Attacks/Breaches
8/18/2009
04:17 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Mega-Breaches Employed Familiar, Preventable Attacks

Alleged mastermind behind Heartland, Hannaford's, and 7-11 breaches used SQL injection, sniffers, custom malware in attacks

The attacks that led to the mass theft of over 130 million credit and debit card accounts may hold the record for the biggest overall breach ever charged in the U.S., but the attackers used classic and well-known methods that could have been thwarted, according to experts.

In the wake of the big news yesterday that one man is suspected to be behind the biggest breaches ever charged in U.S. history, security experts say the indictment of 28-year-old Albert Gonzalez, aka "segvec," "soupnazi," and "j4guar17," of Miami, Fla., revealed that Gonzalez and his cohorts exploited vulnerabilities that are typically found in many cybercrime cases --SQL injection, packet sniffing, and backdoor malware designed to evade detection.

The indictment (PDF) revealed that Gonzalez, who previously had been charged for his alleged role in the breach of TJX, BJ's Wholesale Club, Barnes & Noble, and Dave & Buster's, has now also been indicted for allegedly conspiring to break into computers and stealing credit and debit card data from Heartland Payment Systems; 7-Eleven Inc., Hannaford Brothers Co., and two other major national retailers whose names were withheld in the filing.

While the attacks appear to be phased-in and coordinated, the attackers didn't employ any hacks that the victim organizations could not have defended against, experts say. SQL injection, for instance, is the most commonly exploited flaw in Web attacks, according to data from the Web Hacking Incident Database.

The attacks outlined in the indictment basically provide a roadmap for how most breaches occur, says Robert Graham, CEO of Errata Security. "This is how cybercrime is done," Graham says. "If there is a successful attack against your company, this is roughly what the hackers will have done. Thus, this should serve as a blueprint for your cyber defenses."

Rich Mogull, founder of Securosis, says the nature of the attacks didn't surprise him. "But that this, including TJX, was all traced to a single individual stunned me," Mogull says.

But aside from the revelation that just a few attackers pulled off the multiple breaches, Mogull says the attacks were preventable, mainly because they employed common hacking techniques that can be foiled.

And, he says, the attacks appear to mimic those warned in a an advisory (PDF) issued by the FBI and Secret Service in February that warned of attacks on the financial services and online retail industry that targeted Microsoft's SQL Server. The advisory included ways to protect against such attacks, including disabling SQL stored procedure calls.

"This seems to be a roadmap" to these breaches, Mogull says. "The indictment tracks very closely to the nature of attacks in that notice."

Meanwhile, Rick Howard, intelligence director for iDefense, says the fact that no new techniques were used in the hacks shows how enterprises still aren't closing known holes in their networks and applications. "They were using the same stuff that works all the time," he says. "And it's [an example of] another organization not diligent in closing up [vulnerabilities] we know about."

The indictment says that in October of 2006, Gonzalez and his co-conspirators allegedly began to systematically scout out potential corporate victims, going on-site to retail stores to gather intelligence such as the type of payment processing systems and point-of-sale systems they used, and visiting their Websites to identify potential vulnerabilities. Gonzalez allegedly provided his co-conspirators -- two of whom resided in Russia, and another in Virginia Beach, Va. -- with SQL injection strings to use for hacking into the victims' networks. He also provided them with malware to plant inside the victims' systems that would serve as a backdoor for subsequent access.

There's no indication in the filing that the database itself was breached, but Upesh Patel, vice president of business development at Guardium, says the attackers must have exploited applications with authenticated connections to the database. "The breaches involved vast amounts of data that clearly resides in the database," Patel says. "Since a SQL Injection attack exploits vulnerabilities in the database, the attack could have occurred from any end-user application that was accessing the database."

The attackers also installed sniffers to capture credit and debit-card numbers and other card data. They wrote malware that could avoid detection by anti-virus software in order to remain under the radar. The stolen data was sent back to servers operated by the suspects that were located in California, Illinois, Latvia, the Netherlands, and Ukraine, according to the indictment. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?