SQL injection attacks led to massive data breaches

Heartland, Hannaford attack details could spur focus on Web app security

This week's disclosure that the huge data thefts at Heartland Payment Systems and other retailers resulted from SQL injection attacks could finally push retailers into paying serious attention to Web application security vulnerabilities, just as the breach at TJX focused attention on wireless issues.

A federal grand jury on Monday indicted Albert Gonzalez and two unidentified Russian accomplices on charges related to data intrusions at Heartland, Hannaford Bros., 7-Eleven Inc. and three other retailers. Gonzalez is alleged to have masterminded an international operation that stole a staggering 130 million credit and debit cards from those companies.

Gonzalez and 10 other individuals were indicted in May 2008 on charges related to similar intrusions at numerous other retailers, including TJX Companies Inc., Dave & Buster's, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

Court documents filed in connection with Monday's indictment spelled out how Gonzalez and his accomplices used SQL injection attacks to break into Heartland's systems and those of the other companies.

Once they gained access to a network, the attackers then planted sophisticated packet-sniffing tools and other malware to detect and steal sensitive payment card data flowing over the retailer's networks.

In SQL injection attacks, malicious hackers can take advantage of poorly coded Web application software to introduce malicious code into a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate the data a user might enter on a Web page -- such as when ordering something online.

An attacker can take advantage of this input validation error to send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems on the network. Large Web applications have hundreds of places where users can input data, each of which can provide an SQL injection opportunity.

The vulnerability is well understood, and security analysts have warned retailers about it for several years. Yet a large proportion of Web-facing applications are believed to contain SQL injection vulnerabilities -- a fact that has made SQL injection the most common form of attack against Web sites these days.

"We see SQL injection as the top attack technique on the Web," said Michael Petitti, chief marketing officer at Trustwave, a Chicago-based company that does security and compliance assessments for some of the largest retailers in the world.

"Not only is it the most attempted, it is also the most successful" form of attack now employed by malicious hackers, he said.

Launching such attacks is not difficult, said Chris Wysopal, co-founder and chief technology officer at Veracode Inc., a firm that offers application penetration testing services for companies. Tools are available that allow attackers to quickly check home-grown and third-party Web applications for SQL injection vulnerabilities, Wysopal said.

One such tool might find a form field on a Web page, enter data into it, and check the response it gets to see whether a SQL injection vulnerability exists.

"It doesn't require much expertise at all," he said. "It is at the script kiddie level to do these kinds of attacks." Exacerbating the situation is the fact that many companies are still using older versions of the MS SQL server database that allow attackers to essentially take complete control of the database via SQL injection, Wysopal said.

The use of SQL injection attacks has gained popularity as companies have gotten better at shutting down other avenues for breaking into corporate systems and networks, said Matt Marshall, vice president of security engineering at Redspin Inc., which performs security assessments for businesses.

"One of the few ports that are still allowed through the firewall is Web traffic through the Web server," he said. "It is one of the few avenues of attacks that are still readily available" to hackers.

Those factors seem to have influenced Gonzalez's plans in attacking retailers.

Initially, most of the attacks -- including the one at TJX -- took advantage of weak wireless access points. But starting around August 2007, he stopped using wireless vulnerabilities and turned almost exclusively to SQL injection attacks.

The success of those attacks and the high-profile nature of the retailers affected are likely to push more companies to deal with Web application security issues.

"When vulnerable technologies get deployed, security people notice it and inform [clients], but no action is usually taken until attackers start becoming successful," Marshall said. "Until TJX, people didn't start locking down their wireless networks. If Heartland and Hannaford are not a wake-up call [for Web application security], I wonder what is."

According to Wysopal and others, there are several measures companies can take to limit their exposure to SQL injection vulnerabilities. One involves a code review of all Web applications to identify input validation errors. Companies need to identify such coding flaws and ensure that a Web form only accepts legitimate input.

Web application firewalls can also be useful in protecting against SQL injection attacks, though they must be tuned properly to automatically block malicious traffic while permitting legitimate traffic to get through.

Hardening the underlying database and ensuring that the Web application connecting to it has limited access are also helpful in fending off attacks, Wysopal said.
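To make the three measures above concrete, here is an added example (not code from the article or from any of the companies it names) that puts a string-concatenated lookup next to its parameterized replacement, adds allowlist validation at the form boundary, and limits what the Web application's database connection may do. The table, rows and `sqlite3` in-memory database are constructed for illustration; a real deployment would apply the same ideas with a dedicated low-privilege database account.

```python
import re
import sqlite3


def make_db(read_only=False):
    # Constructed in-memory stand-in for a retailer's customer database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)",
                     [("alice@example.com", "1111"), ("bob@example.com", "2222")])
    if read_only:
        # Least privilege for the Web tier: this connection can read but never write.
        conn.execute("PRAGMA query_only = 1")
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable pattern: user input is spliced into the SQL text, so the database
    # cannot distinguish the value from the structure of the query.
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    # Hardened pattern: the query shape is fixed and the value is bound as a
    # parameter, so it is treated as data no matter what characters it contains.
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Allowlist check applied at the Web form before the value reaches the database.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_email(value):
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def lookup_defended(conn, email):
    # Defense in depth: reject input that is not a plausible e-mail address,
    # then run the parameterized query.
    if not is_valid_email(email):
        raise ValueError("form input rejected by allowlist")
    return lookup_parameterized(conn, email)


def write_blocked(conn):
    # True if the connection refuses writes (the least-privilege connection should).
    try:
        conn.execute("INSERT INTO customers (email, card_last4) VALUES ('x@example.com', '9999')")
        return False
    except sqlite3.OperationalError:
        return True
```

Run with a constructed tautology such as `' OR '1'='1`, the concatenated query returns every customer row while the parameterized one returns nothing, which is the behaviour the code review in the article is meant to find and fix.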

Stories by Jaikumar Vijayan