COMMENTARY: The Implications of the Kaspersky SQL Injection Attacks

The blogs are abuzz tonight following reports that the Moscow-based anti-virus company Kaspersky has not secured the web application(s) on its US servers from SQL injection attacks.

I have been a fan of Kaspersky because I found their anti-virus software to be effective, and I have often recommended it. If the reports are true, I hope Kaspersky resolves the vulnerability quickly, and puts in place layers of security to protect against similar vulnerabilities in the future. I have not personally attempted to replicate this attack on Kaspersky’s servers. Attempting such penetration tests might constitute a federal felony.

If the report turns out to be accurate, it would be a black eye for Kaspersky. The blogger who first reported the attack has, so far, withheld the confidential information he was able to glean from the site. It is not a stretch to assume that members of the Dark Web have tried similar attacks, and they usually use the confidential information they manage to steal to make money by committing further information crimes.

There is a reason why the PCI credit card standard mandates running either a Web Application Scanner (WAS) or a Web Application Firewall (WAF). In my day job as a security consultant, I regularly encounter IT managers who say they are compliant with PCI, but in reality they are not. Running neither a WAS nor a WAF is one of the most frequently missing elements.

In the face of constant Dark Web attacks, it is prudent for companies to run a WAS, a WAF, and to perform web application logic and code checks. It is prudent to have these layers of security for all entities running web applications, regardless of any PCI mandates.
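As an added illustration of what the "code checks" layer is looking for (this is example code, not code from the post or from Kaspersky's site), the Python below puts a lookup that splices user input into the SQL text beside its parameterised form, runs both against a constructed in-memory SQLite table, and applies a crude check that flags SQL assembled from strings in a constructed source snippet; every table, column and function name is an assumption.

```python
import sqlite3

SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE")
# Signs that SQL text is being assembled from variables (constructed list, not exhaustive).
CONCAT_MARKERS = ('" +', "' +", '" %', "' %", ".format(", 'f"', "f'")


def build_db():
    """Constructed in-memory stand-in for a customer lookup table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", "Alice"), ("bob@example.com", "Bob")])
    return conn


def lookup_vulnerable(conn, email):
    """Anti-pattern: input spliced into the SQL text can change the query's structure."""
    sql = "SELECT name FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Parameterised form: the value travels separately and is compared as a literal."""
    sql = "SELECT name FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def flag_concatenated_sql(source):
    """Crude code-check layer: 1-based line numbers where SQL is built from strings."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        upper = line.upper()
        if any(k in upper for k in SQL_KEYWORDS) and any(m in line for m in CONCAT_MARKERS):
            hits.append(number)
    return hits


# Constructed snippet of application code for the check to scan.
SAMPLE_SOURCE = (
    "q1 = \"SELECT name FROM users WHERE email = '\" + email + \"'\"\n"
    "q2 = \"SELECT name FROM users WHERE email = ?\"\n"
    "q3 = \"DELETE FROM sessions WHERE id = %s\" % sid\n"
)

if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # tautology showing why query structure must never come from input
    print("vulnerable:", lookup_vulnerable(db, probe))        # both rows returned
    print("safe:      ", lookup_safe(db, probe))              # no match
    print("flagged lines:", flag_concatenated_sql(SAMPLE_SOURCE))  # [1, 3]
```

The parameterised lookup returns nothing for the probe because the driver compares it as a literal string; the flagged lines are the ones a code review would send back.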

It seems that many organizations build their web applications based upon the functions they need the site to perform, THEN they go back in to add security. I don’t know if this was the case with Kaspersky, but that practice is the norm in my experience. And the consequences of putting security at the end of the project are high. Listen to Episode 39 of the Data Security Podcast to learn how Geeks.com got busted by the FTC for putting security in place AFTER their site was up and running. The FTC case, in part, relied upon Geeks.com’s own Privacy Policy.

I don’t know if the FTC will go after Kaspersky, but it seems that the legal theory used to bust Geeks.com might be applicable. Indeed, the Kaspersky US web site’s Privacy Policy states: “We have taken security measures, consistent with international information practices, to protect your personal information. These measures include technical and procedural steps to protect your data from misuse, unauthorized access or disclosure, loss, alteration, or destruction.”

Yikes! To borrow a phrase, “Moscow, we (may) have a problem.”

[Image caption: User, Host Name and Password for mysql.user]

[Image caption: Moscow, we (may) have a problem]

Disclosure: The information security company I work for offers Web Application Scanning and Web Application Firewalls as part of its information security offerings. That company also offers a variety of anti-virus and anti-malware solutions.

Tip: Kaspersky is often mispronounced by Americans. Many say: Kah-PEAR-skee. But if you look closely at the name of the company, and the name of the founder, it is pronounced: Kah-SPARE-skee.

I have not contacted Kaspersky for a comment on this vulnerability. You can read more about this possible vulnerability at The Hacker’s Blog.
