Questions remain about how an attacker managed to place malware onto servers at all of Hannaford's nearly 300 grocery stores. But one researcher who has studied information exchange software warns about messaging system misconfiguration issues that could lead to the type of breach experienced by Hannaford.
IBM's WebSphere MQ enables companies to exchange information across IBM and non-IBM platforms. It connects disparate systems, allowing credit card transactions and other sensitive information to flow between systems and applications.
Hannaford installed WebSphere MQ as part of a server consolidation project and strategy to connect its systems in a service-oriented architecture.
"Messaging systems are a complex product," said John Yeo, a security consultant with UK-based Information Risk Management. "If the traffic is unencrypted, the underlying layer is essentially unencrypted network traffic susceptible to network attacks."
It's unclear whether misconfiguration issues contributed to Hannaford's massive breach. Hannaford announced that an intruder is to blame for planting malware programs on servers running its supermarkets. The malicious software ran in stealth mode and was responsible for the theft of up to 4.2 million credit and debit card numbers from the grocer's systems.
Companies are turning to these complex products as Web services are introduced into their environments as part of service-oriented architecture projects. In addition to WebSphere MQ, Microsoft Message Queuing (MSMQ) and Sonic MQ, from Bedford, Mass.-based Progress Software Corporation, provide the same features.
"I don't think the products can be blamed," Yeo said. "If you have demanding requirements from business units that need complex products, you have to be careful how they are deployed in the enterprise environment."
Application design flaws and poor encryption technologies could contribute to traffic being exposed, Yeo said in an Information Risk Management research report, "WebSphere MQ Threats". An attacker can deploy traffic sniffing tools to read sensitive data and transaction details.
In some cases, misconfiguration could allow an attacker to read and write messages on message queues and eventually find a way into the company's servers.
Some experts are calling the Hannaford breach an inside job. Graham Cluley, a senior technology consultant for UK-based security firm Sophos, said the malware seems as though it was written either to specifically target Hannaford or to target the commerce system that Hannaford had deployed.
Chris Andrew, vice president of security technology at Lumension Security in Scottsdale, Ariz., told SearchSecurity.com that a common problem is that a company falls behind in its patch deployments, leading to misconfiguration issues and vulnerabilities that can be exploited by an attacker to gain access to critical systems.