How This SQL Command Blew Up a Billion Dollar Company
- Published 13 Jun 2024
- A story of the Heartland Payment Systems breach from 2007-2009, the world's largest at the time. The specific details of how everything went down are unknown, so this is built on top of the USSS/FBI advisory and various articles. The FBI advisory (see the third source) covered dozens of breaches that occurred in the late 2000s, all of which had the same attack pattern (Windows, SQL Server, xp_cmdshell, etc). But it's theoretically possible that Heartland was the odd one out, and that everything in this video is wrong ☺️
SQL injection simulator: www.hacksplaining.com/exercis...
Sources:
www.bankinfosecurity.com/hear...
blog.comodo.com/e-commerce/th...
www.researchgate.net/publicat... (***Link to FBI advisory is reference [7]***)
community.fico.com/s/blog-pos...
www.wired.com/images_blogs/th...
www.darkreading.com/attacks-b...
www.forbes.com/sites/davelewi...
www.justice.gov/opa/pr/two-ru...
www.cutimes.com/2015/06/05/he...
kwcsec.gitbook.io/the-red-tea...
www.hypr.com/security-encyclo...
blog.quest.com/ntlm-authentic...
www.crowdstrike.com/cybersecu...
Assumptions:
- In the hackers' conversation at 1:05, I arbitrarily chose Gonzalez as the "boss" since he's the only one with a Wikipedia page and I suppose has the longest resume.
- For 1:38, Amazon does not use a relational database for its product listings, and therefore no SQL queries are used in reality. But this is a relatable and simple example.
- At 2:38, whether or not Heartland used the 2000 version of SQL Server is a guess. The above Research Gate paper "Heartland Data Breach Analysis" says 2000 is likely as the website was developed 8 years prior. I believe xp_cmdshell was also first introduced in SQL Server 2000, so it could not have been a version prior to that one.
- Whether or not the web portal was connected to SQL Server with sysadmin credentials is also a guess (5:03). It is possible that the role was not sysadmin, but was granted permission to execute xp_cmdshell for unknown reasons (sysadmin can grant other roles permission to use xp_cmdshell).
- Heartland's use of NTLM (7:07) is also a guess. Many companies would have not switched over at the time, and the FBI advisory points out the use of fgdump, which is specifically used for NTLM.
- It is alluded to at 9:02 and onward, but credentials and privilege escalation could have also been obtained through other means.
- The whole "privilege escalation + hop through various hosts" illustration at 9:18 could be completely wrong, and is the biggest gap in the story. This is just the simplest way the payment network could have theoretically been reached. For all we know the hackers actually did exploit Microsoft Office to hack into the mainframe.
- Heartland never specifically said what the packets contained (9:34), but they mentioned everything that wasn't leaked, like SSNs, so the assumption here is that packets contained everything that they didn't say wasn't leaked.
- There's an HSM (hardware security module) section in the FBI advisory as well, but I figured that wasn't too important as the primary issue mentioned throughout every article is the unencrypted in-flight data.
Error corrections:
- 3:17 dll files literally contain machine code, usually compiled from C or C++
Chapters:
0:00 Brief introduction of Heartland
0:44 The Beginning
1:34 SQL and SQL injection
2:37 Heartland's use of SQL Server
5:41 Almost Caught?
6:13 Jump to the payment network
9:57 Attack shut down, public disclosure
10:48 The Perpetrators
11:24 Preventive measures
12:54 Conclusion
Music:
Aloft (by LEMMiNO) - • LEMMiNO - Aloft (BGM)
"Film Noir Background Music for Videos I Noir Jazz Playlist I No Copyright Music" - • Film Noir Background M... - Science & Technology
Edit: I've since realized that no one reads the description. Pls read the description for extra notes/corrections. If you reply to this comment with any corrections I will add it to the description.
Original comment:
Is the audio quality worse in this video than the last one? Didn't notice with my headphones/speakers, just my phone. Feels like there's too much midrange
Sounds good. Btw great content, you're like the @chubbyemu version of tech. This channel will blow up
On my phone it sounds a bit midrange heavy too, and maybe could use some more compression?
Initially I thought the voiceover was ai generated, I think the audio from your last video sounded better. The video is great, but I found the voice a bit distracting.
Yes, it was worse imo.
this is my first video from you that i've seen, however from first impressions i do believe some EQ work would benefit greatly! :) otherwise i really enjoyed it, sat here and watched it while i played minecraft!!!!
1990's teaching people how to create web servers:
- Create SQL database
- Create webpage and give it direct access to said database
- Expose CRUD logic directly as UI
Sadly that's still common today..
Managers: *laugh in minimal viable product*
.
.
.
.
Managers: *Pikachu surprised face*
There were a lot of failure points, here, but the fact that they didn't guard against SQL injection is inexcusable. This company that handles credit card data is less secure than my student project that let you report celebrity sightings.
You are missing the fact that nowadays even basic software is protected against SQL injection, but 2008 was a completely different time. Now cybersecurity is a lot more important and the software is way more robust. Still, there will always be a way, but not so straightforward
@Teeeh4723 Funnily, if we go back in time another 15 years, we're now looking at a time when protection against SQL injection was the norm.
Fair enough. I didn't start programming seriously until 2013. Even today, though, I still see people use raw SQL execs with unsanitized user input, bypassing the built-in protections. Not everybody knows to use prepared statements. Important for senior devs to check what the juniors are doing.
@DonaldSubert I would argue that 99% of SQL injection issues nowadays are due to senior devs ignoring current industry practices and not because of junior devs. Most ORMs nowadays (and I say most because I'm sure there is at least one popular ORM I've never used that contradicts my point) are extremely cautious towards not allowing SQL injections. The problem is senior devs trying to "bypass" utilizing the ORMs and directly writing SQL, mostly because it may just be quicker for them. Some are also the classical kind of crazy tech guy: "I know better than the tooling!!!!". Then they write complex queries where they miss this one spot which allows insecure inputs, or simply leave the code for a junior to go "monkey sees, monkey does".
This is especially relevant in the shitty Java environment dominated by abominable dinosaurs that still believe in Oracle BS usage of stored procedures
@HenryLoenwind Yet it's still a top 10 vulnerability lol
As a former T-SQL dev who wrote many stored procs, I can confirm that it is indeed just SQL with a fancy hat.
lmao
it really is a nice hat though
It is just SQL but does two good things.
1. You can use a specific kind of DB and SQL to the full extent of its possibilities, go with maximum efficiency, and clearly maintain the proper logic state of the database and proper use of transactions (in very short time spans)
2. It keeps one source of truth, promoting DRY and KISS in some sense, and creates a level of abstraction and separation of concerns.
A developer more specialized in SQL can focus clearly on his job and other developers aren't bothered by SQL internals.
Drawbacks are that this specialization is needed, and also the tempting tendency to move business logic to SPs; when this happens the project becomes very hard to move to another database technology.
Meanwhile on Oracle DB, PL/SQL is basically a dialect of Ada that took some Duolingo courses on SQL.
@D0Samp if you don’t like setting money on fire, MySQL and Spring Boot can basically be turned into a poor man’s Oracle with much more 💪
This video is insanely good and for such a small channel. This channel is going to skyrocket.
thank you, random user, for predicting the future
I just subscribed to this channel and realized that this channel only got 22k subscriber. The content for such a small channel is great.
you jinxed it
Nah I fell asleep
Hopefully invest in Russian accent training 😂.
Quite hilarious that a company working with sensitive data didn't prepare for the most basic of attacks - SQL injection
Cheap, inexperienced staff to cut costs. Project managers with unrealistic scheduling expectations (guesswork).
What could possibly go wrong.
It wasn't very much of an exploit; they took months to get an admin user and just brute forced the password.
You can find a lot of modern websites which are still vulnerable to SQL Injection.
Was SQL injection around before then? Was it taught in schools?
"Recommendation: use passwords" had me do a double take
What I like is not just that the video is great but you provide sources and clarifications in the description. Love to see it!
Number 0: Don't build your SQL by concatenating data and code. SQL has supported placeholders since...um...forever. (Back in the days before dynamic SQL, statements had to be compiled and installed together with the programs. Building them dynamically wasn't even an option.) Using string operations to form SQL commands is simply inexcusable.
(And it also is wasteful. The server can cache the access plans for commands with placeholders, but if you concat in the data, you're sending a completely different command every time.)
I like how companies show off their fancy security features when some parts of their system rely on software that was written by cavemen on walls in prehistoric times
Sometimes that cavemen code will be better than modern one though. Really depends on the exact code
@jan-lukas Once I attempted to rewrite the 1986 SML business logic in F#. Once.
@sycration LOL!
Kinda like how the IRS still uses (at least in virtualized form) IBM mainframe systems from around the time of the Kennedy Administration. Things like that are why there are still jobs in writing COBOL.
"And windows will continue to support it until the heat death of the universe" gotta love microsoft
why progress with technology when you can be stuck thirty years in the past for some shmuck who doesnt want to change instead 😎
I was relatively new in the payments industry when this occurred. Now over 15 years on this has been a great trip down memory lane with a well articulated story line. You’ve got a new subscriber.
this is super informative and funny at the same time. Absolutely love it
I use SQL Sprocs and Shell via Task Scheduler to automate all kinds of stuff.
Files land in a network folder, task scheduler behaves like a cron and fires a shell script every x minutes.
Shell scans dir for files, finds them, bundles data into JSON, sends via REST to endpoint, etc.
It works well in some very specific scenarios, most of the time you get cockblocked by airlocker or solarwinds
And rightly so. Your "cockblocking" is in response to a massive security hole you've just opened up with sloppy coding because you know no better.
I don't usually post comments on youtube.
But your video is of extremely high quality. Very comprehensive and well thought out.
As soon as a question popped out in my brain you would immediately answer it right after.
Good job, sir.
Love your style, rhythm, content -- everything!! Please keep posting videos like these!!
you're such a high value subscription for me, I love your content. you make normally dry technical stuff interesting and comical. never change mate.
I was watching one of your other videos and the failure analysis presented here is just as good as what the UCSB does on their investigations and recommendations.
Great video, and good job!
The easy-to-follow explanations, visualizations and humor in this video are awesome!
These videos are so so good. Super well explained., you're able to keep it simple while still explaining more complicated parts like NTLM authentication
love your editing style and the way you break down the complex stuff , awesome video
Thanks for adding actual captions for the Deaf
SQL injection is the software equivalent of breaking a lock by hitting it with a hammer. Which is to say, the fact that it works as often as it does (i.e. at all) is extremely alarming.
i love this channel. it has a lot of humor, and my favorite, -human suffering- i mean explosions
Your videos are funny and educational both at the same time! I like the insiders too. Very awesome!!
Discovered your channel yesterday via the Cloudbleed video. Loving the content!
Wow the production quality of this video is so high. Nice work!! Great video.
Your channel is super underrated, can't wait to see how you blow up
I love the editing of this video, from the explosions to the video game and anime references. Good job. 👍
Discovered your channel like an hour ago and I'm already addicted your videos rule so hard
Great explanation of everything, this video deserves a hell of a lot more views
Please keep doing these videos, they're great!
This doesn't surprise me. I work with HPS and I often scratch my head and wonder why they haven't moved on from the 70s and 80s yet. I've worked at plenty of financial institutions, so I know they are usually resistant to change, but come on. I think being 40 years behind in technology is probably a little bit too far. Their systems and especially their modes of integration are so antiquated. Our company is moving on from them as fast as we can unwind our existing financial agreements, but they are being sunset quickly. We have had nothing but problems with them.
Because the only way to make a computer unhackable is to keep it off the internet. And even that sometimes isn't enough. There's still that one Janet Jackson song that destroys hard drives
From having read the specs of the payment processing systems back when debit cards were becoming a thing, I discovered that the "end to end" encryption was not really end to end. What happens if that at each hop your data is decrypted, possibly operated on and then re-encrypted. A payment processor would have to be able to decrypt the data in order to do their jobs.
Very cool video and I love all the hidden references. It's been a while since I've seen hunter2, and I wonder how many other ones I've missed.
Even today some developers (mostly from frontend background) still use string concatenation in SQL queries
I'd say "most".
This was an excellent video. Your explanations were succinct and informative. Thanks!
wow, I'm really impressed by the quality of this video. Great job! You've earned a sub :)
Stock for Heartland Payment systems didn't suffer much, and in 2015 they were sold to Global Payments Inc which has almost doubled from the sale price. Proving there's money in payment system software, as Mastercard and Visa can also attest.
Your vids are fascinating! Amazing work
what a gem of a channel, cya in a year with over a million subs
This is fantastic video, keep up the good stuff!
Absolutely great video. Thanks Kevin!
man I am loving this channel
The animation is as good as the information provided! And the information here is 💯
Such a well-made, executed, and entertaining video! Kudos from me!
That was crazy awesome! Thank you, author!
Dlls don't contain c++ code, they contain native assembly
Correct. makes you question what else he doesn't understand.
I think he meant native code written using C++
@williamdrum9899 yeah maybe, seems he could've just added "machine code which was usually written in c++"
Holy cow. Love these videos!!! Please more
This video was very well paced
Using NoSQL or SQL frameworks that prevent SQL injections is not just a trend, but a highly recommended practice in modern web development. These frameworks provide an extra layer of security and help safeguard sensitive data from malicious attacks. It's crucial for developers to prioritize implementing these frameworks to ensure the integrity and safety of their websites. Stay secure, everyone!. 😁
Lmao how does Nosql prevent an sqli attack?
Do you realize SQL is still used to interrogate an SQL DB?
And what the fuck even is a SQL framework lmao, i think you are referring to something like JPA that handles SQL queries for you.
I think you are referring to a part of a larger dev framework which prevents SQL injections. These exist and are highly recommended.
The Nuke API graphic had me rolling lmfaoo redis into k8s then to a nuclear missile
Fantastic content and coverage man.
+1 subscriber 😀
Loving this content!
I work in cyber security and have for over 10 years. This was a great video! I worked in the PCI for a huge portion of my career and dealt with quite a few of these types of attacks.
I wish the example you gave for SQL was THAT simple. Amazon uses hundreds of microservices to process their requests and rely mostly on DynamoDB
God this channel is sick, I loved the editing at 9:07 Made me giggle way more than it should have 🤣
All you need to do to prevent SQL injection is to bind your input variables and not build the query by appending strings. The developers are really ignorant if they allow this.
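The contrast the "Number 0" comment and this one describe, as an added example that is not from the video or any commenter: the same lookup written with string concatenation and with a bound placeholder, run against a constructed in-memory SQLite table (the product table, the crafted input and the apostrophe test are mine; SQL Server's parameter syntax differs only cosmetically).

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the video's product-listing example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("keyboard", 49.0), ("mouse", 19.0), ("monitor", 199.0)],
    )
    return conn


def search_concat(conn, term):
    """Vulnerable form: the caller's term is spliced into the SQL text,
    so the database cannot tell data from code."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """Hardened form: the term is sent as a bound parameter. The SQL text
    is fixed, so the server can also cache one plan for every call."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def concat_breaks_on_apostrophe(conn):
    """Concatenation is not only unsafe but wrong: ordinary data containing
    a quote (a surname, say) turns into a syntax error."""
    try:
        search_concat(conn, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run both forms on a benign term and on a term that carries a quote
    and a tautology; only the concatenated path changes its meaning."""
    conn = make_db()
    benign = "mouse"
    crafted = "x' OR '1'='1"
    return {
        "concat_benign": search_concat(conn, benign),
        "concat_crafted": search_concat(conn, crafted),  # whole table leaks
        "param_benign": search_param(conn, benign),
        "param_crafted": search_param(conn, crafted),    # treated as a literal name
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
    print("concat breaks on O'Brien:", concat_breaks_on_apostrophe(make_db()))
```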
Love this Channel!!
Great video. Keep up the good work
I love the editing style
This was great! Dangerously close to being a cyber security beat poem.
How are your videos so good, yet you only have 17k subs? This shit is god-tier levels of content, I'm not even a coder but this stuff is gripping.
Holy shit this was 8hrs ago and he had 17k? 19.1k now
Extended Stored Procedures run (or at least ran) on the database engine memory space. A badly done one could corrupt the database. No responsible company would use them not only because of the hackers, but because there was no need, they were dangerous and much more complex to write.
Only by reading the documentation of MS SQL Server you were strongly discouraged to use them.
They did that to themselves...
This was a SQL Server 2000 database. Back then, SQL Server did not have many of the admin tools that it has today. XP procs were used to perform many of those tasks. For example to set permissions or change a password.
@alexaneals8194 Worse yet. But I used SQL Server before 2000 when it was still based on Sybase, and both had the grant command. It was inexcusable then as it is inexcusable now. If I earned 2 bucks every time someone said "It can't be done without a cursor" or "It can't be done without an XP" I would be rich now.
Loving these vids
I understood almost none of this, but for some reason the first step strikes me as similar to what happens when you can get infinite items of your choice in Stardew Valley by renaming your character to a special line
I only know a little SQL but I feel like I learned so much from this video!
A sequel is a continuation in a series, not a database querying language; the latter would be pronounced "S-Q-L". This is my cozy hill and I will die on it.
People who call it sequel never read a good book about SQL. Usually the first chapter is about this topic and the origin of SEQUEL. Which is not SQL.
It's pronounced "SQUEEL"
Much like the SQL star wars movies
Keep up the good content!
The more I learn while studying for a computer science degree, the funnier these videos become
Great job on this video
I subbed haha made me laugh many times and was very informative and interesting
Great video! I felt like I was watching a spy movie the whole time!
The amount of explosions in this video is impressive
Bro your videos are freaking hilarious
2:48 i was distracted while this was playing on my headphones and i thought something happened when i heard you read off the list
The eXPlosions were just perfect 😂
I wonder how many such hacks go unnoticed right now at this moment. We only hear about the ones that get caught.
There's hundreds out there, mostly from crap software vendors who hire cheap, inexperienced low knowledge developers.
This is 100% quality content
great detailed video
Cool video, but the initial description about how Amazon works is most probably wrong. You don't usually implement search (especially not Amazon) as a full text search over a table in a relational database. What companies usually do is to use technologies like Apache Solr, Lucene or Elasticsearch, for instance they could use a cronjob to periodically update an Elasticsearch index using data taken from the actual database.
It was just an example using a well-known website, not meant to be taken seriously
@therealjib yeah I know, I just wanted to point that out because some people might get the wrong ideas on how complex search functionalities work.
I love that things randomly explode sometimes
okay, but the one recommendation i don't see is "don't run ancient garbage, especially if it's developed by microsoft". also known as "properly maintain your systems".
6:31 One thing that could have happened during the development of this system: project manager: “What’s taking you so long?” Dev: “Christ, this pyramid of privileges, it’s so complicated.” Project manager: “Just use the sysadmin account for everything and move on!”
Amazon uses DynamoDB for its product catalog which is a NoSQL database, however, you may be able to query it like that. I'm not super familiar with DynamoDB queries compared to SQL.
nah
There goes Bobbski Tablesova making mischief again!
Unbelievably good and funny!
It's crazy how places are allowed to store your data at all, let alone do it badly. Companies that store any amount of data beyond what is required should just be shut down entirely at this point, either that or the owner of the company should be forced to give every single bit of their personal information (including passwords) up to everyone affected, seeing how they love to store other people's sensitive information and all :p
I never thought that I could understand such a complex attack.
Video so good it gave me hope that I too can learn Cyber-Security.
Thanks Kevin! And of course, liked+subbed :)
i've been watching a bunch of your videos in a row and i've learned that it's always active directory's fault
LMAO ur videos r fires n love the references esp the one at 10:04 LFMAOAO
Dude love the video, can you do the Ronin Network breach
i am having trouble figuring out how to realize e2e encryption if your app relies on querying data stored in a nosql database. mongodb has a public beta for achieving this but how are you supposed to secure your app with other nosqls ?
This is such a good video
Big fan of your work. Don’t stop! (Definitely not a bot)
Good video!
Seeing videos like this always makes me wonder: all that time and energy that the hackers have invested, couldn’t they have invested it in a normal job? I mean, it sounds very difficult and they were never sure it was ever going to pay off. In fact, some of them landed in prison.
They can and likely do have normal jobs
that Csgo gun sound on point
How did a security firm deem them compliant when they were using such outdated tech?
Cries in COBOL
Great video