Krebs on Security

Fire Sale on Cards Stolen in Target Breach

February 19, 2014

Last year’s breach at Target Corp. flooded underground markets with millions of stolen credit and debit cards. In the days surrounding the breach disclosure, the cards carried unusually high price tags — in large part because few banks had gotten around to canceling any of them yet. Today, two months after the breach, the number of unsold stolen cards that haven’t been cancelled by issuing banks is rapidly shrinking, forcing the miscreants behind this historic heist to unload huge volumes of cards onto underground markets and at cut-rate prices.

Cards stolen in the Target breach have become much cheaper as more of them come back declined or cancelled by issuing banks.

Earlier today, the underground card shop Rescator[dot]so moved at least 2.8 million cards stolen from U.S.-based shoppers during the Target breach. This chunk of cards, dubbed “Beaver Cage” by Rescator, was the latest of dozens of batches of cards stolen from Target that have gone on sale at the shop since early December.

The Beaver Cage batch of cards have fallen in price by as much as 70 percent compared to those in “Tortuga,” a huge chunk of several million cards stolen from Target that sold for between $26.60 and $44.80 apiece in the days leading up to Dec. 19 — the day that Target acknowledged a breach. Today, those same cards are now retailing for prices ranging from $8 to $28. The oldest batches of cards stolen in the Target breach –i.e., the first batches of stolen cards sold –are at the top of legend in the graphic above; the “newer,” albeit less fresh, batches are at the bottom.

The core reason for the price drop appears to be the falling “valid rate” associated with each batch. Cards in the Tortuga base were advertised as “100 percent valid,” meaning that customers who bought ten cards from the store could expect all 10 to work when they went to use them at retailers to purchase high-priced electronics, gift cards and other items that can be quickly resold for cash.

This latest batch of Beaver Cage cards, however, carries only a 60 percent valid rate, meaning that on average customers can expect at least 4 out of every 10 cards they buy to come back declined or canceled by the issuing bank.

The most previous batch of Beaver Cage cards — pushed out by Rescator on Feb. 6 — included nearly 4 million cards stolen from Target and carried a 65 percent valid rate. Prior to Beaver Cage, the Target cards were code-named “Eagle Claw.” On Jan. 29, Rescator debuted 4 million cards bearing the Eagle Claw name and a 70 percent valid rate. The first two batches of Eagle Claw-branded cards — a chunk of 2 million cards — were released on Jan. 21 with a reported 83 percent valid rate.

Continue reading →

Time to Harden Your Hardware?

February 18, 2014

54 Comments

Most Internet users are familiar with the concept of updating software that resides on their computers. But this past week has seen alerts about an unusual number of vulnerabilities and attacks against some important and ubiquitous hardware devices, from consumer-grade Internet routers, data storage and home automation products to enterprise-class security solutions.

Last week, the SANS Internet Storm Center began publishing data about an ongoing attack from self-propagating malware that infects some home and small-office wireless routers from Linksys. The firewall built into routers can be a useful and hearty first line of protection against online attacks, because its job is to filter out incoming traffic that the user behind the firewall did not initiate. But things get dicier when users enable remote administration capability on these powerful devices, which is where this malware comes in.

The worm — dubbed “The Moon” — bypasses the username and password prompt on affected devices. According to Ars Technica’s Dan Goodin, The Moon has infected close to 1,000 Linksys E1000, E1200 and E2400 routers, although the actual number of hijacked devices worldwide could be higher and is likely to climb. In response, Linksys said the worm affects only those devices that have the Remote Management Access feature enabled, and that Linksys ships these products with that feature turned off by default. The Ars Technica story includes more information about how to tell whether your router may be impacted. Linksys says it’s working on an official fix for the problem, and in the meantime users can block this attack by disabling the router’s remote management feature.

