Aug 18 2009
Rich Mogull took the time to read through the entire indictment against the hackers who targeted not only Heartland, but also 7-Eleven and Hannaford as well. The first thing that really leaps out at me about this is that the attacks were using command execution via SQL injection or XSS via SQL injection. Given that these are both methods of attack that the PCI DSS specifically calls out to protect against, this blows a pretty big hole in the case Heartland CEO Robert Carr made that his QSA let him down. We’ve known about SQL injection for years, and there should be no need for a QSA to tell a company or its security team about the problem. There should also be no reason for SQL command execution to be enabled on any SQL server that’s exposed to potentially malicious traffic. As Rich points out, on most modern SQL servers this is a capability that has to be explicitly enabled, not a feature that’s turned on by default.
It’s a little surprising to me that one group of hackers is connected to so many high profile breaches, including TJX, OfficeMax and Dave & Buster’s. Are they an isolated group who managed to find a way into these networks, or are they just the group of hackers that was stupid enough to get caught? The possibility that these guys are just the hackers who were unlucky enough to get caught worries me, since their capture may lead a number of security professionals to breathe a sigh of relief and get back to life as normal, which means arguing with management for new tools and toys for the network while ignoring serious configuration errors like having SQL command execution enabled on transaction servers.
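The post doesn’t say which database product was involved, so as an added example (not from the original post or the indictment) here is the audit a DBA can run on Microsoft SQL Server, where OS command execution is the xp_cmdshell extended procedure, off by default since SQL Server 2005 and callable only by sysadmin members or an explicitly granted proxy. It checks the setting, checks who holds sysadmin (the application login should not), and turns the feature back off:

```sql
-- 1. Is OS command execution enabled on this instance?
--    On a transaction server the expected result is value_in_use = 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Which logins are sysadmin? An injected query runs with the application's
--    login, so that login must not appear here; without sysadmin (or a proxy
--    grant) xp_cmdshell cannot be invoked even if the switch above is on.
SELECT m.name AS sysadmin_member
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin';

-- 3. Remediation: disable xp_cmdshell (the shipped default) and hide advanced
--    options again so the setting is not exposed to casual re-enabling.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Changes to these settings are written to the SQL Server error log, so the same queries double as a periodic drift check against the configuration the QSA was shown.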