The news that federal authorities have indicted the man they claim is responsible for the TJX attack for also allegedly hacking into the networks of Heartland Payment Systems, 7-Eleven and the Hannaford Brothers grocery chain shows that law enforcement is indeed stepping up its work on cybercrime. But it also provides what is probably the clearest evidence to date that the people executing these attacks are highly competent, organized and motivated.
If you missed it, a New Jersey grand jury on Monday indicted a man named Albert Gonzalez for the attacks that resulted in more than 100 million credit and debit card numbers being stolen from Heartland, 7-Eleven and Hannaford. The interesting part of this is that Gonzalez already is in hot water with the federal government for his alleged role in the attack on TJX. Gonzalez is awaiting trial on charges related to the TJX attack and has been a confidential informant for the Secret Service for some time.
Apparently some of his work with the Secret Service involved Gonzalez giving up his alleged co-conspirators on the Heartland attack, two unnamed hackers. It’s unclear exactly who did what to whom, but that’s really beside the point. Those are technicalities that really only concern the prosecutors and defense attorneys.
What IT security teams and other interested parties should be concerned with are how these attacks happened and the level of organization and professionalism involved. The how seems to have varied from incident to incident. The TJX attack allegedly was the result of an attacker sitting outside one of the company’s stores, sniffing the wireless network traffic and then going from there. In the more recent attacks, the vector apparently was SQL injection, the current weapon of choice for discriminating attackers everywhere. In the indictment, authorities say that in the cases of Hannaford, 7-Eleven, Heartland and a couple of other unidentified companies the attackers used SQL injection to get into the networks and then planted malware.
All of this was done after the attackers had done some serious advance legwork, both on the Web and in the real world. From the indictment:
“It was further part of the conspiracy that GONZALEZ and P.T. would travel to retail stores of potential corporate victims, both to identify the payment processing systems that the would-be victims used at their point of sale terminals (e.g., “checkout” computers) and to understand the potential vulnerabilities of those systems.”
In other words, this was not something that this group did on a lark. They put a considerable amount of time and effort into this plan. They knew what they were looking for, they knew where to find it and they knew how to get it. And once they had their plan in place, it appears that their targets made it all too easy for them to succeed. SQL injection vulnerabilities are a pervasive and insidious problem, but they’re also well-understood and there are effective methods for finding and fixing them.
As Rich Mogull of Securosis points out, the method of attack was simple, familiar and preventable.
But, as the recent waves of mass SQL injection attacks against legitimate Web sites show, there are hundreds of thousands, if not millions, of sites out there that are ripe for compromise. This is simply more reinforcement for the old axiom that the good guys have to get everything right in order to succeed, while the bad guys only need to get one thing right in order to succeed.
So the question now is, what, if anything, have IT security teams learned from these attacks? Unfortunately, the answer may well be: nothing. SQL injection is not a revolutionary new technique that caught everyone by surprise, nor is it news that attackers are focusing on high-value targets, such as retailers and payment processors, which have a large volume of financial transactions crossing their wires.
Obvious targets, common techniques and predictable results. Perhaps the detailed post-mortem of these incidents will provide us with some new lessons from all of this, but in the meantime it all looks depressingly familiar.