Fraud Case Exposes Hackers' StrategyFraudsters Targeting Smaller Organizations Via SQL Attacks
According to court records, Rogelio Hackett Jr. saved stolen credit card details on computers and in e-mail accounts. He often sold this data, which was then used by those who bought the information to make fraudulent charges. Hackett, set to be sentenced in July, could face 12 years in prison.
How did he do it? Via SQL injection. He gained access to back-end databases through a Web application that leverages the same databases. In August 2007, and then again on a later date, he accessed an online ticketing service provider and got the credit card numbers, says Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP. "It's not inconceivable that at least some of the hacks he was involved in related to him being in the system for a while," operating under the proverbial radar, Sabett says.
"He exploited SQL vulnerabilities," Sabett says. "And despite the fact that SQL injections are well documented, we're still seeing companies that are getting hit and compromised by that kind of attack."
Sights Set on Smaller TargetsIn the scheme of hacking attacks, Hackett's theft pales when compared to the likes of Albert Gonzalez, the mastermind behind the Heartland Payment Systems breach that led to the theft of 130 million credit and debit numbers, also through SQL injection. But as Avivah Litan, distinguished analyst at Gartner Research, points out, Hackett's case highlights how widespread and diverse hacking has become. "For every Rogelio Hackett Jr. that gets arrested, there are likely at least another dozen or more 'Hacketts' or 'hackers' that are not," Litan says.
According to Verizon's 2011 Data Breach Investigations Report, while compromised records resulting from data breaches dropped from 144 million in 2009 to 4 million in 2010, breach numbers themselves have grown. This year's Verizon report includes analysis of 761 data breaches, the highest caseload ever included in the seven-year-old annual report. The 2010 breach total comes close to matching the total number of breaches Verizon analyzed over the previous six-year period.
The primary growth driver: Hackers are targeting smaller, less secure databases. "Today, it's more disorganized crime," since many of the most sophisticated hackers, including Gonzalez, are now behind bars, says Bryan Sartin, director of investigative response at Verizon and an author of the latest data breach report.
Litan says the Hackett case echoes Sartin's sentiment. "We need to concern ourselves more with smaller-scale heists that are able to stay under the radar of law enforcement and the card companies for a longer period, since they are not as massive in scale," she says. "This arrest also reinforces the notion that the hackers can come from anywhere," not just Eastern Europe.
SQL Injections: Too EasyAccording to court records, Hackett began his hacking career in the late 1990s by searching for and exploiting SQL vulnerabilities. More than a decade later, the same method of attack continued to reap rewards. "These SQL injections are allowing someone in through the side fence, not the front door," Sabett says. Josh Corman, research director of the Enterprise Security Practice at The 451 Group, says SQL injections, oftentimes, go right through firewalls. "That's why we need to look at application-level security," Corman says. "Firewalls need to be augmented, with things like web-application firewalls."
Dan Grosu, an IT security consultant who in 2009 blogged about the root of the Heartland attack, SQL injection, says detecting and preventing SQL attacks comes down to getting rid of anything that is not properly formatted. "This would address the problem at its root and therefore is the most recommended course of action," he says. "Frankly speaking, the industry has taken a reactive stance to security rather than a proactive one. Institutions have launched web applications in a rush to be competitive in a very dynamic market, and thus emphasizing heavily the user experience and additional bells and whistles, but spending little development, validation and testing efforts on security."
Sabett says many industries have not made investments to improve security because they have no incentive to do so. "The sum of it is the liability model," he says. "What would incent companies to do more to protect themselves? Does it need to be mandated, regulated? We haven't yet gotten to a point of what I would consider to be equilibrium."