Similarly, it appears that some ASUS routers — and any storage devices attached to them — may be exposed to anyone online without the need of login credentials if users have taken advantage of remote access features built into the routers, according to this Ars piece from Feb. 17. The danger in this case is with Asus router models including RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Enabling any of the (by-default disabled) “AiCloud” options on the devices — such as “Cloud Disk” and “Smart Access” — opens up a potentially messy can of worms. More details on this vulnerability are available at this SecurityFocus writeup.

ASUS reportedly released firmware updates last week to address these bugs. Affected users can find the latest firmware updates and instructions for updating their devices by entering the model name/number of the device here. Alternatively, consider dumping the stock router firmware in favor of something more flexible, less buggy amd most likely more secure (see this section at the end of this post for more details).

YOUR LIGHTSWITCH DOES WHAT?

Belkin WeMo Switch

Outfitting a home or office with home automation tools that let you control and remotely monitor electronics can quickly turn into a fun and addictive (if expensive) hobby. But things get somewhat more interesting when the whole setup is completely exposed to anyone on the Internet. That’s basically what experts at IOActive found is the case with Belkin‘s WeMo family of home automation devices.

According to research released today, multiple vulnerabilities in these WeMo Home Automation tools give malicious hackers the ability to remotely control the devices over the Internet, perform malicious firmware updates, and access an internal home network. From IOActive’s advisory (PDF):

Continue reading →

Yours Truly Profiled in The New York Times

February 17, 2014

82 Comments

Today’s New York Times features a profile of this author — a story titled, “Reporting from the Web’s Underbelly”. The piece, written by The Times’s Silicon Valley reporter Nicole Perlroth, observes:

Mr. Krebs, 41, tries to write pieces that cannot be found elsewhere. His widely read cybersecurity blog, Krebs on Security, covers a particularly dark corner of the Internet: profit-seeking cybercriminals, many based in Eastern Europe, who make billions off pharmaceutical sales, malware, spam, frauds and heists like the recent ones that Mr. Krebs was first to uncover at Adobe, Target and Neiman Marcus….

…Unlike physical crime — a bank robbery, for example, quickly becomes public — online thefts are hushed up by companies that worry the disclosure will inflict more damage than the theft, allowing hackers to raid multiple companies before consumers hear about it.

“There’s a lot going on in this industry that impedes the flow of information,” Mr. Krebs said. “And there’s a lot of money to be made in having intelligence and information about what’s going on in the underworld. It’s big business but most people don’t want to pay for it, which explains why they come to someone like me.”

The New Normal: 200-400 Gbps DDoS Attacks

February 14, 2014

68 Comments

Over the past four years, KrebsOnSecurity has been targeted by countless denial-of-service attacks intended to knock it offline. Earlier this week, KrebsOnSecurity was hit by easily the most massive and intense such attack yet — a nearly 200 Gbps assault leveraging a simple attack method that industry experts say is becoming alarmingly common.

At issue is a seemingly harmless feature built into many Internet servers known as the Network Time Protocol (NTP), which is used to sync the date and time between machines on a network. The problem isn’t with NTP itself, per se, but with certain outdated or hard-coded implementations of it that attackers can use to turn a relatively negligible attack into something much, much bigger. Symantec‘s writeup on this threat from December 2013 explains the problem succinctly:

Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP Address. In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic.

Matthew Prince, the CEO of Cloudflare — a company that helps Web sites stay online in the face of huge DDoS attacks — blogged Thursday about a nearly 400 Gbps attack that recently hit one of the company’s customers and leveraged NTP amplification. Prince said that while Cloudflare “generally [was] able to mitigate the attack, it was large enough that it caused network congestion in parts of Europe.”

“Monday’s DDoS proved these attacks aren’t just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks,” Prince wrote. “On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare’s network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. An attacker with a 1 Gbps connection can theoretically generate more than 200Gbps of DDoS traffic.” Continue reading →

Email Attack on Vendor Set Up Breach at Target

February 12, 2014

265 Comments

The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.

