Mega-Breaches Employed Familiar, Preventable Attacks
Alleged mastermind behind Heartland, Hannaford's, and 7-11 breaches used SQL injection, sniffers, custom malware in attacks
August 18, 2009
The attacks that led to the mass theft of over 130 million credit and debit card accounts may hold the record for the biggest overall breach ever charged in the U.S., but the attackers used classic and well-known methods that could have been thwarted, according to experts.
In the wake of the big news yesterday that one man is suspected to be behind the biggest breaches ever charged in U.S. history, security experts say the indictment of 28-year-old Albert Gonzalez, aka "segvec," "soupnazi," and "j4guar17," of Miami, Fla., revealed that Gonzalez and his cohorts exploited vulnerabilities that are typically found in many cybercrime cases -- SQL injection, packet sniffing, and backdoor malware designed to evade detection.
The indictment (PDF) revealed that Gonzalez, who previously had been charged for his alleged role in the breach of TJX, BJ's Wholesale Club, Barnes & Noble, and Dave & Buster's, has now also been indicted for allegedly conspiring to break into computers and stealing credit and debit card data from Heartland Payment Systems, 7-Eleven Inc., Hannaford Brothers Co., and two other major national retailers whose names were withheld in the filing.
While the attacks appear to be phased-in and coordinated, the attackers didn't employ any hacks that the victim organizations could not have defended against, experts say. SQL injection, for instance, is the most commonly exploited flaw in Web attacks, according to data from the Web Hacking Incident Database.
The attacks outlined in the indictment basically provide a roadmap for how most breaches occur, says Robert Graham, CEO of Errata Security. "This is how cybercrime is done," Graham says. "If there is a successful attack against your company, this is roughly what the hackers will have done. Thus, this should serve as a blueprint for your cyber defenses."
Rich Mogull, founder of Securosis, says the nature of the attacks didn't surprise him. "But that this, including TJX, was all traced to a single individual stunned me," Mogull says.
But aside from the revelation that just a few attackers pulled off the multiple breaches, Mogull says the attacks were preventable, mainly because they employed common hacking techniques that can be foiled.
And, he says, the attacks appear to mimic those described in an advisory (PDF) issued by the FBI and Secret Service in February that warned of attacks on the financial services and online retail industry that targeted Microsoft's SQL Server. The advisory included ways to protect against such attacks, including disabling SQL stored procedure calls.
"This seems to be a roadmap" to these breaches, Mogull says. "The indictment tracks very closely to the nature of attacks in that notice."
Meanwhile, Rick Howard, intelligence director for iDefense, says the fact that no new techniques were used in the hacks shows how enterprises still aren't closing known holes in their networks and applications. "They were using the same stuff that works all the time," he says. "And it's [an example of] another organization not diligent in closing up [vulnerabilities] we know about."
The indictment says that in October of 2006, Gonzalez and his co-conspirators allegedly began to systematically scout out potential corporate victims, going on-site to retail stores to gather intelligence such as the type of payment processing systems and point-of-sale systems they used, and visiting their Websites to identify potential vulnerabilities. Gonzalez allegedly provided his co-conspirators -- two of whom resided in Russia, and another in Virginia Beach, Va. -- with SQL injection strings to use for hacking into the victims' networks. He also provided them with malware to plant inside the victims' systems that would serve as a backdoor for subsequent access.
There's no indication in the filing that the database itself was breached, but Upesh Patel, vice president of business development at Guardium, says the attackers must have exploited applications with authenticated connections to the database. "The breaches involved vast amounts of data that clearly resides in the database," Patel says. "Since a SQL Injection attack exploits vulnerabilities in the database, the attack could have occurred from any end-user application that was accessing the database."
The attackers also installed sniffers to capture credit and debit-card numbers and other card data. They wrote malware that could avoid detection by anti-virus software in order to remain under the radar. The stolen data was sent back to servers operated by the suspects that were located in California, Illinois, Latvia, the Netherlands, and Ukraine, according to the indictment.
Errata's Graham says the initial attack vector, SQL injection, is often dismissed by enterprises as unimportant. "We always find lots of SQL injection [flaws] with our clients. We talk to them about it, but get push-back from management and developers who claim SQL injection is just a theoretical risk. There's still widespread misunderstanding and disbelief about the severity of it," he says. Graham says he thinks that's because SQL injection flaws are different with each site, not like the typical exploit that's written to a newly disclosed vulnerability.
"While defenders will keep up to date on patches and firewall their Websites, they rarely check for SQL injection bugs. The simple solution is to force developers to either use 'parameterized' queries or 'sanitize' input," he says. It also helps to harden your SQL-based servers.
"Once they got control of the database, they were able to escalate the attack to install malware on the systems. The simple solution is to remove all features of the database that aren't needed," he says, such as "xp_cmdshell," which attackers commonly abuse.
"There are many kinds of databases -- find a hardening guide for your database and follow it," Graham says.
AV doesn't catch custom malware like the attackers wrote for their attacks, so add policies and technologies that can spot unknown threats, he says.
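Graham's first fix above, parameterized queries in place of string-built SQL, shown side by side as an added example (not code from the article or the indictment). It uses Python's built-in sqlite3 module; the table, the store-ID format and the function names are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    """In-memory table holding constructed sample rows (no real card data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (store_id TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [("S001", "1111"), ("S002", "2222"), ("S003", "3333")])
    return db

def lookup_concat(db, store_id):
    # Vulnerable pattern: the input becomes part of the SQL text, so a quote
    # character inside it can change the structure of the statement.
    sql = "SELECT card_last4 FROM orders WHERE store_id = '" + store_id + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_param(db, store_id):
    # Parameterized: the driver binds the input as a value; it is never parsed as SQL.
    sql = "SELECT card_last4 FROM orders WHERE store_id = ?"
    return [row[0] for row in db.execute(sql, (store_id,))]

# Allowlist check (the 'sanitize' half of the advice): accept only the
# expected shape of a store ID. The S + 3 digits format is hypothetical.
STORE_ID = re.compile(r"S\d{3}")

def is_valid_store_id(value):
    return STORE_ID.fullmatch(value) is not None

# Textbook tautology input, constructed for this demonstration.
HOSTILE = "S001' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concat(db, HOSTILE))   # every row comes back
    print("parameterized:", lookup_param(db, HOSTILE))    # no store has that ID
    print("allowlisted  :", is_valid_store_id(HOSTILE))   # rejected before any query
```

Validation is a second layer, not a substitute: the parameterized form stays safe even when an input shape cannot be allowlisted.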
And Gonzalez and his cohorts' alleged use of their own sniffers that copied card data from the network could have been thwarted with encryption, he says. "The credit card numbers were being sent unencrypted. The solution is to make sure that credit-card numbers are encrypted end-to-end, and that at no point do they exist [in an] unencrypted [form]," Graham says.
Securosis' Mogull says to lock databases down to prevent any command execution via SQL, and not to use a privileged account for the relational database management system. In a blog post, he says to deploy data leakage protection to see if you can detect any card data internally before the bad guys find it, and lock down database and application servers in the transaction network to avoid custom malware infections, and to focus on egress filtering.
"This was preventable," Securosis' Mogull says of the major breaches. "There was some degree of sophistication -- like they knew HSMs -- but definitely the main way they got in is not the most sophisticated." Meanwhile, it's unclear why the other two major retailer victims included in the indictment weren't named. "Are they in violation of their breach disclosure?" Mogull says. "Something's going on there."
Gonzalez, who is in federal custody, faces a maximum sentence of 20 years in prison on wire fraud conspiracy, and another five years on conspiracy, plus $250,000 for each of the charges. The U.S. Attorney's Office in May of 2008 charged him for allegedly hacking a national restaurant chain, charges he goes to trial for in September.
And there may be more: prosecutors say they are investigating other breaches in which Gonzalez could have been involved as well, according to a published report.