The breach that struck Target Corp. over the 2013 holiday shopping period was the biggest in a string of recent security incidents involving retailers, with tens of millions of customers' credit card numbers and other sensitive data lost in the past year alone. Such breaches have raised many questions around the point-of-sale security practices in place at many retail outfits, and according to one expert, the use of complicated data exfiltration techniques in targeted malware and the presence of Windows XP will only make matters worse.
"Many times, what we'll see is the point-of-sale [PoS] machines will dump the card data and encrypt it, so that data leakage prevention solutions don't know that it is card data," said Chester Wisniewski, senior security advisor for antivirus vendor Sophos Ltd. "And then they take the encrypted data and move it to a central point which likely has more external access, because in a well-managed point-of-sale environment, the register shouldn't be talking to Facebook any more than to badguy.root."
In this interview, recorded at the 2014 RSA Conference, Wisniewski details some of the findings from his own research into RAM-scraping malware and other PoS threats, as well as the increased risk of running Windows XP, even the still-supported embedded version, on PoS systems, and why isolation should be the ultimate security goal in such environments.
"It's a computer. People are bored at work, they want to check their Facebook, their email. And a lot of retailers are friends with their employees, particularly smaller retailers," said Wisniewski. "And they say, 'I don't wanna be mean, of course you can get on the Internet.' So we really need to get over that and focus on the isolation."
Read the transcript below.
Hi there. I'm Brandon Blevins with searchsecurity.com. