Mega-Breaches Employed Familiar, Preventable Attacks

Alleged mastermind behind Heartland, Hannaford's, and 7-11 breaches used SQL injection, sniffers, custom malware in attacks
Errata's Graham says the initial attack vector, SQL injection, is often dismissed by enterprises as unimportant. "We always find lots of SQL injection [flaws] with our clients. We talk to them about it, but get push-back from management and developers who claim SQL injection is just a theoretical risk. There's still widespread misunderstanding and disbelief about the severity of it," he says. Graham says he thinks that's because SQL injection flaws are different with each site, not like the typical exploit that's written to a newly disclosed vulnerability.

"While defenders will keep up to date on patches and firewall their Websites, they rarely check for SQL injection bugs. The simple solution is to force developers to either use 'parameterized' queries or 'sanitize' input," he says. It also helps to harden your SQL-based servers.
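To make the "parameterized queries" point concrete, here is an added example (not code from the article or from any of the companies it mentions) that runs the same lookup both ways against a constructed in-memory SQLite table; the table, the `lookup_*` function names and the sample inputs are all assumptions for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a retailer's customer table;
    # the values are placeholders, not real card data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "1111"), (2, "bob", "2222"), (3, "carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Vulnerable form: the user-supplied string is spliced into the SQL text,
    # so the database engine cannot distinguish data from query syntax.
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened form: the query text is fixed and the value is bound separately,
    # so whatever the string contains is compared literally as a name.
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # Runs both lookups with an ordinary name and with a constructed input of
    # the kind a web form might receive, and returns the four result sets.
    conn = make_db()
    normal = "bob"
    hostile = "' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "param_normal": lookup_parameterized(conn, normal),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated query returns every row for the second input, while the bound query returns nothing because no customer is literally named that; this is why binding parameters is preferred over trying to sanitize input by hand.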

"Once they got control of the database, they were able to escalate the attack to install malware on the systems. The simple solution is to remove all features of the database that aren't needed," he says, such as "xp_cmdshell," which attackers commonly abuse.

"There are many kinds of databases -- find a hardening guide for your database and follow it," Graham says.

AV doesn't catch custom malware like the attackers wrote for their attacks, so add policies and technologies that can spot unknown threats, he says.

And Gonzalez and his cohorts' alleged use of their own sniffers that copied card data from the network could have been thwarted with encryption, he says. "The credit card numbers were being sent unencrypted. The solution is to make sure that credit-card numbers are encrypted end-to-end, and that at no point do they exist [in an] unencrypted [form]," Graham says.

Securosis' Mogull says to lock databases down to prevent any command execution via SQL, and not to use a privileged account for the relational database management system. In a blog post, he says to deploy data leakage protection to see if you can detect any card data internally before the bad guys find it, and lock down database and application servers in the transaction network to avoid custom malware infections, and to focus on egress filtering.

"This was preventable," Securosis' Mogull says of the major breaches. "There was some degree of sophistication -- like they knew HSMs -- but definitely the main way they got in is not the most sophisticated." Meanwhile, it's unclear why the other two major retailer victims included in the indictment weren't named. "Are they in violation of their breach disclosure?" Mogull says. "Something's going on there."

Gonzalez, who is in federal custody, faces a maximum sentence of 20 years in prison on wire fraud conspiracy, and another five years on conspiracy, plus $250,000 for each of the charges. The U.S. Attorney's Office in May of 2008 charged him for allegedly hacking a national restaurant chain, charges he goes to trial for in September.

And there may be more: prosecutors say they are investigating other breaches in which Gonzalez could have been involved as well, according to published reports.
