The Inquirer

Insecurity vendor's website gets hacked

A fox gets into the hen house
Wed Oct 20 2010, 16:18

INSECURITY VENDOR Kaspersky Labs suffered a shocker over the weekend with the firm's US website getting hacked.

Aside from the obvious irony that a firm that claims to peddle "Industry-leading Antivirus Software" had its shop front defaced and credibility tarnished, users were put at risk for over three hours by being redirected to another website containing malware. The firm is blaming the hack on security vulnerabilities in a third party application that it uses for administration.

The attack meant that those who wanted to download Kaspersky's consumer products were redirected to a website that was "simulating a Windows XP Explorer window and a popup window showing scanning process on the local computer". It also offered up a fake antivirus program to install.

It took the firm over three hours to find out that it was inadvertently peddling malware to its users, but apparently once it figured out what was going on, it took Kaspersky a further 10 minutes to remove it. The firm now says that a "complete audit" has been carried out on all of its websites and that the compromised server is now "secure and fully back online".

Kaspersky also said that no personal data was accessed in the attack, though it followed that up by essentially admitting that it doesn't know the full consequences of the hack. In a statement the firm said, "Our researchers are currently working on identifying any possible consequences of the attack for affected users, and are available to provide help to remove the fake antivirus software."

A website hack is a very public embarrassment for any firm, but for one that promotes itself as a security vendor it is shameful. Although the firm said no personal data was obtained, questions must be asked: how did a firm that one would assume uses its own software and researchers to vet third-party applications get caught out in this manner? Not only that, the three-hour delay before the alarm was raised also prompts the question of who, or what piece of software, was asleep on the job of threat detection.

For Kaspersky Labs, it will be imperative not only to ensure that similar embarrassments do not occur again but also to rebuild the firm's reputation as a competent insecurity vendor.


Comments
3 hours, then 10 minutes

Well, it may not be glorious, but at least it's a far cry from Microsoft-levels of incompetence.

posted by: Pascal Monett, 21 October 2010
kaspersky fail

Also in a totally unrelated incident Gmail.com was blocked yesterday by Kaspersky anti-phishing filter.
One might be tempted to think that Kaspersky knows better than to false positive in their phishing database the most popular address, but one would be wrong.
I guess the McAfee false positive catastrophe earlier this year was just the beginning.

posted by: kaspersky fail, 20 October 2010
So that's...

... EPIC Security FAIL.

posted by: Erick, 20 October 2010