky site.
(Credit: Hackers Blog)
Updated 3:10 p.m. PST with comment from BitDefender.
Moscow-based security firm Kaspersky has hired a security expert to investigate the weekend breach of its U.S. site, the company said Monday.
Meanwhile, the hacker site claiming credit for the breach said on Monday that it had carried out the same kind of attack on the Portuguese Web site of antivirus provider BitDefender.
In a statement, BitDefender said an unnamed partner site was compromised and that the company was investigating the incident to help the partner prevent it from happening again. "This was an unfortunate event and while we sympathize with the sites that were affected, BitDefender was not one of those sites," the statement said.
In the Kaspersky breach, which was discovered on Saturday, no sensitive or customer data was compromised, Roel Schouwenberg, a senior antivirus researcher for Kaspersky, said on a conference call with reporters. But to allay concerns about the severity of the problem, Kaspersky has hired David Litchfield, an expert in database security, to conduct an independent audit of the systems involved, he said.
A section of Kaspersky's new U.S. support site was breached by someone using a SQL injection attack, in which input supplied through the Web site is passed unchecked into the queries sent to the database behind it, so that the attacker's input is executed as part of the query and can read or alter data the page was never meant to expose, according to Schouwenberg.
The portion of the site breached had been developed by an unnamed third party and was not subjected to an internal code review process as it should have been, he said. "Obviously we are not happy about that and are in the process of making the review process stricter than it currently is," he added.
"A more advanced hacker" could have accessed about 2,500 e-mail addresses of customers and about 25,000 product activation codes that were on the compromised server, but that did not happen, Schouwenberg said.
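The mechanism described above, and the kind of exposure the paragraph above warns about, as an added example that is not part of the original article and is not Kaspersky's or the third-party developer's code. It uses a constructed, in-memory SQLite database with a made-up "articles" table (the support content a page would legitimately query) and a made-up "customers" table standing in for the e-mail addresses and activation codes that sat on the compromised server. The URL parameter name, table names and attacker payload are all assumptions for illustration.

```python
import sqlite3

# Constructed sample schema and data (hypothetical, not the real support site).
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE customers (email TEXT, activation_code TEXT);
INSERT INTO articles VALUES (1, 'Install guide', 'How to install the product');
INSERT INTO articles VALUES (2, 'Update errors', 'Fixing update errors');
INSERT INTO customers VALUES ('alice@example.com', 'AAAA-1111');
INSERT INTO customers VALUES ('bob@example.com', 'BBBB-2222');
"""


def make_db():
    """Create the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, article_id):
    """Builds the query by string concatenation.

    The 'id' value taken from the request becomes part of the SQL text, so any
    SQL syntax in it is parsed and executed by the database. This is the
    pattern a code review should catch.
    """
    sql = "SELECT title, body FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, article_id):
    """Parameterised query: the value travels separately from the SQL text.

    The database never parses the parameter as SQL, so a payload that works
    against lookup_vulnerable() simply fails to match any row here.
    """
    sql = "SELECT title, body FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


# Constructed attacker input: a UNION that appends the customers table to the
# two-column result the page expects, which is how an attacker would pull the
# e-mail addresses and activation codes through an article-lookup page.
PAYLOAD = "1 UNION SELECT email, activation_code FROM customers"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:", lookup_vulnerable(db, "1"))
    print("vulnerable, payload:  ", lookup_vulnerable(db, PAYLOAD))
    print("safe, normal id:      ", lookup_safe(db, "1"))
    print("safe, payload:        ", lookup_safe(db, PAYLOAD))
```

Running the block shows the concatenated query returning the customer rows alongside the article, while the parameterised query returns the article for "1" and nothing for the payload. Rejecting non-numeric ids before the query is a sensible extra layer, but parameterisation is the control that actually removes the injection.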
Kaspersky's new U.S. support site went live on January 28 and was publicly launched on January 29, the company said. There is no indication of any other breaches since then, according to Schouwenberg.
A Kaspersky employee in Romania was alerted to the breach on Saturday after seeing a report of it on the Romanian site Hackers Blog, he said. That worker notified Kaspersky workers in the U.S. and within half an hour, the affected section of the site was taken down and then replaced with the older, secure version of the site, he added.
Asked if the company was worried its reputation would be damaged as a result of the attack, Schouwenberg said: "Honestly speaking, yes. This is not good for any company, especially a company dealing with security. This should not have happened. We are doing everything within our power to do the forensics on this case and to prevent this from ever happening again."
Someone taking credit for the breach had sent an e-mail warning the company about the problem one hour before the attack, "which gave us little if any chance to respond" in a timely manner, he said.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Robert
by johnfranks1234 February 11, 2009 4:43 PM PST
Most companies enjoy "security" insofar as they haven't been targeted, or had an employee make a human error with catastrophic exposure. Price Waterhouse Cooper and Carnegie-Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture - absent new eCulture, breaches will, and continue to, increase. As CIO, I'm constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities - read the book BEFORE you suffer a bad outcome - or propagate one.