Last week, KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa. Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.

Two of those sources said the malware in question was Citadel — a password-stealing bot program that is a derivative of the ZeuS banking trojan — but that information could not be confirmed. Through a PR firm, Fazio declined to answer direct questions for this story, and Target has declined to comment, citing an active investigation.

In a statement (PDF) issued last week, Fazio said it was “the victim of a sophisticated cyber attack operation,” and further that “our IT system and security measures are in full compliance with industry practices.”

There is no question that, like Target, Fazio Mechanical was the victim of cybercrime. But investigators close to the case took issue with Fazio’s claim that it was in full compliance with industry practices, and offered another explanation of why it took the Fazio so long to detect the email malware infection: The company’s primary method of detecting malicious software on its internal systems was the free version of Malwarebytes Anti-Malware.

To be clear, Malwarebytes Anti-Malware (MBAM) free is quite good at what it’s designed to do – scan for and eliminate threats from host machines. However, there are two problems with an organization relying solely on the free version of MBAM for anti-malware protection: Firstly, the free version is an on-demand scanner that does not offer real-time protection against threats (the Pro version of MBAM does include a real-time protection component). Secondly, the free version is made explicitly for individual users and its license prohibits corporate use.

Fazio’s statement also clarified that its data connection to Target was exclusively for electronic billing, contract submission and project management. The company did not specify which component(s) of Target’s online operations that Fazio accessed externally, but a former employee at Target said nearly all Target contractors access an external billing system called Ariba, as well as a Target project management and contract submissions portal called Partners Online. The source said Fazio also would have had access to Target’s Property Development Zone portal.

According to a former member of Target’s security team who asked not to be identified, when a work order for an external vendor is created, the payment is collected through the Ariba system: Vendors log into Ariba, complete the necessary steps to close out the work order and they are later paid. But how would the attackers have moved from Target’s external billing system into an internal portion of the network occupied by point-of-sale devices? The former Target network expert has a theory:

“I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application,” the source said. “Most, if not almost all, internal applications at Target used Active Directory (AD) credentials and I’m sure the Ariba system was no exception. I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the sever had access to the rest of the corporate network in some form or another.”

Last week’s story about Fazio’s role in the attack on Target mentioned that Target could be facing steep fines if it was discovered that the company was not in compliance with payment card industry (PCI) security standards. Among those is a requirement that merchants incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties.

Another source who managed Target vendors for a number of years until quite recently said that only “in rare cases” would Target have required a vendor to use a one-time token or other two-factor authentication approach.

“Only the vendors in the highest security group — those required to directly access confidential information — would be given a token, and instructions on how to access that portion of the network,” the source said, speaking on condition of anonymity. “Target would have paid very little attention to vendors like Fazio, and I would be surprised if there was ever even a basic security assessment done of those types of vendors by Target.”

But according to Avivah Litan, a fraud analyst at Gartner, Target wouldn’t have needed to require vendors to use two-factor logins if the company believed it had taken steps to isolate the vendor portals from its payment network.

“In fairness to Target, if they thought their network was properly segmented, they wouldn’t have needed to have two-factor access for everyone,” Litan said. “But if someone got in there and somehow escalated their Active Directory privileges like you described, that might have [bridged] that segmentation.”

OPEN-SOURCE INTEL

Many readers have questioned why the attackers would have picked on an HVAC firm as a conduit for hacking Target. The answer is that they probably didn’t, at least at first. Many of these email malware attacks start with shotgun attacks that blast out email far and wide; only after the attackers have had time to comb through the victim list for interesting targets do they begin to separate the wheat from the chaff.

But Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing Web properties that do not require a login. Indeed, many of these documents would be a potential gold mine of information for an attacker.

