Tag Archive for XP

New Disk Drives Degrade XP

The International Disk Drive Equipment and Materials Association (IDEMA), the industry group which promotes the technological, manufacturing, marketing, and business needs of the disk drive industry, is leading the Big Sector initiative to update computer hard disk drives from 512-byte to 4,096-byte (4 kilobyte) sectors.

IDEMA says the need to change the hard drive sector size, which has been constant for thirty years, developed as hard disk capacities grew. The old 512-byte sectors limit the amount of error correction that can be applied efficiently to the denser data on the newest drives. Dr. Martin Hassner of Hitachi GST said in a 2006 TechWorld article: “(The) increasing areal density of newer magnetic hard disk drives requires a more robust error correction code (ECC), and this can be more efficiently applied to 4096-byte sector lengths.” According to the trade group, the change to 4 Kb sectors will allow hard drives to continue to grow to 2 Tb in size.

Western Digital (WDC) is the first manufacturer to release products under this initiative. WD calls these drives Advanced Format. According to an article at AnandTech, in order to reach the 2 Tb size, Western Digital and other drive manufacturers have developed a 512 b emulator that resides on the drive controller for the Microsoft (MSFT) Windows 5.x family (Windows 2000, XP, 2003, Windows Home Server), which is unaware of 4 Kb sectors.

AnandTech says the emulator will let Windows 5.x systems continue to think they are seeing 512 b sectors, but problems remain. The article reports that the Windows 5.x family has a habit of misaligning the first disk partition on the new drives, which results in poor default performance. The Windows 6.x family (Vista, 2008, Win7) and later are programmed to take the alignment issue into account. This also creates issues for imaging software. Drive imaging software like Norton’s Ghost needs to be 4 Kb aware; otherwise it may inadvertently create misaligned partitions with any Windows product. The article claims that all current imaging products will write misaligned partitions and/or clusters.

Linux and Apple (AAPL) Mac OS X are not affected by this issue. Western Digital has tested modern versions of both operating systems and officially classifies them as not affected. WD also found that Linux and Mac OS X drive imaging products are unaffected.

Western Digital is offering two solutions to the misalignment issue. The first is specifically geared towards Win 5.x: an offset created by jumpering pins on an Advanced Format drive, which forces the drive controller to use a +1 offset. This crude hack means the operating system is no longer writing to the sector it thinks it is writing to. Jumpering is simple to activate and effective in solving the issue on a PC with a single partition. If multiple partitions are installed this hack cannot be used, because the offset can damage later partitions. The offset cannot be removed later without repartitioning the drive, because removing it would break the partition table.

The second method of resolving misaligned partitions is through the use of Western Digital’s WD Align utility, available online from WD. The utility moves a partition and its data from a misaligned to an aligned position. This is the recommended solution for using multiple partitions under Win 5.x, along with correcting any misaligned partitions generated by imaging software. The utility also serves as the only way to identify an Advanced Format drive without physically looking at it.

AnandTech calls the WD Align utility the recommended solution for single-partition drives being used under Win 5.x too, since it avoids breaking the partition table. The amount of time needed to run the utility depends on the amount of data that needs to be moved and not on the partition size (it simply ignores empty space), so it’s best to run the utility immediately after creating a partition or installing Windows, when there is less data to move around.
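The alignment problem described above comes down to arithmetic on the partition’s starting logical block address (LBA). The following script is an added example, not code from the original post, from WD or from IDEMA: it models a 512-byte-emulated Advanced Format drive (eight 512-byte logical sectors per 4,096-byte physical sector), reports whether a partition start is aligned, counts how many physical sectors a 4 Kb cluster write touches, and shows why the +1 jumper offset repairs a lone XP-style partition at LBA 63 but misaligns a partition that was already aligned. The partition tables are constructed; LBA 63 is the Windows XP default first-partition start and LBA 2048 is the 1 MiB boundary Vista and later use.

```python
"""Partition alignment check for a 512-byte-emulated Advanced Format drive.

Added example, not code from the original post, WD or IDEMA. A 4,096-byte
physical sector holds eight 512-byte logical sectors, so a partition whose
first LBA is not a multiple of 8 straddles physical sectors and every 4 KB
cluster write becomes a read-modify-write of two physical sectors.
"""

LOGICAL_SECTOR = 512
PHYSICAL_SECTOR = 4096
LOGICALS_PER_PHYSICAL = PHYSICAL_SECTOR // LOGICAL_SECTOR   # 8
CLUSTER = 4096                                              # NTFS default cluster size


def is_aligned(start_lba: int, offset: int = 0) -> bool:
    """True when the partition's first logical sector, after any controller
    offset (WD's jumper adds +1), sits on a physical-sector boundary."""
    return (start_lba + offset) % LOGICALS_PER_PHYSICAL == 0


def physical_sectors_touched(start_lba: int, length: int = CLUSTER, offset: int = 0) -> int:
    """Physical sectors a write of `length` bytes at `start_lba` spans.
    An aligned cluster touches one; a misaligned one touches two, and the
    drive must read, merge and rewrite both."""
    first = (start_lba + offset) * LOGICAL_SECTOR
    last = first + length - 1
    return last // PHYSICAL_SECTOR - first // PHYSICAL_SECTOR + 1


def next_aligned_lba(start_lba: int) -> int:
    """Smallest LBA >= start_lba on a physical-sector boundary: where an
    alignment utility would relocate the partition."""
    rem = start_lba % LOGICALS_PER_PHYSICAL
    return start_lba if rem == 0 else start_lba + LOGICALS_PER_PHYSICAL - rem


def audit(partitions: dict, offset: int = 0) -> dict:
    """Alignment verdict per partition ({name: start_lba}) under a given
    controller offset. Shows why the +1 jumper fixes a lone XP partition
    but misaligns partitions that were already aligned."""
    return {name: is_aligned(lba, offset) for name, lba in partitions.items()}


# Constructed sample tables (hypothetical): XP-style single partition and a mixed layout.
XP_SINGLE = {"C:": 63}
MIXED = {"C:": 63, "D:": 2048}

if __name__ == "__main__":
    for off in (0, 1):
        print(f"jumper offset +{off}: {audit(MIXED, off)}")
    print("4 KB cluster write at LBA 63 touches", physical_sectors_touched(63), "physical sectors")
    print("an alignment utility would move LBA 63 to", next_aligned_lba(63))
```

Running it prints that with no offset C: (LBA 63) is misaligned and D: (LBA 2048) is aligned, while with the +1 jumper the verdicts swap, which is the multi-partition failure the post warns about; the cluster-write count drops from two physical sectors to one once the start is aligned.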

The first Advanced Format drives are WD Caviar Green drives using multiple 500GB platters, which are now available. There are two ways to identify these drives:

1) They all have 64 Mb of cache – the first WD Caviar Green drives to come with that much cache; and

2) They all have EARS in the drive model number, e.g. WD10EARS.

It seems that WD is not pushing these drives as part of any major product launch. The new drives are quietly entering the marketplace. The IDEMA plan called for everyone to have 4 Kb sector drives by 2011, so there will be similar soft launches from the other manufacturers over the next year. It is reasonable to expect all the HDD manufacturers to have similar problems with Win 5.x. All of the vendors will have to support WinXP, in one way or another, until at least 2014, when extended MS support for WinXP ends.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Lessons From A Mega Data Breach

Updated 04-05-09 – Wired is reporting that on August 28, 2009, accused hacker Albert Gonzalez accepted a plea agreement with federal prosecutors in Boston. According to the report, Gonzalez has agreed to plead guilty to all the charges in a 19-count indictment and will face a sentence of 15 to 25 years for masterminding the mega data breach. He has also agreed to forfeit nearly $3 million in cash as well as a Miami condo, a BMW car, a Tiffany diamond ring and three Rolex watches that he gave to others as gifts, a Glock 27 firearm seized from him at the time of his arrest and a 350C currency counter, among other items.

The agreement resolves the case against Gonzalez in Massachusetts — which charged him with hacking into TJX, Barnes & Noble, and OfficeMax — as well as a case in the eastern district of New York that charged him with hacking into the Dave & Buster’s restaurant chain. There are still outstanding charges alleging that Gonzalez also hacked into Heartland Payment Systems, Hannaford Brothers, ATMs stationed in 7-11 stores, and two unnamed national retailers.

Gonzalez is scheduled to officially enter his plea at a court hearing on September 11. His lawyer, Rene Palomino, did not return calls seeking comment from the New York Times.

Updated 08-30-09 – On 08-24-09 The Financial Times reported that Gonzalez and crew penetrated a network linking 2,200 Citibank-branded ATM kiosks inside 7-Eleven stores from late 2007 through to at least February 2008. The ATMs displayed Citibank’s logo. The network and the machines were owned by Texas-based CardTronics, which took in monthly fees from Citi. Reportedly the group lifted card and PIN codes from the system, and their allies manufactured new cards that were used to get about $2m in cash from Citibank ATMs elsewhere. An FBI affidavit said Yuriy Ryabinin of Brooklyn withdrew $750,000 from Citibank accounts in February 2008.

The U.S. Department of Justice handed down an indictment in the Heartland Payment Systems data breach on August 17, 2009. The Heartland data breach is the largest data theft on record in the U.S. The Feds allege that beginning in October 2006, 28-year-old Albert Gonzalez, aka “segvec,” “soupnazi,” and “j4guar17,” of Miami, FL, and his unnamed co-conspirators in Russia and Virginia executed the Heartland data breach. This attack led to the theft of over 130 million credit and debit card accounts. Gonzalez faces two counts of conspiracy and conspiracy to engage in wire fraud.


In addition to stealing credit and debit card data from New Jersey-based Heartland Payment Systems, the conspirators also targeted 7-Eleven Inc. and Hannaford Brothers, a supermarket chain based in Maine, along with two other major national retailers whose names were withheld. According to the Government, planning for the attacks began in 2006. The indictment says that in October of 2006, Gonzalez and his co-conspirators began to search for potential corporate victims by gathering intelligence such as the credit and debit card systems used by their targets.

7/11 data breach

In August 2007, 7-Eleven was hit with a SQL injection attack which resulted in an undetermined number of accounts being compromised. In November 2007, Hannaford reportedly detected a Trojan designed to skim magnetic stripe information from the checkout stations. This attack compromised 4.2 million accounts. Beginning on or about Dec. 26, 2007, Heartland was hit with a SQL injection attack on its corporate network that resulted in malware being placed on its payment processing system and the theft of more than 130 million credit and debit card numbers and corresponding card data.

According to the indictment, Gonzalez and his cohorts exploited vulnerabilities typical of many cybercrime cases. SQL injection attacks were used to insert specially crafted malware designed to evade detection. Once inside the corporate networks, the attackers used sniffers to conduct reconnaissance and to find and steal credit and debit card numbers and other information. According to the DOJ, the group tested their malware by putting it up against about 20 different anti-virus programs. The group used computers in California, Illinois, Latvia, the Netherlands, and Ukraine to stage attacks and store malware and stolen information.

Could have been defended against

While the attacks seem to have been phased in and coordinated, the attackers used classic and well-known methods that could have been defended against, experts say. Robert Graham, CEO of Errata Security, told Dark Reading that the attacks outlined in the indictment basically offer a roadmap for how most breaches occur. “This is how cybercrime is done,” Graham says. “If there is a successful attack against your company, this is roughly what the hackers will have done. Thus, this should serve as a blueprint for your cyber defenses.”

In a Dark Reading article, Rich Mogull, founder of Securosis, says the attacks were preventable, mainly because they employed common hacking techniques that can be foiled. He points out that the attacks seem to mimic those in an advisory issued by the FBI and Secret Service that warned of attacks on the financial services and online retail industry that targeted Microsoft’s SQL Server. The advisory included ways to protect against such attacks, including disabling SQL stored procedure calls. “This seems to be a roadmap” to these breaches, Mogull says. “The indictment tracks very closely to the nature of attacks in that notice.”

“The attack took planning and organization, but ultimately it was done with relatively common attack techniques,” said Rohit Dhamankar, director of DVLabs at TippingPoint, in an eWeek article. “It just goes to show that even the most basic type of attack can do serious damage and enterprises need to be more vigilant about protecting the outward-facing portions of their networks.”

Rick Howard, intelligence director for iDefense, told Dark Reading that enterprises still aren’t closing known holes in their networks and applications. “They were using the same stuff that works all the time,” he says. “And it’s [an example of] another organization not diligent in closing up [vulnerabilities] we know about.”

Prevention

Upesh Patel, vice president of business development at Guardium, told Dark Reading the attackers must have exploited applications with authenticated connections to the database. “Since a SQL Injection attack exploits vulnerabilities in the database, the attack could have occurred from any end-user application that was accessing the database.”

Errata’s Graham says the initial attack vector, SQL injection, is often dismissed by enterprises as unimportant. “We always find lots of SQL injection [flaws] with our clients. We talk to them about it, but get push-back from management and developers who claim SQL injection is just a theoretical risk.”

As a fix, Graham recommends, “The simple solution is to force developers to either use ‘parameterized’ queries or ‘sanitize’ input.” He also suggests that SQL-based servers be hardened. “Once they got control of the database, they were able to escalate the attack to install malware on the systems. The simple solution is to remove all features of the database that aren’t needed,” he says, such as “xp_cmdshell,” which attackers commonly abuse. Graham goes on to note that anti-virus doesn’t catch custom malware like the attackers wrote for their attacks, so add policies and technologies that can spot unknown threats.
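Graham’s two developer-side fixes, parameterized queries and input sanitizing, are easiest to appreciate side by side. The script below is an added example and is not code from the original post or from any of the companies quoted in it. It runs against an in-memory SQLite table filled with constructed rows (the table, column and function names are assumptions for illustration); the same bound-parameter discipline applies to the SQL Server deployments the advisory targeted, through any driver that supports placeholders. The string-built lookup lets a value containing a quote and an OR rewrite the WHERE clause and return every row, the parameterized lookup compares the same value as data and returns nothing, and an allow-list check covers the “sanitize input” half of the advice.

```python
"""String-built SQL beside its parameterized fix, plus an input allow-list.

Added example, not code from the original post or from any company it
quotes. Runs offline against an in-memory SQLite database with
constructed sample rows; names are hypothetical.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: which merchant a (truncated) card belongs to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, merchant TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO cards (merchant, pan_last4) VALUES (?, ?)",
        [("store-a", "1111"), ("store-a", "4444"), ("store-b", "9999")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant: str) -> list:
    """Concatenation: the caller's text becomes part of the SQL statement,
    so a value containing quotes and OR rewrites the WHERE clause."""
    sql = "SELECT merchant, pan_last4 FROM cards WHERE merchant = '" + merchant + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, merchant: str) -> list:
    """Bound parameter: the value travels separately from the statement and
    is compared as data, never parsed as SQL."""
    sql = "SELECT merchant, pan_last4 FROM cards WHERE merchant = ?"
    return conn.execute(sql, (merchant,)).fetchall()


def is_valid_merchant(merchant: str) -> bool:
    """Allow-list check for the 'sanitize input' half of the advice: reject
    anything outside the characters a merchant id may contain. Use it in
    addition to, not instead of, parameterized queries."""
    return re.fullmatch(r"[a-z0-9-]{1,32}", merchant) is not None


if __name__ == "__main__":
    conn = build_db()
    hostile = "' OR '1'='1"   # classic textbook value, used here only to show the failure mode
    print("vulnerable, normal input  :", lookup_vulnerable(conn, "store-a"))
    print("vulnerable, hostile input :", lookup_vulnerable(conn, hostile))      # every row leaks
    print("parameterized, hostile    :", lookup_parameterized(conn, hostile))   # no rows
    print("allow-list accepts hostile:", is_valid_merchant(hostile))            # False
```

The vulnerable path returns all three rows for the hostile value because the quote closes the literal and the OR makes the condition always true; the parameterized path returns an empty list because no merchant is literally named that. Graham’s server-side advice is separate from this: removing unneeded database features such as xp_cmdshell limits what an attacker can do even after a query is abused.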

The Gonzalez crew’s alleged use of their own sniffers that copied card data from the network could have been thwarted with encryption, according to Richard Wang, Sophos Labs’ U.S. manager. Wang tells InternetNews that the data should have been encrypted while in transit on the wire.

Sophos’ Wang says that the databases need to be secured: “Businesses should secure the application code, and make sure that the underlying server and operating system are up to date with the latest patches.” Securosis’ Mogull says not to use a privileged account for the relational database management system. In a blog post, Mogull says to deploy data leakage protection to see if you can detect any card data internally before the bad guys find it, and to focus on egress filtering.
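Mogull’s suggestion to look for card data internally before an attacker does is the kind of check a small script can run over logs, dumps and file shares. The following is an added example, not code from the original post or from Securosis: it scans text for 13- to 19-digit runs, confirms each candidate with the Luhn mod-10 check that payment card numbers satisfy (so the order number and device serial in the sample are not reported), and masks every hit to the first six and last four digits so the detector never re-exposes the data it finds. The log lines are constructed.

```python
"""Card-number (PAN) detection over log text, with Luhn confirmation and masking.

Added example, not code from the original post or from Securosis. The
sample log below is constructed; the card numbers in it are the standard
publicly known test numbers, not real accounts.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six (issuer) and last four digits, as receipts do."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Masked card numbers found in `text`, in order of appearance.
    Digit runs that fail Luhn (order numbers, serials) are not reported."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


# Constructed sample: a point-of-sale log that leaks two PANs in cleartext.
SAMPLE_LOG = """\
2009-08-17 03:14:22 pos-12 auth ok card=4111 1111 1111 1111 amt=42.10
2009-08-17 03:14:25 pos-12 order=ORDER-2009081712345 status=settled
2009-08-17 03:15:01 pos-07 auth ok card=5555-5555-5555-4444 amt=9.99
2009-08-17 03:15:30 pos-07 debug serial=1234567890123456
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("card data in cleartext log:", pan)
```

Run over the sample it reports only the two lines that carry real-looking card numbers; the 13-digit order number and the 16-digit serial both fail Luhn and are skipped, which keeps the false-positive rate low enough to use on large file shares.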

“This was preventable,” Securosis’ Mogull says of the major breaches. “There was some degree of sophistication — like they knew HSMs — but definitely the main way they got in is not the most sophisticated.”

Gonzalez, who is in federal custody, faces a maximum sentence of 20 years in prison on wire fraud conspiracy, and another five years on conspiracy, plus $250,000 for each charge. In May 2008, the U.S. Attorney’s Office for the Eastern District of New York charged Gonzalez with an alleged role in the hacking of a computer network run by the restaurant chain Dave & Buster’s. The trial on those charges is scheduled to begin in Long Island, N.Y., in September.

In August of 2008, the Department of Justice announced more indictments against Gonzalez and others for a number of retail hacks affecting eight major retailers and involving the theft of data related to 40 million credit cards. Those charges were filed in the District of Massachusetts. Gonzalez is scheduled for trial on those charges in 2010.

rb-

The work we do on behalf of our clients often includes many of the steps highlighted in this incident. We always insist that vendors harden any servers brought on to a client’s site and that unnecessary services be removed. Before we recommend the Owner accept any installation, the vendor has to fully patch the OS and any applications provided. More recently we have started to include internal and external facing port scans.

Heartland Payment Systems Reports Breach

TJX Hacker Charged With Heartland, Hannaford Breaches


RIP Windows XP

Updated – 08-08-08 Business PC buyers are still overwhelmingly opting for Microsoft’s (MSFT) Windows XP according to HP (HPQ). Rob Kingston, Group Manager of Commercial Product Marketing for HP said in an article in APC, “Looking into the crystal ball, I don’t think businesses will see much value in upgrading to Vista until late next year, and even so, Microsoft will probably have come out with something else by then.”

Today, 06-30-08, was the last day Windows XP was officially available for purchase from retail outlets, major resellers, and OEM hardware manufacturers. That of course does not mean XP is completely gone. There are still a handful of ways to get your mitts on XP.

  • Users that have Vista Ultimate and Vista Business licenses can choose to downgrade to Windows XP if they wish. Dell (DELL) is offering the downgrade option through January 31, 2009, and HP will offer the XP downgrade option on most of its business desktops and notebooks through at least July 30, 2009.
  • Smaller software resellers will be able to sell Windows XP until January 2009; they just can’t buy any more copies.
  • Another place to look would be eBay; as always, caveat emptor.
  • Microsoft will continue to sell XP for ultraportable laptops or Nettops such as the ASUS (2357) Eee.

Microsoft says it will continue to offer tech support for Windows XP until the end of 2009 and offer limited support in some form until 2014; by then, Microsoft should have released Windows 7, the next version of its desktop OS.
