Here we go again. Another record-setting case involving identity theft. Fox News is reporting that Albert Gonzalez is responsible for the theft of 130 million credit and debit card numbers. Funny thing is…Gonzalez is already due to stand trial later in 2009 AND 2010 for two other data thefts. Maybe you heard about one of them…TJ Maxx?
Obviously details are just emerging but some intel suggests the accused and his co-conspirators were able to breach the systems using SQL injection attacks. If that's the case I think the organizations that fell victim should be held liable for criminal negligence. Here's my argument for why.
SQL injection is the technique hackers use to insert SQL statements, queries and commands into web-based systems in order to view or extract data which normally wouldn't be visible to the end user. This stems from input which is not validated.
When you enter a term into a search field to find products by name, for example, the application takes your input and builds a SQL query which it sends to the database. In a normal query, your search term is passed to the database as just that, a search term. Malicious users, however, will put valid SQL statements into those search boxes, and those statements are then passed to the database. It could be a command such as "Send back the table of credit card numbers". The database sees this as a valid command and sends back the full table of credit card numbers. If the application doesn't check this input, the "search term" is sent over to the database and processed for what it really is: a database execution statement, not a search term.
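To make the mechanism above concrete, here is an added example (not code from the original post or from any of the companies involved) using Python's built-in sqlite3 module and a constructed three-row product table. The first search function pastes the user's term into the SQL text, so a term that is itself SQL changes the statement and returns every row; the second sends the query text and the term separately as a bound parameter, so the same term is compared as plain data and matches nothing. The table, product names and inputs are all made up for the demo.

```python
import sqlite3

# Constructed sample data: a tiny product catalogue used only for this demo.
PRODUCTS = [
    (1, "red widget", 9.99),
    (2, "blue widget", 12.50),
    (3, "green gadget", 20.00),
]


def make_db():
    """Create an in-memory database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """Unchecked input: the term becomes part of the SQL text itself."""
    # Whatever the user typed is spliced into the statement the database
    # executes, so quotes and keywords in the term are parsed as SQL.
    sql = "SELECT id, name FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Fixed query text; the term travels separately as a bound value."""
    # The database parses the statement once, with a placeholder where the
    # term goes; the term is then compared as data and never as SQL.
    sql = "SELECT id, name FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: an ordinary search and one that is SQL, not a name.
    normal_term = "widget"
    hostile_term = "x' OR '%'='"

    print("normal, vulnerable:      ", search_vulnerable(conn, normal_term))
    # The spliced statement now reads ... WHERE name LIKE '%x' OR '%'='%',
    # which is true for every row, so the whole table comes back.
    print("hostile, vulnerable:     ", search_vulnerable(conn, hostile_term))
    # The same term, bound as a parameter, is just an odd pattern that
    # matches no product name.
    print("hostile, parameterized:  ", search_parameterized(conn, hostile_term))
```

The fix is not a smarter filter on the search box but a change in how the query is built: with a parameterized statement the database never has a chance to mistake the term for a command, which is the "processed for what it is" problem described above.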
The sad part is that this type of malicious activity is completely avoidable. There are tools which will check each one of your input variables to ensure they cannot be manipulated in this fashion. Oh…and these tools are automated. Sure, some of them cost money, but the risk to the confidentiality, integrity and availability of a database system open to public intrusion is just too great to ignore. This is why I say find those responsible and charge them with criminal negligence.
Now…before you go hog wild on me, I know there are some legal issues to work through here. My point is, until the system owners have some real skin in the game this will continue.
So…give me your thoughts on this. Should system owners (business owners) and administrators (IT departments) have some sort of criminal penalty applied when proper risk mitigation techniques are not followed?