Continue reading →

Security Updates for Shockwave, Windows

February 11, 2014

31 Comments

Adobe and Microsoft today each issued patches to fix critical security flaws in their software. Microsoft’s February Patch Tuesday includes seven patch bundles addressing at least 31 vulnerabilities in Windows and related software. Adobe pushed out an update that fixes two critical bugs in its Shockwave Player.

More than half of the updates issued by Microsoft today earned a “critical” rating — Microsoft’s most dire. That rating is assigned to vulnerabilities that can be exploited by malware or malcontents to take complete, remote control over vulnerable systems — with no help from users.

Microsoft is urging Windows users to apply all of the available fixes, but for those who need to prioritize patches (organizations that typically test patches before deploying them enterprise-wide), Redmond places a special focus on MS14-007, a graphics vulnerability in Windows 7/8/8.1 and Windows Server 2007, 2012 and Windows RT.

The cumulative, critical security update for all versions of Internet Explorer (MS14-010) fixes two dozen vulnerabilities, including one that Microsoft says has already been publicly disclosed. The other patch that Microsoft specifically called out — MS14-011 — addresses a vulnerability in VBScript that could cause problems for IE users.

Microsoft also once again is encouraging Windows users who haven’t already done so to consider installing and using its Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help to significantly beef up the security of third-party applications that run on top of Windows. I would second their recommendation, and have reviewed EMET 4.0 here. The latest version — 4.1 — is available at this link and requires Microsoft’s .NET Framework 4 platform.

Continue reading →

Florida Targets High-Dollar Bitcoin Exchangers

February 7, 2014

131 Comments

State authorities in Florida on Thursday announced criminal charges targeting three men who allegedly ran illegal businesses moving large amounts of cash in and out of the Bitcoin virtual currency. Experts say this is likely the first case in which Bitcoin vendors have been prosecuted under state anti-money laundering laws, and that prosecutions like these could shut down one of the last remaining avenues for purchasing Bitcoins anonymously.

Working in conjunction with the Miami Beach Police Department and the Miami-Dade State Attorney’s office, undercover officers and agents from the U.S. Secret Service’s Miami Electronic Crimes Task Force contacted several individuals who were facilitating high-dollar transactions via localbitcoins.com, a site that helps match buyers and sellers of the virtual currency so that transactions can be completed face-to-face.

One of those contacted was a localbitcoins.com user nicknamed “Michelhack.” According to this user’s profile, Michelhack has at least 100 confirmed trades in the past six months involving more than 150 Bitcoins (more than $110,000 in today’s value), and a 99 percent positive “feedback” score on the marketplace. The undercover agent and Michelhack allegedly arranged a face-to-face meeting and exchanged a single Bitcoin for $1,000, a price that investigators say included an almost 17 percent conversion fee.

According to court documents, the agent told Michelhack that he wanted to use the Bitcoins to purchase stolen credit cards online. After that trust-building transaction, Michelhack allegedly agreed to handle a much larger deal: Converting $30,000 in cash into Bitcoins.

Investigators had little trouble tying that Michelhack identity to 30-year-old Michell Abner Espinoza of Miami Beach. Espinoza was arrested yesterday when he met with undercover investigators to finalize the transaction. Espinoza is charged with felony violations of Florida’s law against unlicensed money transmitters — which prohibits “currency or payment instruments exceeding $300 but less than $20,000 in any 12-month period” — and Florida’s anti-money laundering statutes, which prohibit the trade or business in currency of more than $10,000.

Police also conducted a search warrant on his residence with an order to seize computer systems and digital media. Also arrested Thursday and charged with violating both Florida laws is Pascal Reid, 29, a Canadian citizen who was living in Miramar, Fla. Allegedly operating as proy33 on localbitcoins.com, Reid was arrested while meeting with an undercover agent to finalize a deal to sell $30,000 worth of Bitcoins.

Documents obtained from the Florida state court system show that investigators believe Reid had 403 Bitcoins in his on-phone Bitcoin wallet alone — which at the time was the equivalent of approximately USD $316,000. Those same documents show that the undercover agent told Reid he wanted to use the Bitcoins to buy credit cards stolen in the Target breach.

