
Kaspersky fails to protect itself from website hack


Kaspersky is a leading security and anti-virus software company. Yet, this weekend a poster on the hackersblog.org forum demonstrated that Kaspersky's web site was vulnerable to one of the most widely publicised attack methods in existence: SQL injection. Pictures included!

Ahh, SQL injection, will you never die?

This term describes a method hackers and crackers can employ to gain unauthorised access to a web site's data. As the name suggests, fragments of SQL are 'injected' through the web site's legitimate input fields (a login form, a search box, a parameter in the URL). The attack relies on back-end code that pastes that input straight into the text of a database query without validating or escaping it, so that characters such as a stray quote mark stop being data and become part of the SQL command the database executes.

SQL is the near-universal query language of database systems of all makes and models. Any reasonably sized web site is database driven, particularly if it allows user logins, placement of orders, listing and editing of contact details, and other such commonplace and mundane aspects of doing business online.

Because databases underpin so much of the web, there are an awful lot of web sites which are potentially susceptible to SQL injection.

Then again, because the risks are real, it's a topic which has surely been covered to death in technical literature. There is no excuse for a modern software developer to be unaware of the problem, or to fail to code defensively against it: the standard remedy, parameterised queries that keep user input separate from the SQL text, has been available in every mainstream database library for years.
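To make the mechanism and the fix concrete, here is an added example (not code from the article, nor from Kaspersky's or hackersblog.org's site) using Python's built-in sqlite3 module and a constructed, in-memory users table. The vulnerable login function builds its query by string concatenation, exactly the habit described above; two classic payloads, one that comments out the password check and one that appends a tautology, are run against it and then against a parameterised version of the same query. The table contents, the function names and the payloads are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real site.
SAMPLE_USERS = [
    ("admin", "s3cret"),
    ("alice", "hunter2"),
    ("bob", "password1"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The classic mistake: user input is pasted straight into the SQL text.

    A quote mark in the input closes the string literal early, so whatever
    follows it is parsed as SQL rather than as data.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query).fetchall()]


def safe_login(conn, username, password):
    """Parameterised query: the statement and the values travel separately.

    The driver binds the values into placeholders, so no input can alter the
    structure of the query. The payloads below simply fail to match a row.
    """
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


def demo():
    """Run legitimate and malicious inputs against both versions."""
    conn = make_db()
    results = {}

    # Normal use: the right credentials return exactly one account.
    results["legit_vuln"] = vulnerable_login(conn, "alice", "hunter2")

    # Payload 1: close the username literal and comment out the rest.
    # Resulting SQL: ... WHERE username = 'admin' --' AND password = 'anything'
    results["comment_vuln"] = vulnerable_login(conn, "admin' --", "anything")

    # Payload 2: tautology in the password field.
    # Resulting SQL: ... AND password = '' OR '1'='1'   (returns every row)
    results["tautology_vuln"] = vulnerable_login(conn, "x", "' OR '1'='1")

    # The same payloads against the parameterised query match nothing.
    results["comment_safe"] = safe_login(conn, "admin' --", "anything")
    results["tautology_safe"] = safe_login(conn, "x", "' OR '1'='1")

    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that "validation" alone is not the fix. Filtering quote marks out of input will be bypassed sooner or later (different encodings, numeric fields that need no quotes at all); what actually closes the hole is the parameterised query, which prevents input from ever being interpreted as SQL.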

Yet, it happens. I demonstrated SQL injection myself, explaining how I penetrated two web sites within mere minutes using it.

Disappointingly, neither site has taken any precautionary measures to patch the problem. I wrote to them when I filed the story. Neither responded. I wrote again, and again, neither responded.

Nevertheless, these were two 'regular' businesses. One was a magazine distributor and the other a beverage vending machine stockist. You'd be excused for thinking management may not grasp the nature, or ramifications, of the problem (although their developers ought to).

It’s totally different when a well-known security company is subject to SQL injection however. Sure enough, this weekend it was revealed Kaspersky were ripe for exploitation in this precise manner.

No doubt there are plenty of red faces at Kaspersky today. They’re an IT company. They’re a web-savvy company. Worse, they’re a security company. They stake their reputation on their understanding of, and dealing with, security threats.

Yet here they are, proven vulnerable to a security flaw which is widely publicised and discussed. It’s not like it was something obscure.

More information, including pictures, over the page!
