What Happens When Companies Don’t Give Web App Security the Attention it Deserves

I recently blogged about "Web-based threats finally getting the respect they deserve?", but a recent New York Times article reminds us what happens when companies don't pay enough attention to this crucial area of security.

The article, titled "Wall Street's Exposure to Hacking Laid Bare", describes not only the damage done by the five men involved in a seven-year hacking spree, it also details how several different large organizations were attacked. In the indictment's description of each attack, SQL Injection is the only attack method called out specifically. These attacks affected dozens of large, sophisticated organizations including NASDAQ and Citibank, and damages exceeded $300M. Wondering how these data breach costs break down? Check out our infographic on the real cost of a data breach!

Application vulnerabilities were used to penetrate many organizations and to get at data once inside. It is spelled out in the indictment in detail. Also spelled out is how the hackers were able to bypass and disarm security mechanisms such as IDS and AV.

Just look at how many times SQL injections are called out in the indictment:

Selected Methods of Hacking Utilized by Defendants

m. Structured Query Language ("SQL") was a computer programming language designed to retrieve and manage data in computer databases.

n. “SQL Injection Attacks” were methods of hacking into and gaining unauthorized access to computers connected to the Internet.

o. “SQL Injection Strings” were a series of instructions to computers used by hackers in furtherance of SQL Injection Attacks.

p. “Malware” was malicious computer software programmed to, among other things, gain unauthorized access to computers; to identify, store, and export information from hacked computers; and to evade detection of intrusions by anti-virus programs and other security features running on those computers.

q. “Tunneling” was a method employed to create a connection between a hacked computer and an attacking computer to facilitate the transmission of, among other things, commands from the attacking computer to the hacked computer, and data from the hacked computer to the attacking computer.

The Corporate Victims of Computer Hacking

2. At various times relevant to this Second Superseding Indictment:

a. NASDAQ was the largest United States electronic stock market, and the primary market for trading in the stocks of approximately 3,200 public companies. NASDAQ offered its customers access to on-line accounts over the Internet, and its computer network was located in, among other places, Middlesex County, New Jersey. Beginning in or about May 2007, NASDAQ was the victim of a SQL Injection Attack that resulted in the placement of malware on its network, and the theft of Log-in Credentials.

b. 7-Eleven, Inc. ("7-Eleven") was headquartered in Dallas, Texas, and was the corporate parent of a convenience store chain by the same name. 7-Eleven processed credit and debit card transactions through its computer networks. Beginning in or about August 2007, 7-Eleven was the victim of a SQL Injection Attack that resulted in malware being placed on its network and the theft of an undetermined number of Card Numbers.

c. Carrefour S.A. (“Carrefour”) was a French multinational retailer headquartered in Greater Paris, France, and was one of the largest retailers in the world in terms of revenue and profit. Beginning as early as October 2007, Carrefour’s computer networks were breached and approximately 2 million credit Card Numbers were subsequently exfiltrated.

d. JCPenney, Inc. ("JCP") was a major national retailer with its headquarters in Plano, Texas. JCP processed credit card payments for its retail stores through its computer network. Beginning on or about October 23, 2007, JCP was the victim of a SQL Injection Attack that resulted in the placement of malware on its network.

e. Hannaford Brothers Co. ("Hannaford") was a regional supermarket chain with stores located in Maine, New Hampshire, Vermont, Massachusetts, and New York that processed credit and debit card transactions through its computer network. In or about early November 2007, a related company of Hannaford was the victim of a SQL Injection Attack that resulted in the later placement of malware on Hannaford's network, and the theft of approximately 4.2 million Card Numbers.

f. Heartland Payment Systems, Inc. ("Heartland"), which was located in or near Princeton, New Jersey, and Plano, Texas, among other places, was one of the world's largest credit and debit card payment processing companies. Heartland processed millions of credit and debit transactions daily. Beginning on or about December 26, 2007, Heartland was the victim of a SQL Injection Attack on its corporate computer network that resulted in malware being placed on its payment processing system and the theft of more than approximately 130 million Card Numbers, and losses of approximately $200 million.

g. Wet Seal, Inc. ("Wet Seal") was a major national retailer with its headquarters in Foothill Ranch, California. Wet Seal processed credit and debit card payments for its retail stores through its computer network. In or about January 2008, Wet Seal was the victim of a SQL Injection Attack that resulted in the placement of malware on its network.

h. Commidea Ltd. ("Commidea") was a European provider of electronic payment and transaction processing solutions for retailers, with its headquarters in the United Kingdom. From at least as early as March 2008 through in or about November 2008, malware used in other known network intrusions existed on Commidea's computer networks, and was communicating with known hacking platforms. In or about 2008, approximately 30 million Card Numbers were exfiltrated from Commidea's computer networks.

i. Dexia Bank Belgium ("Dexia") was a consumer bank located in Belgium. Between in or about February 2008 and in or about February 2009, Dexia was the victim of SQL Injection Attacks that resulted in the placement of malware on its network and the theft of Card Numbers that resulted in approximately $1.7 million in loss.

j. JetBlue Airways ("JetBlue") was an airline with its headquarters in Long Island City, New York. Between in or about January 2008 and in or about February 2011, JetBlue suffered an unauthorized intrusion resulting in the placement of malware on portions of its computer network that stored Personal Data of its employees.

k. Dow Jones, Inc. ("Dow Jones") published news, business, and financial information worldwide in newspapers, on television and radio, over news wires, and on the Internet. Dow Jones's computer infrastructure was based largely in New Jersey, as well as in Minnesota, New York and elsewhere. In or before 2009, Dow Jones was the victim of unauthorized access to its computer network resulting in the placement of malware on its network and the theft of approximately 10,000 sets of Log-In Credentials.

l. "Bank A" was one of the leading domestic banks in the United Arab Emirates, and was headquartered in Abu Dhabi. Between in or about December 2010 and in or about March 2011, malware was placed on Bank A's computer networks, and was used to facilitate the theft of Card Numbers.

m. Euronet was a global provider of electronic payment and transaction processing solutions for financial institutions, retailers, service providers and individual consumers, with its headquarters in Leawood, Kansas. Between in or about July 2010 and in or about October 2011, Euronet was the victim of SQL Injection Attacks that resulted in the placement of malware on its network and the theft of approximately 2 million Card Numbers.

n. Visa, Inc. ("Visa") was a global payments technology company that owned and managed the "Visa" brand. Visa did not directly issue credit or debit cards, extend credit, or set rates and fees for consumers. Rather, it provided processing services to its financial institution clients through "VisaNet," a centralized and modular payments network. Visa Jordan Card Services ("Visa Jordan") was a Visa licensee, and Jordan's premier payment card processor. Between in or about February 2011 and in or about March 2011, Visa Jordan was the victim of SQL Injection Attacks that resulted in the placement of malware on its network, and the theft of approximately 800,000 Card Numbers.

o. Global Payment Systems ("Global Payment") was one of the world's largest electronic transaction processing companies, with its headquarters in Atlanta, Georgia. Between in or about January 2011 and in or about March 2012, Global Payment was the victim of SQL Injection Attacks on its computer network that resulted in malware being placed on its payment processing system and the theft of more than 950,000 Card Numbers, and losses of approximately $92.7 million.

p. Discover Financial Services, Inc. was a financial services company, which, among other things, issued the Discover Card credit card, and since in or about April 2008 has owned the Diners Club International (“Diners”) charge card network. Diners provided a variety of payment solutions to its customers and managed the Diners brand, which was licensed to a number of international franchisees, including Diners Singapore. Beginning on or about June 23, 2011, Diners Singapore was the victim of an SQL Injection Attack that resulted in malware placed on its network and the theft of Card Numbers; the intrusion exposed over 500,000 Diners credit cards and resulted in losses of approximately $312,000.

q. Ingenicard US, Inc. ("Ingenicard") was a provider of international electronic cash cards headquartered in Miami, Florida, and operated one of the largest cash exchange platforms in the world. From in or about March 2012 through in or about December 2012, Ingenicard was the victim of SQL Injection Attacks that resulted in malware being placed on its network and the theft of Card Numbers, which were later used to withdraw over $9 million within twenty-four hours.

The organizations listed here are not small companies without the resources to dedicate to security. These are large, sophisticated organizations that in most cases were felled by a common, yet easy to fix, vulnerability. As time passes, the cumulative cost of these data breaches may well exceed the current $300 million estimate.

Application security experts know this is a major problem for all corporations, but in high-profile attacks it is usually spearphishing that gets the limelight. The indictment also shows the limitations of detection-based controls such as IDS and AV, which the defendants bypassed and disarmed. The solution is application security. It can't be spelled out more clearly than this: dozens of high-profile, sophisticated companies lost hundreds of millions of dollars. You have to fix the vulnerabilities! At Veracode we cite the figure that 42% of applications tested have SQL injection vulnerabilities, but it is a faceless number. This indictment puts names to those vulnerable applications and highlights the need to identify and fix these flaws.

honey | July 26, 2013 2:14 pm

Pwnt.

nate.v | July 30, 2013 7:37 am

How do you compromise a system from a SQLi? Can you give one example of executing code other than SQL in a SQLi?

Chris Wysopal | July 31, 2013 3:43 am

Some SQL servers are configured to allow system commands to be executed from a SQL statement. Another possibility is exploiting a database vulnerability to get arbitrary code execution.
-Chris
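To make concrete both the post's point that the flaw is "easy to fix" and nate.v's question about how a SQLi turns into a compromise, here is an added example that is not part of the original post, the indictment, or any Veracode product. It is a self-contained Python script using the standard-library sqlite3 module: the vulnerable query builds SQL by string concatenation, the fixed query uses a bound parameter, and a constructed "SQL Injection String" in the indictment's sense is run through both. The two-table schema (a product catalogue the web app searches, and a card table it should never expose), the table and column names, and the sample card numbers are all assumptions made up for the example.

```python
import sqlite3

# Constructed sample data (not from the page): a tiny payment-processor schema.
# The web search is only supposed to read `products`; `cards` is the prize.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER);
CREATE TABLE cards (id INTEGER PRIMARY KEY, pan TEXT, expiry TEXT);
INSERT INTO products VALUES (1, 'Coffee', 250), (2, 'Sandwich', 650);
INSERT INTO cards VALUES (1, '4111111111111111', '12/25'),
                         (2, '5555555555554444', '06/26');
"""


def fresh_db():
    """Return a new in-memory database loaded with the sample schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    """The pattern behind the indictment's SQL Injection Attacks: user input is
    pasted into the query text, so the input can change the query's structure."""
    sql = "SELECT name, price_cents FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    """The fix: a parameterised query. The driver sends the value separately from
    the SQL text, so quotes and keywords inside `term` are data, never code."""
    sql = "SELECT name, price_cents FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# A UNION-based injection string (constructed for this example). Against the
# vulnerable query it closes the LIKE literal, bolts on a second SELECT that
# reads the card table, and comments out the trailing quote the app appends.
INJECTION = "x%' UNION SELECT pan, expiry FROM cards --"


def run_demo():
    """Run the same injection string through both queries and return the rows
    each one hands back, plus a normal search to show the fix still works."""
    conn = fresh_db()
    return {
        "vulnerable": search_vulnerable(conn, INJECTION),  # card numbers leak
        "fixed": search_fixed(conn, INJECTION),            # no product matches: []
        "normal": search_fixed(conn, "coff"),              # [('Coffee', 250)]
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label:10s} -> {rows}")
```

The vulnerable query's text after injection is `SELECT name, price_cents FROM products WHERE name LIKE '%x%' UNION SELECT pan, expiry FROM cards --%'`, which is exactly the "SQL Injection String ... theft of Card Numbers" sequence the indictment repeats for each victim. Python's sqlite3 driver refuses more than one statement per `execute()` call, so this example cannot show the stacked-query variant; on a database that accepts stacked statements, the same concatenation flaw lets the attacker append a second statement, and where the database login is allowed to run system commands from SQL (the configuration Chris refers to, for which Microsoft SQL Server's `xp_cmdshell` extended stored procedure is the well-known case) that second statement is how malware ends up "placed on its network". The parameterised version closes off all of these at once, which is why fixing the application, not tuning the IDS, is the answer.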
