
Misconfiguration issues could have contributed to Hannaford breach

By Robert Westervelt, News Editor
19 Mar 2008 | SearchSecurity.com


The fallout over the data breach at Hannaford Bros. continued Wednesday, as Massachusetts officials suggested the supermarket chain was too slow in disclosing the incident and one of the retailer's security vendors went on the defensive.

Officials suggested in published reports that under state law, Hannaford should have notified the Massachusetts Office of Consumer Affairs and Business Regulation as soon as the company became aware of the breach. As of Wednesday afternoon, the consumer affairs office had yet to receive the official notification. The law took effect last year in the wake of the massive data breach at Framingham, Mass.-based TJX Companies Inc.

The Maine-based supermarket chain revealed Tuesday that it first detected something amiss three weeks ago but that it stalled its disclosure until it could gather more information for customers. In any event, The Boston Globe reported, Hannaford may not have been bound by the law because only credit and debit card numbers were compromised, not personally identifiable information such as Social Security numbers, names, addresses and account numbers.

Meanwhile, Hannaford's network security vendor, Boston-based Rapid7, has come under fire from the Attrition.org website for its apparent attempt to wipe all mention of Hannaford from its site, even though the company made plenty of public relations hay out of the relationship when it first secured Hannaford as a customer.

In a phone conversation Tuesday, David Precopio, vice president of marketing and business development at Rapid7, said the breach would not have been picked up by its scanning appliance, NeXpose. Hannaford installed the network scanner in 2006.

"We were 100% assured today that our system had nothing to do with the breach or anything that NeXpose could have scanned," he said. "This wasn't an issue with scanning performance."

Precopio said Hannaford renewed its support license two weeks ago. The NeXpose scanner scans all network systems, from laptops to databases.

"The Hannaford case was something outside the reach of what our product would scan for," Precopio said, adding that the scanner doesn't monitor Internet traffic handled by an ISP or other services that may have been VPNed in. A network configuration issue also would be overlooked, he said. To cover those security gaps, companies should turn to gap analysis tools or penetration testing, he said.

"This demonstrates that there are a lot more targeted attacks out there and the targeted attacks have a high monetary risk," Precopio said.

Investigators could also be looking at WebSphere MQ, which is used as a network-messaging carrier for sensitive applications such as ATM and credit card transactions. Hannaford installed WebSphere MQ as part of a server consolidation project and strategy to connect its systems in a service-oriented architecture. But recently security researchers have been looking at the implementation complexities of WebSphere MQ and the risks it introduces.

John Yeo, a security consultant with UK-based Information Risk Management, said demanding requirements from business units often lead to insecure implementations. Put simply, traffic could be exposed through misconfiguration issues when WebSphere MQ was installed and maintained. Security consultants recently told SearchSecurity.com that misconfigured networks are a growing problem that poses a bigger threat than the software vulnerabilities that typically gain all the attention. The problem runs the gamut from mismatched applications and hardware, to security systems that are put in place but not regularly maintained, to wireless access points that are opened with no defenses attached, according to IT consultants who have seen the problems firsthand.

Yeo said traffic using WebSphere MQ could be exposed through traffic sniffing, allowing an attacker to read sensitive financial account data and transaction details. By default the traffic is unencrypted. Queue managers are also often misconfigured, allowing a user to read and write messages to message queues.

"Reading messages from the application's message queue will expose customer and financial account data," Yeo said in a research report, "WebSphere MQ Threats."

Application design flaws and poor encryption technologies could also contribute to traffic being exposed via WebSphere MQ.

"Due to the types of data typically transported by WebSphere MQ – confidential business intelligence or B2B transaction logs, the endgame scenario is not necessarily a full system compromise; unauthorized read access to the messages may have equally adverse consequences," Yeo said in the research report.
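A configuration audit for the two WebSphere MQ weaknesses Yeo describes (unencrypted channels and over-permissive queue access) can be run against the queue manager's own channel listing. The script below is an added example, not part of the original article or of Yeo's report; the sample `runmqsc` output, the non-SYSTEM channel names and the policy of flagging a blank or `mqm` MCAUSER are constructed assumptions.

```python
import re

# Constructed sample of runmqsc output for
# DISPLAY CHANNEL(*) CHLTYPE MCAUSER SSLCIPH SSLCAUTH
# (channel names other than SYSTEM.DEF.SVRCONN are made up).
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(POS.STORE.SVRCONN)              CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SSLCAUTH(REQUIRED)
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(PAYMENTS.TLS.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(payapp)                         SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCAUTH(OPTIONAL)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # matches KEYWORD(value)

def parse_channels(text):
    """Split the listing into one attribute dict per channel."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):       # header line starts a new record
            current = {}
            channels.append(current)
        elif current is not None:
            for key, value in ATTR.findall(line):
                current[key] = value.strip()  # "( )" becomes an empty string
    return channels

def audit(channels):
    """Return (channel, finding) pairs for the two misconfigurations."""
    findings = []
    for ch in channels:
        name = ch.get("CHANNEL", "?")
        if not ch.get("SSLCIPH"):
            findings.append((name, "no SSLCIPH: messages cross the network unencrypted"))
        if ch.get("CHLTYPE") == "SVRCONN":
            user = ch.get("MCAUSER", "")
            if user == "":
                findings.append((name, "blank MCAUSER: client-asserted identity is trusted"))
            elif user == "mqm":
                findings.append((name, "MCAUSER(mqm): clients get administrative queue access"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_channels(SAMPLE)):
        print(f"{name}: {finding}")
```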

Senior News Writer Bill Brenner contributed to this report.
