February 9, 2009 11:17 AM PST

Kaspersky hires expert to analyze Web site hack

by Elinor Mills

The Romanian hacker site Hackers Blog displayed screenshots of the compromised Kaspersky site.

(Credit: Hackers Blog)

Updated 3:10 p.m. PST with comment from BitDefender.

Moscow-based security firm Kaspersky has hired a security expert to investigate the weekend breach of its U.S. site, the company said Monday.

Meanwhile, the hacker site claiming credit for the breach said on Monday that it had carried out the same kind of attack on the Portuguese Web site of antivirus provider BitDefender.

In a statement, BitDefender said an unnamed partner site was compromised and that the company was investigating the incident to help the partner prevent it from happening again. "This was an unfortunate event and while we sympathize with the sites that were affected, BitDefender was not one of those sites," the statement said.

In the Kaspersky breach, which was discovered on Saturday, no sensitive or customer data was compromised, Roel Schouwenberg, a senior antivirus researcher for Kaspersky, said on a conference call with reporters. But to allay concerns about the severity of the problem, Kaspersky has hired David Litchfield, an expert in database security, to conduct an independent audit of the systems involved, he said.

A section of Kaspersky's new U.S. support site was breached by someone using a SQL injection attack, according to Schouwenberg. In a SQL injection attack, text that an attacker supplies to the site (for example, in a URL parameter or form field) is pasted unchecked into a database query, so the database executes it as part of the query rather than treating it as a plain value. That lets the attacker read, and sometimes modify, data the Web application was never meant to expose.
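The following is an added example, not code from the original article or from Kaspersky's site, that shows the mechanism described above on a constructed, in-memory SQLite database. The schema, table names, sample e-mail addresses and activation codes are all invented for illustration. A support-article lookup that concatenates the `id` parameter into its query lets a UNION-based payload pull rows out of an unrelated customer table; the same lookup written with a bound parameter returns nothing for that input because the parameter can only ever be a value, never SQL.

```python
import sqlite3

# Constructed sample schema and data for the demonstration; not a real site's database.
SCHEMA = """
CREATE TABLE support_articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, activation_code TEXT);
INSERT INTO support_articles VALUES (1, 'Installing on Windows', 'Run the installer as an administrator.');
INSERT INTO support_articles VALUES (2, 'License renewal', 'Open the product and choose Renew.');
INSERT INTO customers VALUES (1, 'alice@example.com', 'AAAA-1111-BBBB-2222');
INSERT INTO customers VALUES (2, 'bob@example.com', 'CCCC-3333-DDDD-4444');
"""


def make_db():
    """Create a fresh in-memory database populated with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, article_id):
    """Vulnerable pattern: the request parameter is concatenated into the SQL text.

    Whatever the attacker puts in article_id becomes part of the statement the
    database parses, so it can append clauses (UNION, OR, comments) of its own.
    """
    sql = "SELECT title, body FROM support_articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, article_id):
    """Hardened pattern: the request parameter is sent as a bound parameter.

    The statement text is fixed; the driver passes article_id to the database
    separately as a value, so it is compared against the id column and never
    interpreted as SQL syntax.
    """
    return conn.execute(
        "SELECT title, body FROM support_articles WHERE id = ?", (article_id,)
    ).fetchall()


# Attacker-controlled input, e.g. the value of an ?id= URL parameter (constructed).
# The leading 0 matches no article; the UNION appends every customer row instead.
INJECTION = "0 UNION SELECT email, activation_code FROM customers"


def leaked_rows(conn):
    """Rows the vulnerable lookup hands back for the injection payload."""
    return sorted(lookup_vulnerable(conn, INJECTION))


def hardened_rows(conn):
    """Rows the parameterized lookup hands back for the same payload."""
    return lookup_parameterized(conn, INJECTION)


if __name__ == "__main__":
    db = make_db()
    print("legitimate request:", lookup_parameterized(db, "1"))
    print("vulnerable + payload:", leaked_rows(db))   # e-mail addresses and activation codes
    print("parameterized + payload:", hardened_rows(db))  # []
```

The vulnerable function never touches the `customers` table in its own code; the attacker reaches it purely through the query text. Bound parameters are the fix, but a realistic review would also confirm that the request parameter is validated as an integer before it is used at all, and that the database account used by the Web tier cannot read tables the support pages have no business reading.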

The portion of the site breached had been developed by an unnamed third party and was not subjected to an internal code review process as it should have been, he said. "Obviously we are not happy about that and are in the process of making the review process stricter than it currently is," he added.

"A more advanced hacker" could have potentially accessed about 2,500 e-mail addresses of customers and about 25,000 product activation codes that were on the compromised server, but that did not happen, Schouwenberg said.

Kaspersky's new U.S. support site went live on January 28 and was publicly launched on January 29, the company said. There is no indication of any other breaches since then, according to Schouwenberg.

A Kaspersky employee in Romania was alerted to the breach on Saturday after seeing a report of it on the Romanian site Hackers Blog, he said. That worker notified Kaspersky staff in the U.S., and within half an hour the affected section of the site was taken down and then replaced with the older version of the site, which was not affected, he added.

Asked if the company was worried its reputation would be damaged as a result of the attack, Schouwenberg said: "Honestly speaking, yes. This is not good for any company, especially a company dealing with security. This should not have happened. We are doing everything within our power to do the forensics on this case and to prevent this from ever happening again."

Someone taking credit for the breach had sent an e-mail warning the company about the problem one hour before the attack, "which gave us little if any chance to respond" in a timely manner, he said.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
5 Comments
by Michichael February 9, 2009 4:29 PM PST
Sounds like a fairly whitehat thing to do: find a problem, warn about the problem, and demonstrate the problem. I think they shouldn't have done such a public demonstration though.
by Dalkorian February 10, 2009 9:11 AM PST
Maybe not, but it DID get their attention. That can be difficult with some of these companies, you know.
by clerkandrew February 10, 2009 5:14 AM PST
The BitDefender Portugal website isn't created or maintained by BitDefender; it's maintained by a local reseller, so there is not a real problem like the hack at usa.kaspersky.com, where the site is created and maintained by Kaspersky.
by Heebee Jeebies February 10, 2009 8:15 AM PST
It just goes to show that there is no such thing as secure security. We just have to do the best we can, be as diligent as possible and don't do anything stupid. But, even then where there is a will there is a way. With any luck the owners of both sites will figure out what happened and use that information to better themselves and improve protection. Then they can all wait for the next one.

Robert
by johnfranks1234 February 11, 2009 4:43 PM PST
Most companies enjoy "security" insofar as they haven't been targeted, or had an employee make a human error with catastrophic exposure. PricewaterhouseCoopers and Carnegie-Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture; absent new eCulture, breaches will, and continue to, increase. As CIO, I'm constantly seeking things that work, in hopes that good ideas make their way back to me. Check your local library: a book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities; read the book BEFORE you suffer a bad outcome, or propagate one.