It all kicked off last night with a posting to a hacker board claiming to have carried out a relatively simple SQL injection attack on one of the world's biggest and best known IT security companies: Kaspersky.
The hacker, currently known only as 'unu', claims that the SQL injection attack on usa.kaspersky.com has exposed activation codes, user details, bug lists and so on. "Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own databases. Seems incredible but unfortunately, it's true. Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc" unu says.
If this proves to be true, and Kaspersky has yet to confirm or deny the claims, it will be hugely embarrassing, because the attack relies on one of the simplest hacking techniques there is - the old change-a-bit-of-the-URL trick, in which an attacker edits a query parameter so that its value is run as part of the site's SQL query instead of being treated as plain data. Here at DaniWeb we exposed how an online visa application system fell victim to the same tactic, potentially exposing the personal details, including passport numbers and travel plans, of hundreds of thousands of Indian citizens. Our revelation ultimately led to the UK Foreign Office being found guilty of breaching the Data Protection Act.
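To show what "alter one of the parameters" means in practice, here is an added illustration that is not code from the original article and has nothing to do with Kaspersky's actual site or schema. It assumes a hypothetical product page that reads an `id` parameter from the URL and builds its query by string concatenation, alongside the parameterised version that defeats the same inputs. The tables, rows and URLs are all constructed for the example.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs


def build_db():
    """Constructed sample data: a toy shop database standing in for
    whatever a real site might hold. Not Kaspersky's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, activation_code TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Antivirus", "KEY-0001"),
        (2, "Internet Security", "KEY-0002"),
        (3, "Mobile", "KEY-0003"),
    ])
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),
        (2, "bob@example.com", "e10adc3949ba59abbe56e057f20f883e"),
    ])
    return conn


def id_from_url(url):
    """Pull the 'id' query parameter out of a URL, URL-decoded,
    exactly as a naive page handler would."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]


def lookup_vulnerable(conn, url):
    """The classic mistake: the parameter is spliced into the SQL text,
    so whatever the visitor puts in the URL becomes part of the query."""
    pid = id_from_url(url)
    sql = "SELECT id, name, activation_code FROM products WHERE id = " + pid
    return conn.execute(sql).fetchall()


def lookup_safe(conn, url):
    """Hardened version: the value is validated as an integer and then
    bound as a parameter, so it can never change the query's structure."""
    pid = id_from_url(url)
    try:
        pid_int = int(pid)
    except ValueError:
        return []          # reject anything that is not a plain product id
    return conn.execute(
        "SELECT id, name, activation_code FROM products WHERE id = ?",
        (pid_int,),
    ).fetchall()


if __name__ == "__main__":
    # Hypothetical host name used only for this demonstration.
    base = "http://shop.example/product.php?id="
    normal = base + "1"
    tautology = base + "1%20OR%201=1"                       # id=1 OR 1=1
    union = base + "0%20UNION%20SELECT%20id,%20email,%20pwhash%20FROM%20users"
    for label, url in (("normal", normal), ("tautology", tautology), ("union", union)):
        print(label, "vulnerable ->", lookup_vulnerable(build_db(), url))
        print(label, "safe       ->", lookup_safe(build_db(), url))
```

With the normal URL both handlers return the single product. Changing the parameter to `1 OR 1=1` makes the vulnerable handler dump every product, and the `UNION SELECT` variant pulls rows out of a completely different table, which is how a single editable parameter turns into "users, activation codes, admins, shop". The parameterised handler returns exactly the same single row for the legitimate request and nothing at all for either attack string.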
So has Kaspersky been hacked? Kaspersky is obviously investigating and will no doubt issue a statement sooner rather than later. I would expect one by first thing Monday morning at the very latest if it wants to keep a lid on this thing. However, the screenshots posted at the hacker blog certainly look convincing enough and do suggest that it could be for real.
The Register reports that this is not the first time Kaspersky has been on the wrong end of a SQL injection attack. El Reg says Kaspersky's Malaysian site and some subdomains were defaced by a pro-Turkish hacker in July, and that there have been some 36 Kaspersky website defacements in total since the year 2000.
Gunter Ollmann, the chief security strategist at IBM Internet Security Systems, is certainly in no doubt over the seriousness of the claim, warning "...this type of critical flaw can probably be used to usurp legitimate purchases and renewals of their products - which could include the linking to malicious and backdoored versions of their software - thereby infecting those very same customers that were seeking protection from malware in the first place."