An independent audit of a data breach at security firm Kaspersky's U.S. Web site has confirmed that no customer data was exposed, Kaspersky said on Friday.
A Romanian hacker site used a SQL injection and cross-site scripting attack to get access to a database on a Web site of the Moscow-based Kaspersky and publicized the attack on Saturday.
Kaspersky announced on Monday that it would hire database security expert David Litchfield to analyze the breach.
In the report, Litchfield concludes that an attacker based in Romania used Google to search for Web servers owned by Kaspersky running applications that may be vulnerable to a SQL injection attack, launched an attack, and attempted to gain access to customer data, but failed.
"This caused a number of other attackers from various locations to probe the site further," the report said. "None of these follow-up attackers accessed any customer data either."
The report was delivered to Kaspersky on Thursday.
The same HackersBlog site also launched subsequent SQL injection attacks on Web sites of two other security firms, BitDefender and F-Secure.
(Credit: F-Secure)
Helsinki-based security firm F-Secure said on Thursday that a breach of its Web site earlier in the week by a Romanian hacker site was limited in scope and impact.
On Wednesday the HackersBlog site said it had used a SQL injection and cross-site scripting attack to get access to data on an F-Secure Web site. Earlier, the site had launched similar attacks on a site of security firm Kaspersky and one belonging to a partner of BitDefender.
F-Secure said the problem with its site was due to a bug in a Web application and not related to an unpatched system.
"One of our servers used in gathering malware statistics had a page that didn't properly sanitize input and was therefore vulnerable to attack," spokesman David Frazer said in an e-mail. "Fortunately we utilize defense-in-depth strategies so the attack was only partly successful. The Server was taken down immediately after the blog was discovered to ensure the SQL injection was contained and to also analyze the level of the threat."
Although the attackers could read the F-Secure database information, they were not able to write or manipulate the data and were unable to access any other data on that server because the SQL user only had access to its own database, he said. The data accessed was statistics information used for marketing purposes, he added.
"So while the attack is something we must learn from, it was very minimal with no impact to F-Secure, our partners or our customers," Frazer said.
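The two controls Frazer describes, input that is not pasted straight into the query and a database account that can only read its own data, as an added example that is not F-Secure's code (the statistics table, its rows, and the sqlite3 authorizer standing in for a SELECT-only account are assumptions):

```python
import sqlite3

# Constructed sample rows standing in for the "malware statistics" table
# the F-Secure statement describes; schema and values are assumptions.
SAMPLE_ROWS = [
    ("Trojan.Sample.A", 2008, 1200),
    ("Worm.Sample.B", 2008, 450),
    ("Trojan.Sample.C", 2007, 90),
]
WRITE_ACTIONS = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE,
                 sqlite3.SQLITE_DELETE, sqlite3.SQLITE_DROP_TABLE}

def make_db():
    """Build the in-memory statistics database from the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stats (family TEXT, year INTEGER, hits INTEGER)")
    conn.executemany("INSERT INTO stats VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def restrict_to_reads(conn):
    """Stand-in for a database account granted SELECT only: the sqlite3
    authorizer refuses any statement that would modify or drop data."""
    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)
    return conn

def lookup_unsanitized(conn, family):
    """Vulnerable pattern: the value is pasted into the SQL text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT family, year, hits FROM stats WHERE family = '%s'" % family
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, family):
    """Hardened pattern: the value is bound as a parameter and is compared
    purely as data, whatever characters it contains."""
    sql = "SELECT family, year, hits FROM stats WHERE family = ?"
    return conn.execute(sql, (family,)).fetchall()

def can_modify(conn):
    """True if the connection can change a row; False when the read-only
    restriction blocks it (the 'could read but not write' outcome)."""
    try:
        conn.execute("UPDATE stats SET hits = 0 WHERE family = 'Worm.Sample.B'")
    except sqlite3.DatabaseError:
        return False
    return True
```

With a lookup value that closes the quote and appends an always-true condition, lookup_unsanitized returns every row while lookup_parameterized matches nothing; on a connection passed through restrict_to_reads, reads still succeed but can_modify returns False.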
A Romanian hacker site said on Wednesday it was able to breach the Web site of Helsinki-based security firm F-Secure just as it had gained access to the sites of two other security companies earlier in the week.
F-Secure is "vulnerable to SQL Injection plus Cross Site Scripting," an entry on the HackersBlog site said. "Fortunately, F-Secure doesn't leak sensitive data, just some statistics regarding past virus activity."
An F-Secure spokesman said the company had taken the affected server down and that it was a low-level server that was not critical to the company and had no sensitive or customer data on it, just statistical data for marketing purposes.
"It is slightly embarrassing as a security company that we have had the breach," David Frazer, a spokesman in F-Secure's San Jose, California office, said in a phone interview. "We certainly, as a security company, want to ensure that all of our servers are patched to the levels that they should be."
HackersBlog publicized on its site that it had breached the U.S. Web site of Moscow-based firm Kaspersky on Saturday and the Portugal site of BitDefender on Monday using the same attack techniques.
Kaspersky said on Monday that no sensitive or customer data had been exposed in the breach and that it would ask a database expert to audit its systems. BitDefender said the site that had been breached belonged to an unnamed partner and no customer data was stolen.
SQL injection attacks, in which attacker-supplied input is passed unchecked into the queries a Web site's application sends to its database, have become very popular exploit methods. Cross-site scripting vulnerabilities, which allow malicious code to be injected into Web pages, are also common.
Updated 3:25 p.m. PST with F-Secure comment.
Romanian Hacker site Hackers Blog displayed screen shots of the compromised Kaspersky site.
(Credit: Hackers Blog)
Updated 3:10 p.m. PST with comment from BitDefender.
Moscow-based security firm Kaspersky has hired a security expert to investigate the weekend breach of its U.S. site, the company said Monday.
Meanwhile, the hacker site claiming credit for the breach said on Monday that it had done the same compromise on the Portuguese Web site of antivirus provider BitDefender.
In a statement, BitDefender said an unnamed partner site was compromised and that the company was investigating the incident to help the partner prevent it from happening again. "This was an unfortunate event and while we sympathize with the sites that were affected, BitDefender was not one of those sites," the statement said.
In the Kaspersky breach, which was discovered on Saturday, no sensitive or customer data was compromised, Roel Schouwenberg, a senior antivirus researcher for Kaspersky, said on a conference call with reporters. But to allay concerns about the severity of the problem, Kaspersky has hired David Litchfield, an expert in database security, to conduct an independent audit of the systems involved, he said.
A section of Kaspersky's new U.S. support site was breached by someone using a SQL injection attack, in which unchecked input is used to alter the queries the site's application sends to its database, according to Schouwenberg.
The portion of the site breached had been developed by an unnamed third party and was not subjected to an internal code review process as it should have been, he said. "Obviously we are not happy about that and are in the process of making the review process stricter than it currently is," he added.
"A more advanced hacker" could have potentially accessed about 2,500 e-mail addresses of customers and about 25,000 product activation codes that were on the compromised server, but that did not happen, Schouwenberg said.
Kaspersky's new U.S. support site went live on January 28 and was publicly launched on January 29, the company said. There is no indication of any other breaches since then, according to Schouwenberg.
A Kaspersky employee in Romania was alerted to the breach on Saturday after seeing a report of it on the Romanian site Hackers Blog, he said. That worker notified Kaspersky workers in the U.S. and within half an hour, the affected section of the site was taken down and then replaced with the older, secure version of the site, he added.
Asked if the company was worried its reputation would be damaged as a result of the attack, Schouwenberg said: "Honestly speaking, yes. This is not good for any company, especially a company dealing with security. This should not have happened. We are doing everything within our power to do the forensics on this case and to prevent this from ever happening again."
Someone taking credit for the breach had sent an e-mail warning the company about the problem one hour before the attack, "which gave us little if any chance to respond" in a timely manner, he said.
The U.S. Web site of Russian antivirus vendor Kaspersky Lab was hacked over the weekend, exposing the company's customer database. But Kaspersky denies any data was compromised and says the vulnerability wasn't critical.
An unidentified hacker reported over the weekend that he was able to access a complete profile of the company's databases, revealing its clients' names, activation codes, list of bugs the company tracks, and client e-mail addresses.
The hacker claims to have hacked Kaspersky's databases using an SQL injection attack, which exploits a vulnerability in an application's database layer.
The method has become a popular means to gain information via Web-facing applications or as a way to use popular Web sites to spread malicious software.
Microsoft's U.K. Web site came under a similar attack in 2007 when hackers used an SQL injection to inject HTML code that seemingly defaced its Web pages.
The Kaspersky hacker, who published findings on Hackersblog.org, has since said that confidential data will not be released.
The "Kaspersky team doesn't need to worry about us spreading their confidential stuff. Our staff will never save or keep any confidential data. We just point our fingers to big Web sites with security problems," the hacker reported.
Kaspersky has admitted that a subsection of its USA.Kaspersky.com domain was vulnerable on Saturday when a hacker "attempted an attack on the site."
"The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site," a company representative said in a statement.
Liam Tung of ZDNet Australia reports from Sydney.
More than half of the security vulnerabilities disclosed during 2008 had no patches available from the vendor by the end of the year, according to a report released on Monday by IBM's X-Force research group.
Vendors with the most vulnerabilities disclosed in 2008.
(Credit: IBM X-Force)
Meanwhile, 46 percent of vulnerabilities from 2006 and 44 percent from 2007 still had no patch by the end of 2008, the 2008 X-Force Trend and Risk report said. X-Force documented a record number of 7,406 new vulnerabilities last year.
Overall, Microsoft is the vendor that tops the list in percentage of vulnerabilities disclosed, the report said. The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years, the report said. There were no breakdowns by vendor or operating system for unpatched vulnerabilities.
Most of the spam last year appeared to come from Russia (12 percent), followed by the U.S. (9.6 percent), and Turkey (7.8 percent), although the spam senders could be located in a different location, the report says.
China unseated the U.S. as the country hosting the largest number of malicious Web sites for the first time last year.
Meanwhile, 46 percent of all malware attacks last year were Trojans targeting people playing online games and doing online banking, and 90 percent of phishing attacks targeted financial institutions, according to the report.
Two main trends attackers used last year were SQL injection attacks, in which unchecked input alters the queries a Web application sends to its database, and malicious URLs hosting exploits.
The operating systems with the most vulnerability disclosures in 2008.
(Credit: IBM X-Force)
Updated 2:25 p.m. PST to add that the report does not list which vendors and operating system platforms had the most unpatched vulnerabilities.
The use of malware on Web sites to steal passwords and other sensitive information is skyrocketing, according to a new report from the Anti-Phishing Working Group.
The number of URLs with hidden code for stealing passwords nearly tripled between July 2007 and July 2008, to a record high of 9,529, while the number of malicious-application variants hit a high of 442 this May, the APWG reports in its quarterly report (PDF) issued this week.
(Credit: Anti-Phishing Working Group)
The increase is primarily due to malicious code being planted through SQL injection attacks, in which unchecked input alters the queries a Web site's application sends to its database. Typically, the host site is a legitimate one, such as BusinessWeek's, not a phishing site created for the sole purpose of stealing consumer data.
The financial-services industry is the most targeted sector for phishing attacks, followed by those focusing on auctions and payment services, the report found.
"Cybercriminals continue to increase their activities to levels never before seen in the five years since the APWG has been monitoring phishing and crimeware," APWG Chairman Dave Jevans said in a statement.
The recession is prompting even more malicious activity online, he said.
"The current financial crisis has also been used by phishers to create new scams that try to scare consumers into entering their usernames and passwords into sites that mimic those of well-known distressed financial institutions," Jevans said. "As the economy degrades, we are seeing a continual increase in malicious and criminal activity on the Internet."
Another report issued this week shows that IT security professionals view cybercrime and data breaches as the top security risks, followed by mobility, outsourcing, cloud computing, mobile devices, peer-to-peer file sharing, Web 2.0 services, and malware.
Meanwhile, respondents who work in IT operations listed outsourcing as the biggest risk, followed by mobile devices and cybercrime, in the 2008 Security Mega Trends Survey conducted by The Ponemon Institute on behalf of Lumension Security. In the survey, 577 respondents work in IT security, and 825 work in IT operations.
Of those surveyed, 83 percent of the IT security workers and 79 percent of IT operations professionals reported that their organization had a data breach due to customer or employee information being lost or stolen. Overall, 92 percent of the organizations have experienced a cyberattack.
Another survey, released on Thursday by CA, looks at behaviors and perceptions among American adults and teens of their safety online.
Fifty-seven percent of adults fear that they may become victims of identity fraud online within the next two years, and 90 percent worry about the security of their personal data. Meanwhile, 35 percent of teens leave their social-networking profiles open to viewing by strangers, 38 percent post their education information, 32 percent disclose their e-mail addresses, and 28 percent reveal their birth date.
Updated at 1:15 p.m. with CA study details.
According to a report out Wednesday, antivirus vendor Sophos says it detects one Web page with malicious content every 5 seconds--a trend that is up 300 percent from 2007.
In its Security Threat Report for the first half of 2008, Sophos says it finds just over 16,000 malicious pages each day, mostly the result of SQL-injection attacks on legitimate Web sites, such as the attack on Sony's U.S. PlayStation site in July. One trick criminal hackers use is to plant, via SQL injection, a simple HTML element of 1x1 pixel (about the size of a pin prick) on an infected page; when the page loads, the browser contacts a server running exploit scripts and malicious code. Because the sites themselves are legitimate, some security vendors struggle to block the infected pages.
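A defender's check for the planted 1x1-pixel element Sophos describes, as an added example that is not from the Sophos report (the sample page, its hostnames, and the set of tags inspected are assumptions):

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (assumed data): a normal-looking page with a
# 1x1-pixel frame planted in it that pulls content from an outside host.
SAMPLE_PAGE = """<html><body>
<h1>Product news</h1>
<img src="/images/logo.png" width="120" height="40">
<iframe src="http://attacker-host.example/x.php" width="1" height="1"></iframe>
</body></html>"""

class PixelElementFinder(HTMLParser):
    """Collect img/iframe/script tags sized 1x1 that load from a host other
    than the site's own; ordinary tracking pixels will show up too, so the
    findings are leads for review rather than verdicts."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe", "script"):
            return
        a = dict(attrs)
        host = urlparse(a.get("src") or "").hostname
        if not host or host == self.own_host:
            return  # relative or same-host source: not what we are hunting
        if a.get("width") == "1" and a.get("height") == "1":
            self.findings.append((tag, a["src"]))

def find_pixel_elements(html, own_host):
    """Return (tag, src) pairs for 1x1 external elements found in the page."""
    finder = PixelElementFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Running it over a site's own pages, or over a cached copy after a suspected injection, surfaces the tiny external loads that a visual check of the page would miss.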
As for illegitimate sites, Sophos notes that Geocities and Blogger both make it easy for anyone to set up a Web site without much identification. Blogger, owned by Google, is particularly problematic, says Sophos, with the blog site alone accounting for nearly 2 percent of all malware hosts. It is not only possible for the Blogger sites to host malicious code, but criminal attackers can also inject links to malicious sites in the comments sections of the blogs.
A spokesperson for Google said, "Google takes the security of our users very seriously, and we work hard to protect them from malware. Using Blogger, or any Google product, to serve or host malware is a violation of our product policies. We actively work to detect and remove sites that serve malware from our network."