SQL injection attacks led to Heartland, Hannaford breaches
Details of the attacks could spur focus on Web app security
Computerworld - This week's disclosure that the huge data thefts at Heartland Payment Systems and other retailers resulted from SQL injection attacks could finally push retailers to pay serious attention to Web application security vulnerabilities, just as the breach at TJX focused attention on wireless issues.
A federal grand jury on Monday indicted Albert Gonzalez and two unidentified Russian accomplices on charges related to data intrusions at Heartland, Hannaford Bros., 7-Eleven and three other retailers. Gonzalez is alleged to have masterminded an international operation that stole a staggering 130 million credit and debit card numbers from those companies. Gonzalez and 10 other individuals were indicted in May 2008 on charges related to similar intrusions at numerous other retailers, including TJX Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
Court documents filed in connection with Monday's indictment spelled out how Gonzalez and his accomplices used SQL injection attacks to break into Heartland's systems and those of the other companies. Once they gained access to a network, the attackers then planted sophisticated packet-sniffing tools and other malware to detect and steal sensitive payment card data flowing over the retailers' networks.
In SQL injection attacks, hackers can take advantage of poorly coded Web application software to introduce malicious code into a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate the data a user might enter on a Web page -- such as when ordering something online. An attacker can take advantage of this input validation error to send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems on the network. Large Web applications have hundreds of places where users can input data, each of which can provide a SQL injection opportunity.
The vulnerability is well understood, and security analysts have warned retailers about it for several years. Yet a large number of all Web-facing applications are believed to contain SQL injection vulnerabilities -- a fact that has made SQL injection the most common form of attack against Web sites.
"We see SQL injection as the top attack technique on the Web," said Michael Petitti, chief marketing officer at Trustwave, a Chicago-based company that conducts security and compliance assessments for some of the largest retailers in the world, including -- ironically -- Heartland, for whom it was a security assessor.
"Not only is it the most attempted, it is also the most successful" form of attack now employed by malicious hackers, Petitti said.
Launching such attacks is not difficult, said Chris Wysopal, co-founder and chief technology officer at Veracode, a firm that offers application penetration testing services for companies. Tools are available that allow attackers to quickly check home-grown and third-party Web applications for SQL injection vulnerabilities, he said. One such tool might find a form field on a Web page, enter data into it, and check the response it gets to see whether a SQL injection vulnerability exists.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts