SQL injection attacks led to Heartland, Hannaford breaches
Details of the attacks could spur focus on Web app security
Computerworld - This week's disclosure that the huge data thefts at Heartland Payment Systems and other retailers resulted from SQL injection attacks could finally push retailers to pay serious attention to Web application security vulnerabilities, just as the breach at TJX focused attention on wireless issues.
A federal grand jury on Monday indicted Albert Gonzalez and two unidentified Russian accomplices on charges related to data intrusions at Heartland, Hannaford Bros., 7-Eleven and three other retailers. Gonzalez is alleged to have masterminded an international operation that stole a staggering 130 million credit and debit card numbers from those companies. Gonzalez and 10 other individuals were indicted in May 2008 on charges related to similar intrusions at numerous other retailers, including TJX Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
Court documents filed in connection with Monday's indictment spelled out how Gonzalez and his accomplices used SQL injection attacks to break into Heartland's systems and those of the other companies. Once they gained access to a network, the attackers then planted sophisticated packet-sniffing tools and other malware to detect and steal sensitive payment card data flowing over the retailers' networks.
In SQL injection attacks, hackers can take advantage of poorly coded Web application software to introduce malicious code into a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate the data a user might enter on a Web page -- such as when ordering something online. An attacker can take advantage of this input validation error to send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems on the network. Large Web applications have hundreds of places where users can input data, each of which can provide a SQL injection opportunity.
The vulnerability is well understood, and security analysts have warned retailers about it for several years. Yet a large number of all Web-facing applications are believed to contain SQL injection vulnerabilities -- a fact that has made SQL injection the most common form of attack against Web sites.
"We see SQL injection as the top attack technique on the Web," said Michael Petitti, chief marketing officer at Trustwave, a Chicago-based company that conducts security and compliance assessments for some of the largest retailers in the world, including -- ironically -- Heartland, for whom it was a security assessor.
"Not only is it the most attempted, it is also the most successful" form of attack now employed by malicious hackers, Petitti said.
Launching such attacks is not difficult, said Chris Wysopal, co-founder and chief technology officer at Veracode, a firm that offers application penetration testing services for companies. Tools are available that allow attackers to quickly check home-grown and third-party Web applications for SQL injection vulnerabilities, he said. One such tool might find a form field on a Web page, enter data into it, and check the response it gets to see whether a SQL injection vulnerability exists.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts