Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/18/2009
04:17 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Mega-Breaches Employed Familiar, Preventable Attacks

Alleged mastermind behind Heartland, Hannaford's, and 7-11 breaches used SQL injection, sniffers, custom malware in attacks

The attacks that led to the mass theft of over 130 million credit and debit card accounts may hold the record for the biggest overall breach ever charged in the U.S., but the attackers used classic and well-known methods that could have been thwarted, according to experts.

In the wake of the big news yesterday that one man is suspected to be behind the biggest breaches ever charged in U.S. history, security experts say the indictment of 28-year-old Albert Gonzalez, aka "segvec," "soupnazi," and "j4guar17," of Miami, Fla., revealed that Gonzalez and his cohorts exploited vulnerabilities that are typically found in many cybercrime cases --SQL injection, packet sniffing, and backdoor malware designed to evade detection.

The indictment (PDF) revealed that Gonzalez, who previously had been charged for his alleged role in the breach of TJX, BJ's Wholesale Club, Barnes & Noble, and Dave & Buster's, has now also been indicted for allegedly conspiring to break into computers and stealing credit and debit card data from Heartland Payment Systems; 7-Eleven Inc., Hannaford Brothers Co., and two other major national retailers whose names were withheld in the filing.

While the attacks appear to be phased-in and coordinated, the attackers didn't employ any hacks that the victim organizations could not have defended against, experts say. SQL injection, for instance, is the most commonly exploited flaw in Web attacks, according to data from the Web Hacking Incident Database.

The attacks outlined in the indictment basically provide a roadmap for how most breaches occur, says Robert Graham, CEO of Errata Security. "This is how cybercrime is done," Graham says. "If there is a successful attack against your company, this is roughly what the hackers will have done. Thus, this should serve as a blueprint for your cyber defenses."

Rich Mogull, founder of Securosis, says the nature of the attacks didn't surprise him. "But that this, including TJX, was all traced to a single individual stunned me," Mogull says.

But aside from the revelation that just a few attackers pulled off the multiple breaches, Mogull says the attacks were preventable, mainly because they employed common hacking techniques that can be foiled.

And, he says, the attacks appear to mimic those warned in a an advisory (PDF) issued by the FBI and Secret Service in February that warned of attacks on the financial services and online retail industry that targeted Microsoft's SQL Server. The advisory included ways to protect against such attacks, including disabling SQL stored procedure calls.

"This seems to be a roadmap" to these breaches, Mogull says. "The indictment tracks very closely to the nature of attacks in that notice."

Meanwhile, Rick Howard, intelligence director for iDefense, says the fact that no new techniques were used in the hacks shows how enterprises still aren't closing known holes in their networks and applications. "They were using the same stuff that works all the time," he says. "And it's [an example of] another organization not diligent in closing up [vulnerabilities] we know about."

The indictment says that in October of 2006, Gonzalez and his co-conspirators allegedly began to systematically scout out potential corporate victims, going on-site to retail stores to gather intelligence such as the type of payment processing systems and point-of-sale systems they used, and visiting their Websites to identify potential vulnerabilities. Gonzalez allegedly provided his co-conspirators -- two of whom resided in Russia, and another in Virginia Beach, Va. -- with SQL injection strings to use for hacking into the victims' networks. He also provided them with malware to plant inside the victims' systems that would serve as a backdoor for subsequent access.

There's no indication in the filing that the database itself was breached, but Upesh Patel, vice president of business development at Guardium, says the attackers must have exploited applications with authenticated connections to the database. "The breaches involved vast amounts of data that clearly resides in the database," Patel says. "Since a SQL Injection attack exploits vulnerabilities in the database, the attack could have occurred from any end-user application that was accessing the database."

The attackers also installed sniffers to capture credit and debit-card numbers and other card data. They wrote malware that could avoid detection by anti-virus software in order to remain under the radar. The stolen data was sent back to servers operated by the suspects that were located in California, Illinois, Latvia, the Netherlands, and Ukraine, according to the indictment. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16860
PUBLISHED: 2019-11-19
Code42 app through version 7.0.2 for Windows has an Untrusted Search Path. In certain situations, a non-administrative attacker on the local machine could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an ele...
CVE-2019-16861
PUBLISHED: 2019-11-19
Code42 server through 7.0.2 for Windows has an Untrusted Search Path. In certain situations, a non-administrative attacker on the local server could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated ...
CVE-2014-5118
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
CVE-2019-12422
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2012-4441
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.