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley and keen follower of Bitcoin-related news, said he is unaware of another case in which state law has been used against a Bitcoin vendor. According to Weaver, the Florida case is significant because localbitcoins.com is among the last remaining places that Americans can use to purchase Bitcoins anonymously.

“The biggest problem that Bitcoin faces is actually self-imposed, because it’s always hard to buy Bitcoins,” Weaver said. “The reason is that Bitcoin transactions are irreversible, and therefore any purchase of Bitcoins must be made with something irreversible — namely cash. And that means you either have to wait several days for the wire transfer or bank transfer to go through, or if you want to buy them quickly you pay with cash through a site like localbitcoins.com.” Continue reading →

Target Hackers Broke in Via HVAC Company

February 5, 2014

268 Comments

Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.

Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.

Fazio president Ross Fazio confirmed that the U.S. Secret Service visited his company’s offices in connection with the Target investigation, but said he was not present when the visit occurred. Fazio Vice President Daniel Mitsch declined to answer questions about the visit. According to the company’s homepage, Fazio Mechanical also has done refrigeration and HVAC projects for specific Trader Joe’s, Whole Foods and BJ’s Wholesale Club locations in Pennsylvania, Maryland, Ohio, Virginia and West Virginia.

Target spokeswoman Molly Snyder said the company had no additional information to share, citing a “very active and ongoing investigation.”

It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”

Continue reading →

Adobe Pushes Fix for Flash Zero-Day Attack

February 4, 2014

49 Comments

Adobe Systems Inc. is urging users of its Flash Player software to upgrade to a newer version released today. The company warns that an exploit targeting a previously unknown and critical Flash security vulnerability exists in the wild, and that this flaw allows attackers to take complete control over affected systems.

The latest versions that include the fix for this flaw (CVE-2014-0497) are listed by operating system in the chart below.

The Flash update brings the media player to version 12.0.0.44 for a majority of users on Windows and Mac OS X. This link will tell you which version of Flash your browser has installed. IE10/IE11 and Chrome should auto-update their versions of Flash to v. 12.0.0.44. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is 32.0.1700.107 for Windows, Mac, and Linux (to learn what version of Chrome you have, click the stacked bars to the right at of the address bar, and select “About Google Chrome” from the drop down menu).

Continue reading →

These Guys Battled BlackPOS at a Retailer

February 4, 2014

149 Comments

Ever since news broke that thieves stole more than 40 million debit and credit card accounts from Target using a strain of Point-Of-Sale malware known as BlackPOS, much speculation has swirled around unanswered questions, such as how this malware was introduced into the network, and what mechanisms were used to infect thousands of Target’s cash registers.

Recently, I spoke at length with Tom Arnold and Paul Guthrie, co-founders of PSC, a security firm that consults for businesses on payment security and compliance. In early 2013, these two experts worked directly on a retail data breach that involved a version of BlackPOS. They agreed to talk about their knowledge of this malware, and how the attackers worked to defeat the security of the retail client (not named in this story).

While some of this discussion may be geektacular at times (what I affectionately like to call “Geek Factor 5”), there’s something in here for everyone. Their observations about the methods and approaches used in this attack point to an adversary that is skilled, organized, patient and thorough.

So you first saw BlackPOS at a retailer in early January 2013?

Tom: Yes, it did seem like a game changer at that point because of the way it hooked into the POS system. By that I mean the fact that it hooks into the POS process, and it’s not just a general memory scraper like some people have stated.

Help me understand the distinction between a memory scraper and malware that runs completely in memory?

