Saturday, January 18, 2014

Target Malware Attack: Are you at risk?

It's recently been made known that the Target security breach was at least partially caused by malware installed on their POS systems. There are already a number of good technical explanations of how these work, so I won't add to that. I'd rather discuss whether your business is at risk. Most of the content from this post comes from an email I sent my manager on the subject.

What the malware does

When a POS system reads a card, the data travels along a path like this:

Physical credit card -> Credit card reader -> USB Port -> RAM -> Application -> Encryption -> Hard disk or network

The data may move back and forth between the application and RAM a few times as it is processed, but the most vulnerable point in the path is while the card data sits in RAM in the clear: the reader hands the magnetic-stripe track data to the application as plain text, and the application only encrypts it when it writes it to disk or sends it over the network. So for at least a short time the unencrypted track data sits in the POS application's memory, and that is where the trojan (a "memory scraper") takes it from, by reading the application's process memory and searching it for strings that look like track data.

Once the trojan has the data, it saves it locally in a file disguised as a DLL, then waits for a time when most stores (and consequently their networks) will be busy before sending the data over NetBIOS/SMB to an internal control server (which is how the data gets out of a POS that has no internet connection of its own). That internal server can then forward the data to a server on the internet. There isn't a ton I could find on this last step, but it would probably look like other data exfiltration.

Why Target was vulnerable

Apparently the attackers were able to get this malware onto a large number of POS systems at Target and scrape card data through the busiest time of the year (Black Friday onward). Every customer who comes through Target has to pay somehow, and a lot of them use credit cards, so the high rate of customers through each POS system meant that a single compromised register would see a lot of individuals' information.

Until now POS systems have not gotten much public attention as something that needs securing, which probably means they are running old operating systems (I've personally seen a lot of XP) and don't get patched frequently. That may have made it easy to infect large numbers of POS systems very quickly.

How can I stay safe?

If you have an IT department capable of network segmentation, put your POS machines on a segment by themselves and watch for any traffic coming out of them that you don't expect, such as ICMP, or NetBIOS/SMB connections to hosts other than your sales server. Also lock down the ports they are allowed to communicate on. Obviously they need to get Windows updates and communicate with a server to send sale data, but you should know every host and port they talk to and block anything you don't understand.
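As an added example (not part of the original post), here is the egress rule from the paragraph above expressed as a checker that runs over flow records from the POS segment: anything not on an explicit allowlist becomes a finding, and ICMP, NetBIOS/SMB to another internal host, and FTP to the outside (the shapes the exfiltration step described earlier takes) are called out by name. The subnets, server addresses, the WSUS port and the flow-record format are all assumptions made up for the example.

```python
import ipaddress
from collections import namedtuple

# Assumed addressing for the example: registers live on their own segment
# and may only reach three internal services. Everything else is a finding.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate range
ALLOWED_EGRESS = [
    # (destination, protocol, destination port, purpose)
    (ipaddress.ip_network("10.10.5.10/32"), "tcp", 443,  "sales/transaction server"),
    (ipaddress.ip_network("10.10.5.20/32"), "tcp", 8530, "WSUS for Windows updates (assumed port)"),
    (ipaddress.ip_network("10.10.5.53/32"), "udp", 53,   "internal DNS"),
]
# Ports worth naming in a finding because they match known exfiltration paths:
# NetBIOS/SMB staging to an internal host, FTP straight to the internet.
SUSPECT_PORTS = {139: "NetBIOS session", 445: "SMB", 21: "FTP"}

Flow = namedtuple("Flow", "src dst proto dport")


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed 'src dst proto dport' format ('-' = no port)."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), None if dport == "-" else int(dport))


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def is_allowed(flow: Flow) -> bool:
    """True only for an exact (destination, protocol, port) the allowlist names."""
    return any(flow.dst in net and flow.proto == proto and flow.dport == port
               for net, proto, port, _purpose in ALLOWED_EGRESS)


def audit_egress(lines) -> list:
    """Return (record, reason) for every flow leaving the POS segment that is not allowed."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow.src not in POS_SEGMENT:
            continue                      # only police traffic originating from registers
        if flow.proto == "icmp":
            findings.append((line, "ICMP from a POS host"))
        elif not is_allowed(flow):
            where = "internal host" if is_internal(flow.dst) else "internet host"
            what = SUSPECT_PORTS.get(flow.dport, f"port {flow.dport}")
            findings.append((line, f"{what} to non-allowlisted {where}"))
    return findings


# Constructed flow records: three legitimate flows, three that should fire,
# and one inbound flow the checker deliberately ignores.
SAMPLE_FLOWS = [
    "10.20.0.7 10.10.5.10 tcp 443",      # sale upload, allowed
    "10.20.0.7 10.10.5.20 tcp 8530",     # Windows updates via WSUS, allowed
    "10.20.0.7 10.10.5.53 udp 53",       # DNS, allowed
    "10.20.0.9 10.20.0.250 tcp 445",     # SMB to another internal box: staging pattern
    "10.20.0.9 203.0.113.45 tcp 21",     # FTP straight to the internet
    "10.20.0.12 10.10.5.10 icmp -",      # a register pinging the server
    "10.10.5.10 10.20.0.7 tcp 49152",    # traffic into the segment, not policed here
]

if __name__ == "__main__":
    for record, reason in audit_egress(SAMPLE_FLOWS):
        print(f"{reason}: {record}")
```

The same allowlist is what you would put in the firewall rules for the segment; running it as a checker over flow logs first tells you which "don't understand" traffic already exists before you start blocking it, and afterwards it is your alarm for a register that starts talking to something new.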

If you don't have an IT department capable of doing this, at least make sure you patch your POS machines frequently and run antivirus and malware detection on them. If you buy your POS machines from a vendor who handles patching, make sure the vendor is actually patching them and keeping them up to date.