Hannaford breach details indicate inside job

By Bill Brenner, Senior News Writer 28 Mar 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

It's increasingly likely that a trusted insider with administrative network access was behind the Hannaford Bros. data breach, security experts said Friday. The scope of server-based malware infections the supermarket chain acknowledged in a letter to Massachusetts regulators appears bigger than anything a remote attacker could have pulled off, they say.

This may have been instigated by someone who knew more about how data was communicated through Hannaford's systems. Graham Cluley, security consultant, Sophos

Experts said the breach should serve as a big lesson for retailers: It's as important to limit the network access of employees and regularly monitor system activity as it is to purchase security technology to block attacks from the outside. Furthermore, it's foolish for a company to consider itself bulletproof because they achieved PCI DSS compliance, as Hannaford's claims it did.

"The overarching conclusion I have that keeps getting reinforced is that the low-hanging fruit is inside the company and insiders are always getting more network privileges," said Mark MacAuley, a York, Maine-based IT security consultant who shops at Hannaford's regularly. "I don't see how anyone at Hannaford could get that level of access unless they were a very well-known entity."

That assessment comes amid the buzz over Hannaford's letter to Massachusetts Attorney General Martha Coakley and the Office of Consumer Affairs and Business Regulation, in which the Maine-based retailer concluded it was the victim of a "new and sophisticated" technique where the attacker sneaked malware onto servers at all of its nearly 300 grocery stores. The malware apparently snatched card data from customers as they swiped their card through the checkout counter machine and transferred the data overseas. A Coakley spokesperson confirmed the Attorney General's Office had received the letter, but that it would not be released to the public, even though details were published Friday in The Boston Globe.

Hannaford breach: Hannaford breach illustrates need to have a survival plan (Mar. 18, 2008)The Hannaford Bros. Co. supermarket chain is the latest company to suffer a data breach. It illustrates the need for companies to have a survival plan tucked away, experts say. Misconfiguration issues could have contributed to Hannaford breach (Mar. 19, 2008)Hannaford takes heat from officials who believe the supermarket chain was slow in disclosing its breach. Meanwhile, one of Hannaford's security vendors gets defensive. Data breach blues (Mar. 24, 2008)Some experts say the Hannaford supermarkets breach exposes some problems with the PCI Data Security Standard. Is the standard strong enough? Take our poll. The pros and cons of data breach insurance The security incident at the Hannaford supermarket chain and elsewhere have some wondering if it's time to purchase data breach insurance. But experts say there are drawbacks.

An inside job?
Graham Cluley, senior technology consultant for UK-based security firm Sophos, said the fact that the malware was not the conventional kind that might intercept keyboard presses as a consumer logs into their online bank but instead something apparently designed to lift credit card data as it was streamed through the servers suggests it was written either to specifically target Hannaford or to target the commerce system that Hannaford had deployed.

"It almost seems too much of a coincidence to think that remote hackers could have chanced upon infecting each and every server with appropriate malware by exploiting a traditional security flaw such as a firewall misconfiguration or out-of-date antivirus solution," he said. "This may have been instigated by someone who knew more about how data was communicated through Hannaford's systems."

While the conventional wisdom points to an inside job, not everyone is convinced that was the case. Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, said it's unlikely that an insider could have or would have driven to every store on the eastern seaboard to infect every server. There are scenarios where an outside attacker could have pulled off the breach, he said. For example, they could have compromised one laptop or server, getting the foothold necessary for a broader attack.

"Another possibility is a direct attack through the more traditional methods where the thief gains access to an administrative system or account and branches out from there. A Web application attack was also possible, he said.

Compliance does not mean security
Much has been made of the fact that Hannaford's was on top of its PCI DSS compliance, which requires merchants to institute a variety of security controls to protect customer card data. MacAuley said companies often assume they're ironclad because they've been deemed compliant, but that's not the case. He said, for example, that PCI DSS leaves out some common-sense mandates, such as encrypting data at the moment a card is swiped.

"At financial services institutions, a big concern is the potential man-in-the-middle attack, where they could insert a sniffer and pull out data as it flows by," MacAuley said. "You can mitigate the risk by encrypting at the point of capture." Avivah Litan, a vice president at Stamford, Conn.-based Gartner Inc., agreed, saying encryption should be at the "point of swipe."

There is one area where PCI DSS compliance could make life easier for Hannaford, however. If the company was indeed compliant at the time the breach occurred, Litan said the banks will have a hard time getting the supermarket chain to pay for all the credit and debit cards that have to be reissued.

"Under PCI rules, if they're compliant at the time of breach, the buck passes to the merchant bank," she said. "The issuing banks will want to get their money back. Visa will go to Hannaford's bank for that, and that bank would normally take the money out of Hannaford under normal circumstances. But if they were compliant and certified the day of the breach, then the acquiring bank is responsible because they accepted the compliance report."

Layer the security and pray
In the final analysis, companies need a layered security program so that if one defense fails, the bad guy must poke through other defenses. Even with a layered security program, the experts say there's no guarantee the company can prevent every attack from succeeding.

Chris Andrew, vice president of security technology at Lumension Security in Scottsdale, Ariz., said from his experience, a common problem is that a company falls behind in its patch deployments. Meanwhile, IT shops fail to control what kinds of devices employees can plug into company machines.

His advice is to avoid approaching security with a set-it-and-forget-it mentality.

"Good security requires constant care and it doesn't take much for an exploitable hole to develop," he said.

Tags: Identity Theft and Data Security Breaches,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Theft and Data Security Breaches MA 201 CMR 17 enforcement less likely with prompt reporting, cooperation No major PCI DSS revision expected in 2010 Data breach costs continue to rise in 2009, Ponemon study finds Chinese hacker attacks target Google Gmail accounts, top tech firms Facebook, McAfee partner to fix social network security issues Hacker pleads guilty to orchestrating Heartland credit card heist MasterCard reverses PCI compliance requirement Verizon report goes deep inside data breach investigations Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary