Getting Serious about SQL Injection and the TJX Hacker

Your humble blogwatcher has selected these bloggy morsels for your enjoyment.

Dan Goodin registers his discontent:

Federal authorities have charged a previously indicted hacker with breaching additional corporate computers and stealing data for at least 130 million credit and debit cards, the biggest identity theft case ever prosecuted in the United States. Albert "Segvec" Gonzalez and two unnamed Russians were indicted on Monday for attacks that hit credit card processor Heartland Payment Systems, retailers 7-Eleven and Hannaford Brothers, and two unidentified companies. The 28-year-old resident of Miami already stood accused of perpetrating a breach on stores owned by TJX.


Documents filed in US District Court in Newark, New Jersey claim that ... the trio used SQL injection attacks to install sniffer software on the companies' servers to intercept credit card data as it was being processed. ... The breach has proved to be a major embarrassment for Heartland, which ... has so far allocated $12.6m to cover costs stemming from the loss of sensitive card-holder data. ... If convicted, each faces a maximum of 35 years in prison and $1.25m in fines. MORE

Kim Zetter adds :

The constellation of hacks connected to the TJX hacker is growing. ... these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies. Jury selection is slated to begin Sept. 14 in one of those cases.


Gonzalez was a Secret Service informant who once went by the nickname “Cumbajohnny.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003. Authorities discovered his connection to Shadowcrew and soon put him to work undercover on the site ... [which] led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to “Segvec” and moved to Miami where he allegedly resumed his life of crime. MORE

Jacqui Cheng asks, "Feel like checking your credit report yet?":

The [TJX] theft ... occurred, unsurprisingly, due to glaring security holes in the computer systems that process and store payment information. Gonzales' success came for similarly stupid reasons.


It turns out that one of the systems in the payment processing chain had been infected with an unidentified bit of malware designed to track and report the magnetic information stored on the back of a credit card as that data was sent through the system. Though Heartland said that no personally identifiable information was transmitted, that magnetic data could easily be transferred to a new physical card. MORE

Dennis Fisher says it's "Sadly familiar" :

The news ... shows that law enforcement is indeed stepping up its work on cybercrime. But it also provides what is probably the clearest evidence to date that the people executing these attacks are highly competent, organized and motivated. ... What IT security teams and other interested parties should be concerned with are how these attacks happened and the level of organization and professionalism involved.


This was not something that this group did on a lark. They put a considerable amount of time and effort into this plan. They knew what they were looking for, they knew where to find it and they knew how to get it. And once they had their plan in place, it appears that their targets made it all too easy for them to succeed. SQL injection vulnerabilities are a pervasive and insidious problem, but they're also well-understood and there are effective methods for finding and fixing them. MORE

Objects in J.R. Raphael's mirror may be closer than they appear :

Put into perspective, the Heartland case is far above and beyond any data theft in the past; ... the number of affected accounts in the hack is equal to nearly half the total number of compromised accounts in all breaches on record since 2005.

To be fair, that total number is likely on the low side: Many breaches have unknown numbers of affected records ... and some cards may have been breached multiple times. Still, it provides a rough estimate of where this hack stands in the big picture. MORE

Rich Mogull rolls his eyes:

It looks like we now know exactly how all these recent major breaches occurred.


No surprises. All preventable, although clearly these guys know their way around transaction networks if they target [Hardware Security Modules] and proprietary financial systems. Seems like almost exactly what happened with CardSystems back in 2004. No snarky comment needed. MORE

This story, "Getting Serious about SQL Injection and the TJX Hacker" was originally published by Computerworld.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon