Update la Hackersblog

Am scris nu demult despre white - hacking-ul celor de la http://hackersblog.org asupra kaspersky (usa.kaspersky.com hacked … full database acces , sql injection ), am scris aici. Si apoi urmeaza replica celor de la kaspersky:

The American support website of Kaspersky Lab was illegally accessed by hackers on Saturday, delivering a black eye to a company responsible for providing security solutions to some 250 million users worldwide.

“Yes, this is not good,” Roel Schouwenberg, Kaspersky’s senior anti-virus researcher, said on a conference call Monday with reporters. “This is not good for any company, especially for a company dealing with security. We are now doing everything within our power to do the forensics on this case.”

A Romanian hacker using the nickname “Unu” claimed responsibility for the attack, which leveraged SQL injection to exploit a vulnerability in the site’s code that enabled the hackers to view a list of database tables.

The intruders, however, did not access or leak any data. But Schouwenberg said a more sophisticated hacker could have accessed 2,500 customer email addresses and 25,000 product activation codes that were residing on the server.

The incident affected http://usa.kaspersky.com/support, a new part of the Kaspersky website that officially was launched Jan. 29 and had been live 10 days prior to the breach, Schouwenberg said. The support site was built by a third-party code developer.

Kaspersky learned of the attack at noon Saturday, and 15 minutes later took down the new site and replaced it with the older version, which is still operating, according to the company.

“We fell victim because something went wrong in our internal code reviewing process,” Schouwenberg said. “Obviously, we are not happy about that and we are in the process of making the review process stricter than it currently is.”

The company has hired David Litchfield, considered a leading expert on database security, to conduct a forensic exam. Kaspersky plans to release the results of the study as soon as they are available.

What is not surprising is how the hackers got in. Last year, SQL injection, related to improper validation of user input that allows hackers to run queries on a database, became the most common web-application vulnerability, according to IBM-ISS’ annual X-Force Trend and Risk Report.

Matt Wood, senior security researcher at Hewlett-Packard’s web security research group, said the support site appears to have not been properly vetted prior to going live.

“Any time you roll out any kind of new code, it’s likely to have some kind of problem in it,” he told SCMagazineUS.com on Monday.

Wood said it appears the Kaspersky support site wrongly allowed privileged access.

“There’s no reason your support site needs to have access to mission-critical data on the database,” he said. “That’s Security 101.”

Companies such as Kaspersky — which is headquartered in Moscow, but has offices in Woburn, Mass. — must have a comprehensive process in place to validate the security of new code, especially code developed by third parties.

“There’s a lot of stuff you can do to protect against this sort of thing that it sounds like they didn’t adhere to,” Wood said.

The same Romanian hacker also claimed responsibility for gaining access to the Portuguese website of security firm BitDefender. But a company spokeswoman said BitDefender was not impacted.

“A partner site was compromised, and we are working to investigate exactly what happened so we can help our partner prevent this from happening again,” the spokeswoman told SCMagazineUS.com on Monday. (de aici)

si :

A forensic exam has confirmed Kaspersky Lab’s initial findings that Romanian hackers did not compromise any personal data when they launched an SQL injection attack against the anti-virus company’s U.S. support site. David Litchfield of Next Generation Security Software said in a Thursday report that other attackers, upon learning of the vulnerable site at usa.kaspersky.com, attempted to access data but also were unable.(de aici)

Intrebarea este: Oare cei de la Kaspersky USA, mai navigheaza pe net? Adica mai fac cite un search pe Google, ca sa se mai documenteze?


Sursa
2009-02-13 23:50:01



Comenteaza





Ultimele 25 posturi adăugate

09:04:42Ialoveni Armonios 1994, revelația mondială la 10 euro pe raft —» Fine Wine
11:46:06Sistemul care vrea să răstoarne PAS-ul. Chirtoacă despre mafie, hoție, scandalul din familie și fotbal 🔥💥🔝 —» Sandu GRECU
10:15:29ÎN PRAG DE CARTE NOUĂ —» Leo Butnaru
21:32:05World Cup —» APort | "Pentru un român care știe citi, cel mai greu lucru e să nu scrie." I.L. Carag
09:11:12Franța, după ziua națională —» APort | "Pentru un român care știe citi, cel mai greu lucru e să nu scrie." I.L. Carag
08:16:37DIN ANII 90... —» Leo Butnaru
18:13:09Parteneriatul pentru Europa: primele discuții privind agenda comună de acțiuni 🔝 —» Sandu GRECU
05:35:14DINSPRE MITURI SPRE NOI —» Leo Butnaru
05:27:03POETUL ȘI POEZIA SALVÂNDU-SE DIN GULAG —» Leo Butnaru
13:15:37Moldoveanca Romina Hîncu a cucerit primul său titlu ITF 💥 —» Sandu GRECU
05:59:25PUȚINĂ PEDAGOGIE —» Leo Butnaru
15:55:16🔥🔥🔥 SCANDAL la Comitetul Olimpic! 💥💥💥 CNOS vrea să elimine Federația de lupte din membrii săi! —» Sandu GRECU
19:18:28Vasile Tarlev: Nu eu am distrus Stadionul Republican. Atacant la echipa Bucuria. Despre Voronin și circ —» Sandu GRECU
19:13:06Tehnologie, energie verde și investiții în tineri: Istoria de succesului a Agro-Firmei „Plaiul Bîrlădean” 🌞 —» Sandu GRECU
19:07:23„Rolul meu ca primar nu este să fac promisiuni, ci să livrez rezultate” – Leonid Boaghi, primarul satului Sireți 💫 —» Sandu GRECU
17:04:57Fosta ambasadoare în India se judecă cu Ministerul de Externe —» Curaj.TV | Media alternativă
15:25:42Despre scandalul de la Dumbrava, BH (Live) —» Curaj.TV | Media alternativă
09:29:40DIN REVISTA DE TRADUCERI LITERARE —» Leo Butnaru
20:44:08De la pasiunea pentru arta culinară, la o carieră de succes în managementul ospitalității: Povestea Ninei Stratu 💫 —» Sandu GRECU
07:13:21Copyright: Deciziile vicedirectorului AGEPI, au costat autorii peste 7 milioane de lei 🤬🤬🤬 —» Sandu GRECU
04:40:33LACONICE —» Leo Butnaru
18:31:28Muzica unește generații. Gheorghe Mustea, sărbătorit la 75 de ani printr-un concert aniversar la Chișinău —» Curaj.TV | Media alternativă
18:31:28Muzica unește generații. Gheorghe Mustea, sărbătorit la 75 de ani printr-un concert aniversar la Chișinău —» Curaj.TV | Media alternativă
13:22:13Cu hijab-ul la defilare —» APort | "Pentru un român care știe citi, cel mai greu lucru e să nu scrie." I.L. Carag
18:56:52Păcălit de avocați și de magistrați (ru) —» Curaj.TV | Media alternativă