Security Watch

Data Thefts Happened via SQL Server

Software from the biggest software company in the world is bound to be used by hackers for nefarious reasons. Plus: Redmond, Sophos scrap on security; ScanSafe survey finds more companies banning Facebook, Twitter.

• By Jabulani Leffall
• 08/25/2009

The digital smash and grab jobs at payment process and remittance company Heartland Payment Systems Inc., and discount retailer TJX Companies Inc. have a few things in common, according to the U.S. Department of Justice: cross-site scripting and a compromised SQL database program.

The most common incursion into the SQL server application is called an injection attack, where exploits are mostly triggered using a SQL Server extended stored procedure command as an entry point into an infected system. Such a process is key to continued maintenance of any given database powered by SQL and can also be a way in through cross-site scripting, or XSS, attacks..

The Justice Department said that in the case of hacker Albert Gonzalez, who along with accomplices was charged two weeks ago with stealing hundreds of millions of credit and debit card records from Heartland, and Hannaford Bros. grocery chain, Gonzalez and company employed SQL injection.

Court papers state that once inside, the hackers deployed smart malware, packet sniffing tools and other automated bugs that found and copied payment card data.

This blogger has been reporting on this issue for more than a year and experts have been warning about such attacks for even longer.

In tandem with XSS attacks, an SQL injection breach can be wickedly simple, said Manoj Apte, vice president at cloud security company Zscaler.

"Cross-site scripting is, unfortunately, stupidly simple for hackers," Apte said. "It requires very little expertise, and it's easy to find vulnerable Web sites." Because it's so easy, he said, "XSS is creating a whole new generation of script kiddies."

Redmond, Sophos in Security Scrap
Microsoft has often taken issue with claims from security service and software vendor Sophos, and vice versa. This week, the feud continues over Windows 7's XP mode interoperability tool, which allows Windows 7 users to have XP compatibility with a virtual PC session.

"Windows 7's planned XP compatibility mode risks undoing much of the progress that Microsoft has made on the security front in the last few years and reveals the true colors of the OS giant," said Richard Jacobs, Sophos' CTO in a post.

While Jacobs touted the progress Redmond has made with its Security Development Lifecycle for the physical OS and related systems, he said, "XP mode reminds us all that security will never be Microsoft's first priority."

Microsoft lobbed back with a salvo calling once again into question "the facts." In his return shot, Redmond virtualization maven and Windows developer James O'Neill said people with the title of Chief Technology Officer should have a "better grasp of the key facts before reaching for the insulting rhetoric."

"I should be well disposed to (Sophos) but I've had occasion before now to roll my eyes at what their spokespeople have said – the pronouncements being of the 'lets make the news, and never mind the facts' variety."

O'Neill went on to say that XP mode is just standard virtualization software and a pre-configured virtual machine, which can be patched just like a regular OS on a regular physical PC. Accordingly one can install anti-virus software on a virtual machine in the same way they would a tangible bricks and mortar workstation.

The two companies have a history of antagonism, so the hemming and hawing will likely continue. But there's a lesson here to be learned for channel partners and value-added resellers: If there's a gap in a Windows program, fix it then tailor it to the individual needs of an enterprise processing environment and that's that. In this instance cooler heads can always prevail.

More Employers Ban Facebook Twitter
A SaaS security company ScanSafe survey found that three quarters of companies are blocking social networking sites -- namely, Twitter and Facebook -- more frequently now than ever. Respondents said that even online shopping, weapons, alcohol, sports and personal e-mail were preferable to letting workers spend time Facebooking and tweeting.

It seems that the recent denial-of-service attack hitting Twitter was a noteworthy event for IT security pros and administrators and, by extension, managers are now starting to take notice.

The public sector is ahead of the game. Already the U.S. Marine Corp. has banned its troops from using Twitter and Facebook for a year. Moreover, the U.S. Department of Defense is also putting social media technology under review.

So if you're an IT staffer or tech maven eading this and you plan to click over to Facebook or Twitter afterward -- just for a little while, before you get back to real work -- do it now. If a recent survey is any indication, many enterprises are getting leery of social networking sites and the threats they represent (to say nothing of the gazillions of man-hours spent not doing work). Heck, I just updated my Facebook status right before penning this blog. Time well spent? Not really, but it's fun and I guess that's what hackers and malware purveyors are counting on.