filmov
tv
How This SQL Command Blew Up a Billion Dollar Company
Показать описание
A story of the Heartland Payment Systems breach from 2007-2009, the world's largest at the time. The specific details of how everything went down is unknown, so this is built on top of the USSS/FBI advisory, and various articles. The FBI advisory (see the third source) covered dozens of breaches that occurred in the late 2000s, all of which had the same attack pattern (Windows, SQL Server, xp_cmdshell, etc). But it's theoretically possible that Heartland was the odd one out, and that everything in this video is wrong ☺️
Sources:
Assumptions:
- In the hackers' conversation at 1:05, I arbitrarily chose Gonzalez as the "boss" since he's the only one with a Wikipedia page and I suppose has the longest resume.
- For 1:38, Amazon does not use a relational database for its product listings, and therefore no SQL queries are used in reality. But this is a relatable and simple example.
- At 2:38, whether or not Heartland used the 2000 version of SQL Server is a guess. The above Research Gate paper "Heartland Data Breach Analysis" says 2000 is likely as the website was developed 8 years prior. I believe xp_cmdshell was also first introduced in SQL Server 2000, so it could not have been a version prior to that one.
- Whether or not the web portal was connected to SQL Server with sysadmin credentials is also a guess (5:03). It is possible that the role was not sysadmin, but was granted permission to execute xp_cmdshell for unknown reasons (sysadmin can grant other roles permission to use xp_cmdshell)
- Heartland's use of NTLM (7:07) is also a guess. Many companies would have not switched over at the time, and the FBI advisory points out the use of fgdump, which is specifically used for NTLM.
- It is alluded to at 9:02 and onward, but credentials and privilege escalation could have also been obtained through other means.
- The whole "privilege escalation + hop through various hosts" illustration at 9:18 could be completely wrong, and is the biggest gap in the story. This is just the simplest way the payment network could have theoretically been reached. For all we know the hackers actually did exploit Microsoft Office to hack into the mainframe.
- Heartland never specifically said what the packets contained (9:34), but they mentioned everything that *wasn't* leaked, like SSNs, so the assumption here is that packets contained everything that they didn't say wasn't leaked.
- There's a HSM (hardware security module) section in the FBI advisory as well, but I figured that wasn't too important as the primary issue mentioned throughout every article is the unecrypted in-flight data.
Error corrections:
- 3:17 dll files literally contain machine code, usually compiled from C or C++
Chapters:
0:00 Brief introduction of Heartland
0:44 The Beginning
1:34 SQL and SQL injection
2:37 Heartland's use of SQL Server
5:41 Almost Caught?
6:13 Jump to the payment network
9:57 Attack shut down, public disclosure
10:48 The Perpetrators
11:24 Preventive measures
12:54 Conclusion
Music:
Sources:
Assumptions:
- In the hackers' conversation at 1:05, I arbitrarily chose Gonzalez as the "boss" since he's the only one with a Wikipedia page and I suppose has the longest resume.
- For 1:38, Amazon does not use a relational database for its product listings, and therefore no SQL queries are used in reality. But this is a relatable and simple example.
- At 2:38, whether or not Heartland used the 2000 version of SQL Server is a guess. The above Research Gate paper "Heartland Data Breach Analysis" says 2000 is likely as the website was developed 8 years prior. I believe xp_cmdshell was also first introduced in SQL Server 2000, so it could not have been a version prior to that one.
- Whether or not the web portal was connected to SQL Server with sysadmin credentials is also a guess (5:03). It is possible that the role was not sysadmin, but was granted permission to execute xp_cmdshell for unknown reasons (sysadmin can grant other roles permission to use xp_cmdshell)
- Heartland's use of NTLM (7:07) is also a guess. Many companies would have not switched over at the time, and the FBI advisory points out the use of fgdump, which is specifically used for NTLM.
- It is alluded to at 9:02 and onward, but credentials and privilege escalation could have also been obtained through other means.
- The whole "privilege escalation + hop through various hosts" illustration at 9:18 could be completely wrong, and is the biggest gap in the story. This is just the simplest way the payment network could have theoretically been reached. For all we know the hackers actually did exploit Microsoft Office to hack into the mainframe.
- Heartland never specifically said what the packets contained (9:34), but they mentioned everything that *wasn't* leaked, like SSNs, so the assumption here is that packets contained everything that they didn't say wasn't leaked.
- There's a HSM (hardware security module) section in the FBI advisory as well, but I figured that wasn't too important as the primary issue mentioned throughout every article is the unecrypted in-flight data.
Error corrections:
- 3:17 dll files literally contain machine code, usually compiled from C or C++
Chapters:
0:00 Brief introduction of Heartland
0:44 The Beginning
1:34 SQL and SQL injection
2:37 Heartland's use of SQL Server
5:41 Almost Caught?
6:13 Jump to the payment network
9:57 Attack shut down, public disclosure
10:48 The Perpetrators
11:24 Preventive measures
12:54 Conclusion
Music:
0:13:11
How This SQL Command Blew Up a Billion Dollar Company
0:01:46
The QUICKEST Way to Get SQL Command Help
0:00:18
How to learn SQL? Check out this fun resource!
0:00:33
This SQL trick will blow your mind #SQL #sqlserver #dba #ssms #database #data #dataanalytics #dev
0:00:20
How to write SQL in seconds 😳 with AI ✅👍#sql #ai #oracle #shorts
0:00:56
This will Blow your MIND #sql #merge #dataengineering #datascience #dataanalytics #sqlserver #data
0:00:38
What is SQL?!?
0:00:22
Get HIRED with a single SQL command!
0:00:10
Want to learn SQL? Check this out 🤩
0:00:56
This will Blow your MIND #SQL #dataengineering #dataanalytics #datascience #sqlserver #database
0:00:36
Data Analyst SQL Question for Beginner
0:12:32
This AI is writing Mind blowing SQL Queries #chatgpt | End of SQL Jobs ?
0:00:58
5 SQL Tips for CTE | Things You Wish You Knew Earlier!
0:00:10
I can’t believe I just discovered this SQL tool 🤩 #tech
0:03:08
Let Power Query write your SQL for you!
0:00:30
Free resource to learn SQL | You won’t regret it 🤯 #dataanalytics #sql #immigrants #shorts
0:00:14
SQL Tricks You Never Knew You Needed, Part 1: Order By WHAT?!
0:00:16
Create table in database sql server #shorts
0:00:55
SQL Query Short Cuts ||SQL Server Shortcut Keys configuration
0:00:28
SQL Quiz-1 | SQL Tutorial for Beginners
0:00:11
Free Amazing AI Tool To Master SQL #SQL #AI #Coding #SoftwareDevelopment
0:00:30
3 SQL Interview Prep Resources #shorts
0:00:42
SQL Tutorial: Lesson 5 - Where #shorts
0:13:19
Now You Have AI Assisted SQL Query Generator- Don't Worry You Will Not Lose Jobs!
Комментарии