Tracing Gonzalez’ Footsteps: Exploiting “Low-Risk” SQL Injection

September 4, 2009

Here’s what we need to learn from the many crimes of Albert Gonzalez unwrapped in the federal indictments pending against him for allegedly breaking into the networks of several giant corporations and stealing mountains of their most closely-guarded electronic data – sometimes what appears to be your least critical IT vulnerability, from a business perspective, might prove to be the one that gets you.

(And why most organizations, based on that reality, need to find a more efficient manner of understanding the implications of individual vulnerabilities to better assess their overall level of IT risk.)

In the case of the much maligned Heartland Data Systems, this scenario appears to be exactly what did them in, at least based on the charges leveled at Gonzalez and some of his unidentified (and yet-to-be-incarcerated) “business” partners.

For these companies, which were already spending copious amounts of time and money trying to protect their customers’ credit card information, it looks as if Gonzalez et al were able to identify flaws that did not by themselves expose protected data – and as a result likely received less attention from risk assessors than other vulnerabilities – and then leverage those “low-priority” weak points to tunnel deeper into the businesses’ most sensitive networks and databases.

The real irony is that, since they had already been certified as compliant with the Payment Card Industry (PCI) Data Security Standard (a set of data security requirements imposed by the world’s largest credit and debit card providers), these organizations almost certainly already had in hand the information that would have shown how someone like Gonzalez could do exactly what he did; they just didn’t have the right filter through which to translate that information into a picture of what was actually possible.

These companies had been compelled to conduct fairly thorough vulnerability scanning of their networks and even some penetration testing, as these are processes required under PCI, but couldn’t see through the data to identify the broader risks.

The Problem With Most Risk Assessments

As I recounted this story during a Webcast that Core Security hosted for roughly 1,000 attendees yesterday, many of the security auditors I speak to can cite stories similar to the fate that befell the companies compromised by Gonzalez: the auditors identify a vulnerability that allows some level of access to a server or data of little value to the organization, the business focuses only on the value of the data directly exposed and rates the issue low, and it ends up paying for that mistake.

The pain the auditors express to me is in finding a way to convince IT and business management that this issue should not be examined in a vacuum (and as a result be given a low risk rating) but be seen in the context of the network as a whole.

Fortunately for those auditors armed with IMPACT Pro, they can produce an attack graph that diagrams just how a single vulnerability often exposes other parts of the network, and try to use that to convince decision makers what they really need to do to prioritize risks.

And I’d argue that this example provided by Gonzalez is a virtual template for most of the successful data theft incidents that we’re seeing throughout corporate and government IT environments today.

Because of the pervasiveness of security vulnerabilities, particularly in newer technologies such as Web applications, and the intrinsic interconnectivity of IT systems, attackers are able to find small fissures in organizations’ security perimeters and then use those weak points to eventually get their hands on their most valuable electronic assets.

In illustrating the specific SQL injection and escalation techniques employed by Gonzalez in his campaigns using our flagship penetration testing solution, IMPACT Pro, and demonstrating precisely how these actions can be carried out using the product’s patented agent technology (which allows testers to exploit a single vulnerability and then pivot internally using other vulnerabilities resident across Web applications, networks and endpoints), I think we also make the strongest case for the strategic value that our technology provides to its users.

By going one step further and performing penetration tests against those vulnerabilities discovered during the PCI assessment process using a system like CORE IMPACT that allows you to understand how a low-level SQL injection vulnerability in your Web application can provide attackers with subsequent access to your most closely protected databases, the organizations targeted by Gonzalez could have sorted through their security data and gotten a much clearer view of their most critical risks before these types of electronic data catastrophes ever occurred.
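The following is an added illustration of that point, not code from the post or from Core Security’s product: a “low-value” store-locator lookup built by string concatenation reaches a cardholder table that happens to share its database, while the parameterised version and a least-privilege connection do not. The schema, data, table names and test input are constructed, and the SQLite authorizer stands in for a least-privilege database account.

```python
import sqlite3

# Constructed sample schema (not from the post): a low-value store-locator
# table sharing one database with the protected cardholder table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE stores (id INTEGER, city TEXT);
        INSERT INTO stores VALUES (1, 'Boston'), (2, 'Austin');
        CREATE TABLE cards (id INTEGER, pan TEXT);
        INSERT INTO cards VALUES (1, '4111111111111111');
    """)
    return conn

def find_stores_vulnerable(conn, city):
    # String concatenation: user input becomes part of the SQL text.
    sql = "SELECT city FROM stores WHERE city = '" + city + "'"
    return [row[0] for row in conn.execute(sql)]

def find_stores_hardened(conn, city):
    # Bound parameter: the input is treated as data, never as SQL.
    return [row[0] for row in
            conn.execute("SELECT city FROM stores WHERE city = ?", (city,))]

def restrict_to_stores(conn):
    # Defence in depth: deny this connection any read of `cards`, so even an
    # injection that slips through cannot pivot to protected data. The SQLite
    # authorizer stands in for a least-privilege database account.
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_READ and arg1 == "cards":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)

# Constructed test input that turns the locator lookup into a read of `cards`.
PIVOT_INPUT = "x' UNION SELECT pan FROM cards --"

def demo():
    conn = make_db()
    out = {"vulnerable": find_stores_vulnerable(conn, PIVOT_INPUT),
           "hardened": find_stores_hardened(conn, PIVOT_INPUT)}
    restrict_to_stores(conn)
    try:
        find_stores_vulnerable(conn, PIVOT_INPUT)
        out["restricted"] = "leaked"
    except sqlite3.Error:
        out["restricted"] = "denied"
    return out

if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns the card number from a table the locator never needed, the bound-parameter version returns nothing, and the restricted connection fails outright even with the vulnerable query in place.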

Again, for those of you who didn’t see the Gonzalez webcast, you can find it here.

-Alex Horan, Product Management Director
