The federal indictment this week of three men for their roles in the largest data security breach in U.S. history also serves as an indictment of sorts of the fraud conducted by PCI: placing the burden of security costs onto retailers and card processors when what is really needed is the payment card industry investing in a secure business process.
A federal grand jury has indicted Albert Gonzalez of Miami and two as-yet-unnamed Russian hackers for their alleged roles in the theft of data on 130 million credit and debit cards from Heartland Payment Systems Inc. and Hannaford Brothers Co., on top of the 40 million credit cards grabbed from TJX.
SQL Injection still a major problem:
Three indicted for Hannaford, Heartland data breaches: A grand jury has charged three men for their role in stealing more than 130 million credit and debit cards from Heartland Payment Systems and several other companies.
The indictment makes for good reading, with references to SQL injection, distributed data collection servers, QA against major AV products and temporary messaging accounts to elude detection.
The hackers personally surveyed point-of-sale systems in retail outlets for vulnerabilities. This simple act takes advantage of perhaps the greatest weakness in PCI: the prohibitive expense of securing remote sites with old solutions. Mature technology is available that encrypts credit card data at the initial swipe and keeps it secure all the way through processing. Any retail business, especially cash-constrained SMBs, should be using this technology on its POS devices, and PCI should be mandating it.
The hackers chose SQL injection as their attack of choice, using it heavily to siphon credit card data out of unsuspecting networks. The leverage for a hacker is incredible: just a handful of malware writers were able to steal sensitive information on approximately 130 million cards (an average of about one for every other person in the U.S.). According to IBM and WhiteHat, SQL injection is still one of the leading attack vectors on the Internet. IT should conduct an all-out assault on SQL injection, starting with secure software development practices for production software.
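The secure development practice the column calls for comes down to one rule: never let user input become part of the SQL text. The following is an added illustration, not code from the column or from any of the companies named in it. It builds a constructed in-memory SQLite table (the merchant IDs and card numbers are made-up test values) and runs the same lookup two ways: once with string concatenation, which lets a quote-bearing input rewrite the query, and once with a bound parameter, which treats the same input as a plain value and returns nothing.

```python
import sqlite3

# Constructed sample data standing in for a POS back-end table; not real cards.
SAMPLE_ROWS = [
    ("M001", "4111111111111111"),
    ("M002", "5500000000000004"),
]

# A test input that contains a quote and a tautology. In the vulnerable query it
# alters the WHERE clause; in the parameterized query it is just an odd string.
TAINTED_INPUT = "x' OR '1'='1"


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (merchant_id TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, merchant_id):
    """Defective pattern: input spliced into the SQL text.

    Because the input is part of the statement, characters in it can change the
    structure of the query rather than merely supply a value to compare.
    """
    sql = "SELECT pan FROM cards WHERE merchant_id = '" + merchant_id + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, merchant_id):
    """Hardened pattern: fixed SQL text, value bound by the driver.

    The statement never changes; the driver passes the value separately, so the
    database compares merchant_id against the literal string, quote and all.
    """
    sql = "SELECT pan FROM cards WHERE merchant_id = ?"
    return sorted(row[0] for row in conn.execute(sql, (merchant_id,)))


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup with tainted input:", lookup_vulnerable(db, TAINTED_INPUT))
    print("parameterized lookup with tainted input:", lookup_parameterized(db, TAINTED_INPUT))
    print("parameterized lookup with a real merchant:", lookup_parameterized(db, "M001"))
```

The vulnerable function returns every card in the table for the tainted input; the parameterized one returns an empty list for it and still works normally for a legitimate merchant ID. The lesson generalizes to any driver or ORM: a code review that searches for string concatenation or formatting into SQL text finds the defect class this indictment is built on.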
The hackers ran their malware through 20 AV products to test detection avoidance. AV is very good at stopping known, mass-distributed attacks, but much weaker at catching low-profile, custom-built ones. Effective security should augment AV filters with technology that gives the organization control over the unique aspects of its server and endpoint configurations. IT has choices here: application whitelisting on locked-down servers prevents execution of unauthorized software, thin clients prevent attacks from persisting at endpoints, virtual desktops and servers give IT control over endpoint configurations, and automated patching systems close windows of vulnerability. PCI should be more assertive in recognizing that signature-based schemes and reputation services will not catch the low-volume activity that is the trademark of malware designed to steal information.
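The difference between a signature blocklist and application whitelisting is easiest to see side by side. The following is an added example, not code from the column or from any product it mentions. It uses constructed byte strings in place of real binaries and SHA-256 digests as the "signature": a blocklist of known-bad hashes is defeated by a trivially modified sample (exactly what testing against 20 AV products produces), while an allowlist of approved hashes denies anything it has not seen, with no knowledge of the malware at all.

```python
import hashlib

# Constructed stand-ins for executables; no real software is represented.
APPROVED_POS_AGENT = b"#!/bin/sh\necho approved-pos-agent\n"
KNOWN_BAD_SAMPLE = b"#!/bin/sh\necho known-bad-sample\n"
# A "designer" variant: the known sample with one byte of padding appended,
# so its hash no longer matches any signature.
MODIFIED_VARIANT = KNOWN_BAD_SAMPLE + b"\n"


def sha256_hex(data: bytes) -> str:
    """Return the hex SHA-256 digest used as the identity of a file."""
    return hashlib.sha256(data).hexdigest()


# Signature-based control: a set of hashes of samples already known to be bad.
KNOWN_BAD_HASHES = {sha256_hex(KNOWN_BAD_SAMPLE)}

# Whitelisting control: a set of hashes of the only binaries approved to run.
APPROVED_HASHES = {sha256_hex(APPROVED_POS_AGENT)}


def blocklist_permits(file_bytes: bytes, known_bad=KNOWN_BAD_HASHES) -> bool:
    """Signature model: run anything that is not a known-bad hash."""
    return sha256_hex(file_bytes) not in known_bad


def allowlist_permits(file_bytes: bytes, approved=APPROVED_HASHES) -> bool:
    """Whitelist model: run only what has been explicitly approved."""
    return sha256_hex(file_bytes) in approved


def evaluate(file_bytes: bytes) -> dict:
    """Report what each control would decide for one candidate executable."""
    return {
        "blocklist_permits": blocklist_permits(file_bytes),
        "allowlist_permits": allowlist_permits(file_bytes),
    }


if __name__ == "__main__":
    for name, sample in [
        ("approved POS agent", APPROVED_POS_AGENT),
        ("known bad sample", KNOWN_BAD_SAMPLE),
        ("modified variant", MODIFIED_VARIANT),
    ]:
        print(f"{name:20s} {evaluate(sample)}")
```

The known sample is stopped by both controls. The modified variant slips past the blocklist, which is the outcome the attackers tested for, but is still denied by the allowlist because it was never approved. Real whitelisting products use signed publishers or path rules in addition to hashes, but the decision logic is the same: unknown means denied.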
The hackers were not caught by corporate security but by the detection of fraudulent use of the stolen credit and debit cards. Once the attacks had defeated the security architecture, they ran undiscovered for years. IT should rotate security consultancies when conducting security assessments, to get the benefit of different viewpoints and processes and to reduce the risk of blind spots in the security profile. Organizations with sensitive data may also want to proactively use search engines to look outside the security infrastructure for examples of leaked data that warrant a security investigation. Finally, an effective log management program can help with post-attack analysis and help ensure that history does not repeat itself. It would be nice if PCI could have protected 7-Eleven and others from the same attack technique that befell TJX years earlier.
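A log management program only pays off if someone actually queries the logs for the attack technique in question. As an added example (not code or data from the column), the following parses a few constructed web-server access-log lines in Common Log Format, URL-decodes each request path, and flags the entries whose query strings carry SQL injection indicators. The IP addresses, timestamps and paths are made up; the indicator patterns are the generic ones (a quote followed by OR/AND, UNION SELECT, SQL comment sequences) that a retrospective review of years of logs would search for.

```python
import re
from urllib.parse import unquote

# Constructed sample access log; not real traffic from any company.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2009:12:00:01 -0400] "GET /store/item?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [10/Aug/2009:12:00:07 -0400] "GET /store/item?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98211
10.0.0.9 - - [10/Aug/2009:12:00:09 -0400] "GET /store/item?id=1%20UNION%20SELECT%20pan%20FROM%20cards HTTP/1.1" 500 0
10.0.0.7 - - [10/Aug/2009:12:01:30 -0400] "POST /login HTTP/1.1" 302 0
"""

# Common Log Format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Generic SQL injection indicators, matched against the URL-decoded path.
SQLI_RE = re.compile(r"'\s*(or|and)\s+|union\s+select|/\*|--\s", re.IGNORECASE)


def parse_line(line: str):
    """Return a dict of the log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    fields["size"] = int(fields["size"])
    # Decode percent-encoding so encoded quotes and spaces are visible.
    fields["decoded_path"] = unquote(fields["path"])
    return fields


def flag_sqli(log_text: str):
    """Return (ip, decoded_path, status) for every request matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and SQLI_RE.search(entry["decoded_path"]):
            hits.append((entry["ip"], entry["decoded_path"], entry["status"]))
    return hits


def suspicious_sources(log_text: str):
    """Distinct client addresses with at least one flagged request."""
    return sorted({ip for ip, _, _ in flag_sqli(log_text)})


if __name__ == "__main__":
    for hit in flag_sqli(SAMPLE_LOG):
        print("FLAGGED", hit)
    print("sources to investigate:", suspicious_sources(SAMPLE_LOG))
```

Two of the four constructed lines are flagged, both from the same client, and one of them returned a 200 with an unusually large response, which is the kind of detail a post-attack review uses to estimate what was exposed. Decoding before matching matters: the indicators in the second line are invisible in the raw, percent-encoded path.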
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.