This week's disclosure that the huge data thefts at Heartland Payment Systems and other retailers resulted from SQL injection attacks could finally push retailers into paying serious attention to Web application security vulnerabilities, just as the breach at TJX focused attention on wireless issues.
A federal grand jury on Monday indicted Albert Gonzalez and two unidentified Russian accomplices on charges related to data intrusions at Heartland, Hannaford Bros., 7-Eleven, and three other retailers. Gonzalez, is alleged to have masterminded an international operation that stole a staggering 130 million credit and debit cards from those companies. Gonzalez and 10 other individuals were indicted in May 2008 on charges related to similar intrusions at numerous other retailers, including TJX Companies, Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
Court documents filed in connection with Monday's indictment spelled out how Gonzalez and his accomplices used SQL injection attacks to break into Heartland's systems and those of the other companies. Once they gained access to a network, the attackers then planted sophisticated packet-sniffing tools and other malware to detect and steal sensitive payment card data flowing over the retailer's networks.
In SQL injection attacks, malicious hackers can take advantage of poorly coded Web application software to introduce malicious code into a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate the data a user might enter on a Web page -- such as when ordering something online. An attacker can take advantage of this input validation error to send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems on the network. Large Web applications have hundreds of places where users can input data, each of which can provide an SQL injection opportunity.
The vulnerability is well understood and security analysts have warned retailers about it for several years. Yet, a large number of all Web-facing applications are believed to contain SQL injection vulnerabilities -- a fact that has made SQL injection the most common form of attack against Web sites these days.
"We see SQL injection as the top attack technique on the Web," said Michael Petitti, chief marketing officer at Trustwave, a Chicago-based company that does security and compliance assessments for some of the largest retailers in the world. "Not only is it the most attempted, it is also the most successful" form of attack now employed by malicious hackers, he said.