Showing newest posts with label RBS WorldPay; Database Attack; Data Breach. Show older posts

Wednesday, 11 November 2009

SQL injection sees a big payout

Yesterday, prosecutors in Atlanta announced indictments against an alleged crime ring from Eastern Europe. The achievements of their hackers point to frightening means of financial data theft. According to the reports, the hackers attacked payment processor RBS WorldPay, cloned prepaid ATM cards, and used them to withdraw cash totaling $9 million from 280 cities globally. These attacks took place in November 2008, and the timing is significant given that similar breaches of card data were occurring via SQL injection attacks.

In the Spring of 2008, fully automated SQL injection attacks were spreading rapidly – but the reports focused on the visible outcomes and listed them as “i-frame attacks” rather than naming their root cause, a database attack. At the time we warned that SQL injection attacks were both increasing and becoming more severe, moving to attacks whose purpose was to serve as much malicious code on as many web sites as possible. In the few months between that time and November 2008, the attacks moved beyond proof of concept and annoyance hacks to direct database manipulation and fraud. One year later, our call to action remains the same: all companies need to address the vulnerabilities the web environment poses to their databases. We recommend adding security precautions so that SQL injection attacks are blocked, ensuring that the database cannot be used directly to mount a costly and embarrassing data breach.

Wednesday, 16 September 2009

Data Breaches: The way to a corporation’s data-heart is through their applications-stomach

Again we learn that, like the old adage “the way to a man’s heart is through his stomach”, “the way to a corporation’s data is through their applications”. A hacker announced that he was able to get through to the RBS WorldPay Database via a SQL Injection vulnerability in one of their web applications. This is nothing new.

Last week the CEO of Heartland Payment Systems, Robert Carr, highlighted that it is not just web applications that have the flaws. The breach, which ultimately saw more than approximately 130 million card numbers leaked from Heartland’s payment systems, was actually initiated through an unrelated corporate application. This too was exploited via SQL Injection, allowing the attacker to use the database to get a “position” on the network, from which undetectable malware delivered a sniffer that was installed to collect passing card numbers from the card payment system.

Heartland had many penetration testers and certified security auditors (including PCI QSAs) constantly crawling all over their systems – even after they had learned of the injection attack. They had been reassured that their card data was still safe for many months. Alas, history tells us that they had a false sense of security – until they went looking for the sniffer based on lessons learned in the Hannaford Brothers data breach.

Now – like Heartland – the initial claim of RBS (owners of WorldPay) is that no data was leaked in this recent exploit. How long will it be before we learn otherwise?