A hacker has launched a SQL injection attack against the US Web site of Moscow-based Kaspersky Lab and posted listings of the tables it contains. The hacker, known as Unu, posted screenshots and a list of tables to a blog on February 7, after breaking into the security company's support site through a simple SQL injection: by altering a request parameter, he could expose database contents without needing any username or password.
Even though Kaspersky is one of the leading companies in the security and antivirus market, it was unable to secure its own database: altering a parameter gave access to tables of users, activation codes and more. After being made aware of the breach, the company shut down the vulnerable parts of the Web site within 15 minutes and reinstated the old version of the support site.
The site appears to have been vulnerable for a total of 10 days; the flaw was overlooked because of a processing error that led to a lack of proper scrutiny. Kaspersky representatives say they will do their best to improve the process further and will be stricter to prevent this kind of thing from happening again. The company is also arranging an external audit to determine the nature of the hack and the process improvements that could prevent it in the future.
The hacker was traced to Romania. He infiltrated the company's Web site and lifted the names of the tables, but no other data, such as e-mail addresses or activation codes, was taken. Fortunately, customer credit card information is handled by a separate third party and is not stored on the site.
Although the hacker tried to access the contents of those tables, he got no further than their names. This suggests he was not especially advanced; a more skilled attacker could have reached some of the data he claimed he could. One hour after e-mailing the company to alert it to the breach, the hacker went public with the vulnerability.
It is worth asking why the hacker struck when he did. The hack was conducted while almost all of the security company's executive team and several of its senior security researchers were out of town at Kaspersky Lab's 2009 Partner Conference, held in Fajardo, Puerto Rico, on February 5-8.
Analysts recommend security measures for organizations to consider: limit the ability of unauthenticated or casual users to reach backend databases at all, restrict the authority an attacker can obtain if they do get in, and reduce their ability to escalate privilege by exploiting vulnerabilities in the underlying application. Whether more SQL injection attacks of this kind follow remains to be seen.
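The vulnerability class described above and the analysts' advice, shown as an added example that is not from the article, from Kaspersky or from the attacker. It uses Python's standard sqlite3 module with a constructed in-memory schema whose table names (users, activation_codes, kb_articles) and rows are assumptions; the hypothetical support-site lookup, the payload and the helper names are likewise mine. The vulnerable handler pastes the URL parameter into the query text, so a crafted value pulls table names out of the database catalogue (sqlite_master here; information_schema.tables on MySQL). The hardened handler validates and binds the parameter. An authorizer callback then stands in for a least-privilege database account, showing that the same injection is refused when the web tier can read only the one table it needs.

```python
import re
import sqlite3

# Constructed demo schema (an assumption): table names echo the kinds of tables
# the article says were listed; the rows are invented.
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE activation_codes(id INTEGER PRIMARY KEY, code TEXT);
CREATE TABLE kb_articles(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO users VALUES (1, 'alice', 'alice@example.com');
INSERT INTO activation_codes VALUES (1, 'AAAA-BBBB-CCCC-DDDD');
INSERT INTO kb_articles VALUES (1, 'How to update', 'Run the updater.');
INSERT INTO kb_articles VALUES (2, 'License FAQ', 'See activation.');
"""

# A payload of the kind that turns an article lookup into a catalogue dump.
# sqlite_master is SQLite's table catalogue; on MySQL the equivalent target
# would be information_schema.tables.
TABLE_DUMP_PAYLOAD = "1 UNION ALL SELECT name FROM sqlite_master WHERE type = 'table'"


def build_demo_db():
    """Fresh in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, article_id):
    """Hypothetical support-site handler: the URL parameter becomes part of the SQL text."""
    sql = "SELECT title FROM kb_articles WHERE id = " + article_id
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, article_id):
    """Same lookup with input validation and a bound parameter: the value is data, never SQL."""
    if not re.fullmatch(r"[0-9]+", article_id):
        raise ValueError("article id must be a positive integer")
    sql = "SELECT title FROM kb_articles WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(article_id),))]


def restrict_to_tables(conn, allowed):
    """Least privilege for the web tier: this connection may read only the listed tables.

    On a real server this is a dedicated database account with narrow GRANTs.
    SQLite has no accounts, so an authorizer callback plays that role: any read
    of a table outside the allow list, the catalogue included, is refused when
    the statement is compiled.
    """
    def authorizer(action, table, column, db_name, trigger):
        if action == sqlite3.SQLITE_READ and table not in allowed:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def lookup_on_restricted_db(conn, article_id):
    """Run the still-vulnerable handler over a least-privilege connection.

    Returns the rows for a legitimate id, or None when the database refuses
    the query instead of leaking other tables.
    """
    try:
        return vulnerable_lookup(conn, article_id)
    except sqlite3.DatabaseError:
        return None


if __name__ == "__main__":
    conn = build_demo_db()
    print("normal:    ", vulnerable_lookup(conn, "1"))
    print("injected:  ", vulnerable_lookup(conn, TABLE_DUMP_PAYLOAD))
    try:
        hardened_lookup(conn, TABLE_DUMP_PAYLOAD)
    except ValueError as exc:
        print("hardened:  ", exc)
    restrict_to_tables(conn, {"kb_articles"})
    print("least-priv:", lookup_on_restricted_db(conn, TABLE_DUMP_PAYLOAD))
```

The two defences are independent and both belong in place: parameter binding removes the injection, and the restricted account limits what an injection that slips past it elsewhere in the application can reach. Note that the restricted connection still serves the legitimate lookup unchanged, which is the test a least-privilege grant has to pass before it can be rolled out.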
© 2007 - 2009 - eFluxMedia