Anti-virus vendor Kaspersky was hacked over the weekend, allegedly as the victim of a SQL injection attack. It's a disturbing development from my point of view, and it points to a security issue that can affect nearly anyone, even those who should know better. SQL injection is, in my opinion, difficult (though not impossible) to defend against in a live production environment; it's something that needs to be fixed before a site or application goes live.
Officially speaking, Kaspersky put out a statement yesterday noting that they detected an attack but that no restricted information was lost:
The attack was unsuccessful and, despite their attempts, the hackers were unable to gain access to restricted information stored on the website. Claims by the hackers responsible for the attack that they had managed to gain access to user data are untrue.
Though Kaspersky has claimed no data loss, they have hired noted database security expert David Litchfield to look at their databases.
I've sat in Litchfield's security sessions at Black Hat several times, and I've always been overwhelmed with his approach. Litchfield is what I would call a forensic investigator, looking for clues in database table rows that look fairly innocuous to normal humans.
The reality from where I sit is that anti-virus software cannot stop a SQL injection attack. SQL injection is something that typically exists either in the database software itself, which then needs to be patched, or in a configuration-related component that is supposed to ensure that commands are validated in some way.
From an end-user point of view there is no way to defend yourself from being a victim of a SQL injection attack. The web site (or application) itself needs to protect itself and, by extension, its end-users. Whether Kaspersky had unpatched software, some kind of configuration issue, or was hit by a new zero-day attack is currently unknown. What is known is that SQL injection is a very real threat, and one that all vendors must take very seriously.
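To make concrete what "the site itself must protect itself" means in code, here is an added example (not from this post, and nothing to do with Kaspersky's systems): a constructed in-memory SQLite table queried two ways, by splicing input into the SQL text and by binding it as a parameter, plus an allow-list check of the kind a validation layer would apply before the query is built. All names and data are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for the example; not real user records.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: untrusted input is spliced straight into the SQL text,
    so the input can change the structure of the statement, not just a value."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the input is passed as a bound parameter. The database
    treats it purely as data, so it can never alter the query's structure."""
    sql = "SELECT username, email FROM users WHERE username = ? ORDER BY id"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for usernames; anything outside this shape is rejected before a query is built.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username):
    """Input validation as a second, independent layer in front of the query."""
    return USERNAME_RE.fullmatch(username) is not None


# Constructed input whose quote character closes the literal in the unsafe query and
# appends an always-true condition, so the WHERE clause matches every row.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Run the same input through both lookups and report what each returns."""
    conn = build_db()
    return {
        "unsafe": lookup_unsafe(conn, TAUTOLOGY),   # returns every row
        "safe": lookup_safe(conn, TAUTOLOGY),       # returns no rows
        "validated": validate_username(TAUTOLOGY),  # False: rejected before any query
    }
```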