Attacks/Breaches
8/18/2009
04:17 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Mega-Breaches Employed Familiar, Preventable Attacks

Alleged mastermind behind Heartland, Hannaford's, and 7-11 breaches used SQL injection, sniffers, custom malware in attacks

The attacks that led to the mass theft of over 130 million credit and debit card accounts may hold the record for the biggest overall breach ever charged in the U.S., but the attackers used classic and well-known methods that could have been thwarted, according to experts.

In the wake of the big news yesterday that one man is suspected to be behind the biggest breaches ever charged in U.S. history, security experts say the indictment of 28-year-old Albert Gonzalez, aka "segvec," "soupnazi," and "j4guar17," of Miami, Fla., revealed that Gonzalez and his cohorts exploited vulnerabilities that are typically found in many cybercrime cases --SQL injection, packet sniffing, and backdoor malware designed to evade detection.

The indictment (PDF) revealed that Gonzalez, who previously had been charged for his alleged role in the breach of TJX, BJ's Wholesale Club, Barnes & Noble, and Dave & Buster's, has now also been indicted for allegedly conspiring to break into computers and stealing credit and debit card data from Heartland Payment Systems; 7-Eleven Inc., Hannaford Brothers Co., and two other major national retailers whose names were withheld in the filing.

While the attacks appear to be phased-in and coordinated, the attackers didn't employ any hacks that the victim organizations could not have defended against, experts say. SQL injection, for instance, is the most commonly exploited flaw in Web attacks, according to data from the Web Hacking Incident Database.

The attacks outlined in the indictment basically provide a roadmap for how most breaches occur, says Robert Graham, CEO of Errata Security. "This is how cybercrime is done," Graham says. "If there is a successful attack against your company, this is roughly what the hackers will have done. Thus, this should serve as a blueprint for your cyber defenses."

Rich Mogull, founder of Securosis, says the nature of the attacks didn't surprise him. "But that this, including TJX, was all traced to a single individual stunned me," Mogull says.

But aside from the revelation that just a few attackers pulled off the multiple breaches, Mogull says the attacks were preventable, mainly because they employed common hacking techniques that can be foiled.

And, he says, the attacks appear to mimic those warned in a an advisory (PDF) issued by the FBI and Secret Service in February that warned of attacks on the financial services and online retail industry that targeted Microsoft's SQL Server. The advisory included ways to protect against such attacks, including disabling SQL stored procedure calls.

"This seems to be a roadmap" to these breaches, Mogull says. "The indictment tracks very closely to the nature of attacks in that notice."

Meanwhile, Rick Howard, intelligence director for iDefense, says the fact that no new techniques were used in the hacks shows how enterprises still aren't closing known holes in their networks and applications. "They were using the same stuff that works all the time," he says. "And it's [an example of] another organization not diligent in closing up [vulnerabilities] we know about."

The indictment says that in October of 2006, Gonzalez and his co-conspirators allegedly began to systematically scout out potential corporate victims, going on-site to retail stores to gather intelligence such as the type of payment processing systems and point-of-sale systems they used, and visiting their Websites to identify potential vulnerabilities. Gonzalez allegedly provided his co-conspirators -- two of whom resided in Russia, and another in Virginia Beach, Va. -- with SQL injection strings to use for hacking into the victims' networks. He also provided them with malware to plant inside the victims' systems that would serve as a backdoor for subsequent access.

There's no indication in the filing that the database itself was breached, but Upesh Patel, vice president of business development at Guardium, says the attackers must have exploited applications with authenticated connections to the database. "The breaches involved vast amounts of data that clearly resides in the database," Patel says. "Since a SQL Injection attack exploits vulnerabilities in the database, the attack could have occurred from any end-user application that was accessing the database."

The attackers also installed sniffers to capture credit and debit-card numbers and other card data. They wrote malware that could avoid detection by anti-virus software in order to remain under the radar. The stolen data was sent back to servers operated by the suspects that were located in California, Illinois, Latvia, the Netherlands, and Ukraine, according to the indictment. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-4350
Published: 2014-09-19
Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MIDI file.

CVE-2014-4376
Published: 2014-09-19
IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted API arguments.

CVE-2014-4390
Published: 2014-09-19
Bluetooth in Apple OS X before 10.9.5 does not properly validate API calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

Best of the Web
Dark Reading Radio