COMMENTARY: The Implications of the Kaspersky SQL Injection Attacks
The blogs are abuzz tonight following reports that the Moscow-based anti-virus company Kaspersky has not secured the web application(s) on its US servers from SQL Injection attacks.
I have been a fan of Kaspersky because I found their anti-virus software to be effective, and I have often recommended it. If the reports are true, I hope Kaspersky resolves the vulnerability quickly, and puts in place layers of security to protect against similar vulnerabilities in the future. I have not personally attempted to replicate this attack on Kaspersky’s servers. Attempting such penetration tests might constitute a federal felony.
If the report turns out to be accurate, it would be a black eye for Kaspersky. The blogger who first reported the attack has, so far, withheld the confidential information he was able to glean from the site. It is not a stretch to assume that members of the Dark Web have tried similar attacks, and they usually use the confidential information they are able to steal to make money by conducting further information crimes.
There is a reason why the PCI credit card standard mandates running either a Web Application Scanner (WAS) or a Web Application Firewall (WAF). In my day job as a security consultant, I regularly encounter IT managers who say they are compliant with PCI, but in reality they are not. Failure to run a WAS or WAF is one of the most frequently missing elements.
In the face of constant Dark Web attacks, it is prudent for companies to run a WAS, a WAF, and to perform web application logic and code checks. It's prudent to have these layers of security for all entities running web applications, regardless of any PCI mandates.
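The "code check" layer mentioned above is where SQL injection is actually eliminated rather than merely filtered. The following is an added example, not code from the original post and not anything related to Kaspersky's servers: it puts a query built by string concatenation beside the parameterized form, runs both against a constructed in-memory SQLite table, and shows that the same input returns every row from the first and nothing from the second. All table names, sample users and function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration only (hypothetical users).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The pattern a code review should flag: user input is spliced into the SQL text,
    so a quote character in the input can change the structure of the query."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the input is bound as a value by the database driver and can only
    ever be compared against the column, never parsed as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both lookups on a fresh database and return the rows each one produced."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "parameterized": lookup_parameterized(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign lookup behaves identically in both versions; a quote-bearing input
    # does not. The row counts make the difference visible.
    for probe in ("alice", "' OR '1'='1"):
        result = compare(probe)
        print(repr(probe), "vulnerable:", len(result["vulnerable"]),
              "parameterized:", len(result["parameterized"]))
```

The row counts are what a scanner or a reviewer is really looking for: a lookup that should match at most one user but returns the whole table is the symptom, and the concatenated query string in `lookup_vulnerable` is the root cause. A WAF can block some inputs that trigger the symptom; only the parameterized form removes the cause.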
Yikes! To borrow a phrase, “Moscow, we (may) have a problem.”
Disclosure: The information security company I work for offers Web Application Scanning and Web Application Firewalls as part of its information security offerings. That company also offers a variety of anti-virus and anti-malware solutions.
Tip: Kaspersky is often mispronounced by Americans. Many say: Kah-PEAR-skee. But if you look closely at the name of the company and the name of the founder, it is pronounced: Kah-SPARE-skee.
I have not contacted Kaspersky for a comment on this vulnerability. You can read more about this possible vulnerability at The Hacker’s Blog.