Word came out this weekend that the U.S. support site for the AV vendor Kaspersky Labs was compromised by attackers. Earlier this week an attacker used a SQL injection attack to compromise a section of the usa.kaspersky.com website and posted a list of database tables fetched via the compromise on the hackersblog.org website.
According to Roel Schouwenberg, a senior virus analyst at Kaspersky, the problem occurred in a piece of code written by a subcontractor for the U.S. office that did not go through the standard code review process. The code was in production for approximately 10 days before the attacker discovered the problem, and it was remediated some 5 hours after the detection of the attack. The attackers have claimed that they gave Kaspersky forewarning of the compromise, but it appears the notice came in approximately 1 hour before the attacker went public with the list of tables from the support database.
While a dump of the database tables was accessed, it doesn't look like the attacker acquired anything of value. No credit card or financial account information was available for download. There were 2,500 e-mail addresses available in the database, but it appears at this time that they were not pulled from the system before the attacker announced the compromise.
The impact of the attack will be more on the P.R. side of the balance sheet than anywhere else. Kaspersky realizes this, and has retained renowned database security expert David Litchfield to conduct an independent audit of the incident; the company expects his initial report within the next few days.
Moral of the story? Even people in the security business have bad days and make mistakes. Kaspersky is setting a solid example of how to recover from a mistake by keeping analysts in the loop and rapidly retaining a third party to conduct an independent audit.