Kaspersky patch own back yard, but delude self

By David M Williams
Monday, 09 February 2009 15:34

Market

Technology security firm Kaspersky suffered egg on its face this weekend after a hacker posted details, including screenshots, of a successful SQL injection attack on the firm's web site. Kaspersky have released an official statement which suffers from an amazing dose of reality denial.

Earlier I reported on iTWire about Kaspersky’s ironic vulnerability to SQL injection, surely one of the most publicised exploits that database developers learn to guard against.

Kaspersky have put out an official statement on the matter which says

“On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site.

“The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn’t critical and no data was compromised from the site.”

It’s a typical media statement and it’s what you would expect a company to say. It gives a reassuring message that, while acknowledging an exploit was possible, nothing happened. An attack attempt failed, Kaspersky reacted super-fast, and no data was laid bare.

The problem is, it’s all a load of crock.

First, the hacker who reported the vulnerability – unu – did more than just “attempt” anything. The screenshots given show a successful breach of the Kaspersky web site.

Further, unu lists all the database tables used by the site. It is a bald-faced lie to say no data was compromised. Perhaps a more accurate wording would be that nobody who accessed the site chose to publicise the data they saw. That’s quite different to “no data was compromised.”

In fact, Kaspersky are being duplicitous when they say the site was only vulnerable for a brief time, and moreso when they say the vulnerability was eliminated within a rapid time frame.

Firstly, the vulnerability has existed – whether known or not – since the time the version of the website compromised by unu had been put into production.

Secondly, according to an administrator at the hackerblog web site that unu used to publish the vulnerability, unu had only gone public after many failed attempts to get Kaspersky to take the matter seriously.

It transpires unu sent e-mails to info@kaspersky.com, forum@kaspersky.com and webmaster@kaspersky.com days earlier. Nobody from Kaspersky responded and nobody patched the site.

Finally, unu posted a description of the problem with accompanying screenshots and only then did Kaspersky react. Even then, it wasn’t swift. According to The Register other people were able to reproduce unu’s exploit based on the information presented in the blog posting, announcing that it was active the entire day following unu’s announcement.

I’m sure Kaspersky have been humbled by the experience and are keen to save face. Yet, lying about what took place is just an insult to the Internet community including their own customers.