The U.S. Department of Justice's indictment of Albert Gonzalez on Monday seems to have all the elements of a Hollywood crime drama: A hacker gains access to millions of credit and debit card numbers and has the power to take down a nation. Too bad for Tinseltown, the attack itself was about as sexy and a pile of routers.
According to the indictment, Gonzalez, 28, gained a foothold into the systems of credit card processors such as Heartland Payment Systems and retailers like OfficeMax, Barnes & Noble and TJX Cos. using an amateur hacking technique called "wardriving," which uses wireless access points to find vulnerable networks from which to launch attacks. Once connected to those private networks, Gonzalez used a well-known technique called "SQL injection" to trick Web applications into forking over private information that gave him deeper access into networks. Even though it sounds complicated, techies liken this kind of hack to simply turning the front doorknob to get into a house.
In the seven-layer Open System Interconnection model, a popular reference guide for securing a network software stack, the application layer is at the top. SQL injection is a Web-based attack that happens on this surface level. Securing the application layer is entry-level security stuff, which raises the question of why so many credit card handlers were vulnerable in the first place.
They certainly shouldn't have been vulnerable, says Kurt Roemer, chief security strategist of Citrix Systems. Citrix is on the board of advisers for the Payment Card Industry (PCI) security standards council, an industry effort for hardening the security systems of businesses that handle credit cards.
Roemer says businesses need to use either a Web application scanner or Web application firewall to guard against SQL injections. A Web application scanner likely would have likely caught the SQL injection vulnerabilities Gonzalez exploited. If it didn't, an application firewall probably would have isolated the attacker from gaining access to other parts of the compromised networks.
"PCI specifically calls this out," Roemer says. "The way these guys got hacked there's no way they would have satisfied" those standards.
The PCI rules also try to mitigate the threats of wardriving. Earlier this year, the PCI standards body called for the phase-out of any wireless networks using WEP encryption, a digital lock that takes only a couple of minutes to break.
Though the way Gonzalez broke into systems is hardly the work of a criminal mastermind, Roemer says he's impressed by how Gonzalez and his co-conspirators were able to use relatively simple means to gain powerfully damaging access.
"The criminals would rather have something that's pretty easy and gets them the maximum amount of data," he says. "I'm just amazed at how they profiled all these companies and actually had a complete attack methodology."
Original Source : Taylor Buley, Forbes.com / Yahoo.com