Aug 18 2009

They didn’t just hack Heartland

Published by at 5:42 am under Hacking, PCI, Phishing, scams, etc.

Rich Mogull took the time to read through the entire indictment against the hackers who targeted not only Heartland, but also 7-Eleven and Hannaford. The first thing that really leaps out at me is that the attacks were built on SQL injection, used either to execute commands on the database host or to plant cross-site scripting (XSS) in the application. Both are attack classes that the PCI DSS specifically calls out (Requirement 6.5 covers injection flaws and XSS), which blows a pretty big hole in the case Heartland CEO Robert Carr made that his QSA let him down. We've known about SQL injection for years, and there should be no need for a QSA to tell a company or its security team about the problem. There should also be no reason for operating-system command execution to be enabled on any SQL server that's exposed to potentially malicious traffic. As Rich points out, on most modern database servers this is a capability that has to be switched on, not a feature that's turned on by default; on Microsoft SQL Server, for example, xp_cmdshell has shipped disabled since SQL Server 2005 and only works if an administrator explicitly enables it.
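Since the post's point is that command execution through the database is a configuration choice rather than an inevitability, here is an added T-SQL example (mine, not from the post or the indictment) showing the two checks a practitioner would actually run on a SQL Server transaction box: whether xp_cmdshell is enabled and how to turn it off, and whether the application's login holds sysadmin (which is what xp_cmdshell needs to run). It closes with the concatenated dynamic SQL that makes the injection possible next to the parameterized form that does not. The table dbo.Cardholder, the column names and the login name app_login are assumed for illustration.

```sql
-- 1. Is OS command execution enabled? (xp_cmdshell is off by default since SQL Server 2005)
SELECT name, CAST(value_in_use AS int) AS enabled
FROM sys.configurations
WHERE name = N'xp_cmdshell';
-- enabled = 1 means any sysadmin-level SQL injection becomes remote command execution.

-- 2. Disable it. 'show advanced options' must be on to touch xp_cmdshell via sp_configure.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. The application login must not be sysadmin (assumed login name: app_login).
-- A non-sysadmin login cannot re-enable xp_cmdshell or call it, even through an injected query.
SELECT IS_SRVROLEMEMBER('sysadmin', 'app_login') AS app_login_is_sysadmin;  -- want 0
GO

-- 4. The injectable pattern: user input concatenated into a string that is then executed.
-- A value such as  x'; EXEC xp_cmdshell 'whoami' --  breaks out of the quoted literal.
CREATE PROCEDURE dbo.FindCardholder_Unsafe @Last nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT id, last_name FROM dbo.Cardholder WHERE last_name = ''' + @Last + N'''';
    EXEC (@sql);   -- attacker-controlled text is compiled as SQL
END
GO

-- 5. The hardened form: the same query with a typed parameter passed to sp_executesql.
-- The input can only ever be a value for @p; it is never parsed as SQL.
CREATE PROCEDURE dbo.FindCardholder @Last nvarchar(100)
AS
BEGIN
    EXEC sp_executesql
        N'SELECT id, last_name FROM dbo.Cardholder WHERE last_name = @p',
        N'@p nvarchar(100)',
        @p = @Last;
END
GO
```

Disabling xp_cmdshell is the belt; keeping the application login out of sysadmin is the braces. Either one alone would have turned a command-execution injection into a plain data-theft injection, which is still a breach, so the parameterized query in step 5 is the fix that actually removes the bug rather than limiting the blast radius.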

It's a little surprising to me that one group of hackers is connected to so many high-profile breaches, including TJX, OfficeMax and Dave & Buster's. Are they an isolated group who managed to find a way into these networks, or are they just the group of hackers that was stupid enough to get caught? The possibility that these guys are simply the ones unlucky enough to get caught worries me, since their capture may lead a number of security professionals to breathe a sigh of relief and get back to life as normal. Which means arguing with management to get new tools and toys for the network while ignoring serious configuration errors like having SQL command execution enabled on transaction servers.



One Response to “They didn’t just hack Heartland”

  1. PCI QSA on 21 Aug 2009 at 4:11 am

    I think it is not uncommon that organisations are let down by their PCI QSAs, especially given the broad technical domains covered in the standard and the skillsets required. Many consultancies try to provide all the required services where they clearly do not have the skills, but are worried a competitor may come in and take over their account.

    On some of our PCI engagements the web application testing piece has been previously conducted by other consultancies and missed key vulnerabilities that we have found in a few minutes just using a browser and some invalid data. If we are the organisation signing off the final audit, it is our right as a QSA to reject those previous test results if we can demonstrate that the testing has not been performed with the right level of diligence. In the long run this benefits the customer too.