Tom: Well, it’s very specific. It’s what’s called an inter-process communications hook. If you look at a memory scraper — so if you were to dump the memory on your laptop right now — you would get this big old blob of information and you would have to filter through it to find what you’re looking for. But this [malware] is very specific: It’s very much designed for the POS system it’s running on, because it knows exactly where to hook and where the memory location is going to be when the data it’s looking for is flowing through it. But if you look at what it captures, it captures only the track data [information stored on the magnetic strip on the backs of cards]. So, it’s actually very, very sophisticated and that’s why I think this isn’t just a teenage hacker who put this together in his basement. I think this is a more sophisticated development effort. [HP last week published some interesting, uber-geeky details about the memory behavior of the version of BlackPOS found at Target].

Paul: It certainly hooks into a specific process, but we did not figure out if it was just good at scraping the memory of that process, or whether it actually altered the process to hook into the code somehow. That part of the code was obfuscated and not reviewed during the engagement.

What did you think of the iSight paper?

Tom: The iSight paper was good, and what it described was very similar to what we saw in the first variants of BlackPOS. But it didn’t talk about how it appeared on the network or where it came from or how a retailer might defend themselves against it.

In your prior experience with BlackPOS, has it been used against the same POS that Target uses? A source who seemed to have a clue told me that their setup was somewhat homegrown.

Tom: That I don’t know. I haven’t really looked at what Target uses. With a homegrown system, the problem is if you’re going to build a process hook, you have to have a test environment, you have to know what you’re looking at and what memory addresses to go after, and that’s not exactly something that gets published.

Paul: Target has a homegrown POS.

So you think it’s likely they were using some off-the-shelf equipment and software? Wouldn’t it be enough for the attackers in this case to have obtained a physical point of sale device that was once used at Target?

Tom: If they have one, sure, that would be different. I don’t know if they’re using a commercial product. A lot of the big retailers use commercial products and will customize those with their back end system. But at the front end and what happens at front of the house…a lot of those are just retail off-the-shelf applications. A lot of those retailers, when you have a hard disk that breaks on one of the [checkout] lanes, they’ve got an outsourced service provider of that POS that comes out there with a new hard disk and fixes it.

How do the bad guys break in, and how do they actually get the malware pushed out to the point-of-sale?

Tom: A lot of the POS systems use whitelisting software of some kind, such as Bit9 or SolidCore. Those two companies are the two you see most out there in the industry.

Paul: It could also come in through the point-of-sale application update process.

By whitelisting, you mean sort of the opposite approach of antivirus, right? As in, if the file or program isn’t approved by the whitelisting software, it simply won’t run on the system?

Tom: The software update processes at a point-of-sale that is running one of those [whitelisting applications] has to come through one of the software update channels and has to be reviewed for the update and approved. And when it’s approved, the whitelisting software says okay this patch is approved to come online.

It’s probably a good idea at this point to make sure we’re defining the terminology in a uniform way. When you think of point-of-sale device, are you talking about the cash register, or the card swipe terminal, or…

Tom: I’m using point-of-sale to mean the payment application that is running on the cash register. The vast majority of those devices, when you check out at the grocery store or large retailer, those are just PCs, and yes they’re mostly running Windows XP or WEPOS as their operating system. But above that, you have what I call the point-of-sale, or the point-of-sale application, and that’s the stuff that the cashier is interfacing with at the time you’re checking out. It’s a software application, running as multiple pieces of software inside the register itself. And whitelisting is put on to protect the register from any sort of unsolicited modification. A lot of the attacks before this [whitelisting became more broadly used] involved where you corrupt a sales clerk to put a USB stick in the cash register and infect the PC with some malware. But by using a whitelisting software, the USB stick will not work and the operations personnel back in the head office will get notified that something isn’t right with that register.

If they get past a whitelisting system, doesn’t that suggest that someone on the inside would have to be involved?

Tom: No, not really. You have to also consider the distribution server that distributes the point-of-sale software.

Paul: Right… three possible ways… it could come through a legitimate update channel, or the retailer was lax in their update procedures, or the attackers hacked the console of the whitelisting software and just whitelisted it themselves.

Continue reading →

Last »