August 15, 2014 DATA BREACHES

The Supervalu Data Breach

And again, another story about a POS compromised and CC data stolen.  One has to wonder just how many more are out there, that we’ll never hear about.

We always knew that POS were vulnerable and inherently weak.  It was merely a matter of time before this issue exploded.  Honestly?  At this point, it’s much safe to infer that no POS is really safe.  This begs the question – how are hackers able to infect these systems?

I’m imagining being at a store, waiting in the checkout line.  The POS is a MS Windows system, but it only runs the POS application; usually nothing else is to be done on it.  No email, no web access.  So, theoretically, no malware should be downloaded on that machine. And yet, that is often precisely the case.

The Dexter Trojan, for example, parses memory dumps for specific POS software, looking for Track 1 and Track 2 CC data, meaning the Trojan must be installed on the POS.   What’s going on in those networks that allows hackers to install malware on a POS?  When you investigate these situations, you usually end up finding some sort of weak access protection somewhere on the network, i.e., things like remote desktop access open to the internet.  This allows access to another computer on the network and, from hereon, hackers can push the malware to the POS.

Another possibility is open wireless access which isn’t properly segregated from the POS network.

Although PCI DSS clearly specifies the criteria to be followed when setting up a wireless network within a retail store, and distinguishes between “in scope” and “out of scope” (out of scope meaning that there’s absolutely no link between the POS network and the wireless network), I can only surmise from all these attacks that such criteria isn’t always adhered to.

Malware writers are very inventive in the way they distribute their code but not all hope is lost.  There are ways to keep them out.

Companies must think in very strict security terms at all times and by this, I don’t mean just installing an AV on the POS.  Opening up RDP to the internet for example, exposes your MS accounts to a hacker, who has all the time and tools he needs to find your weakest password and get in.  Once he’s in, there’s absolutely no telling what damage he can cause.  He doesn’t even need to compromise the POS themselves; a variant of Dexter called Stardust will “sniff” CC data in a network, without the need to be installed on the POS.

The real way to protect a POS is to ensure that the POS network is truly separated from the rest of the network, in every physical and logical way possible.

Failing which, any computer within the network of a company, in the event it becomes compromised, can become a great danger to the entire network and allow the deployment of POS Trojans.