Skip the navigation

SQL injection attacks led to Heartland, Hannaford breaches

Details of the attacks could spur focus on Web app security

August 18, 2009 10:32 PM ET

Computerworld - This week's disclosure that the huge data thefts at Heartland Payment Systems and other retailers resulted from SQL injection attacks could finally push retailers to pay serious attention to Web application security vulnerabilities, just as the breach at TJX focused attention on wireless issues.

A federal grand jury on Monday indicted Albert Gonzalez and two unidentified Russian accomplices on charges related to data intrusions at Heartland, Hannaford Bros., 7-Eleven and three other retailers. Gonzalez is alleged to have masterminded an international operation that stole a staggering 130 million credit and debit card numbers from those companies. Gonzalez and 10 other individuals were indicted in May 2008 on charges related to similar intrusions at numerous other retailers, including TJX Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

Court documents filed in connection with Monday's indictment spelled out how Gonzalez and his accomplices used SQL injection attacks to break into Heartland's systems and those of the other companies. Once they gained access to a network, the attackers then planted sophisticated packet-sniffing tools and other malware to detect and steal sensitive payment card data flowing over the retailers' networks.

In SQL injection attacks, hackers can take advantage of poorly coded Web application software to introduce malicious code into a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate the data a user might enter on a Web page -- such as when ordering something online. An attacker can take advantage of this input validation error to send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems on the network. Large Web applications have hundreds of places where users can input data, each of which can provide a SQL injection opportunity.

The vulnerability is well understood, and security analysts have warned retailers about it for several years. Yet a large number of all Web-facing applications are believed to contain SQL injection vulnerabilities -- a fact that has made SQL injection the most common form of attack against Web sites.

"We see SQL injection as the top attack technique on the Web," said Michael Petitti, chief marketing officer at Trustwave, a Chicago-based company that conducts security and compliance assessments for some of the largest retailers in the world, including -- ironically -- Heartland, for whom it was a security assessor.

"Not only is it the most attempted, it is also the most successful" form of attack now employed by malicious hackers, Petitti said.

Launching such attacks is not difficult, said Chris Wysopal, co-founder and chief technology officer at Veracode, a firm that offers application penetration testing services for companies. Tools are available that allow attackers to quickly check home-grown and third-party Web applications for SQL injection vulnerabilities, he said. One such tool might find a form field on a Web page, enter data into it, and check the response it gets to see whether a SQL injection vulnerability exists.



Our Commenting Policies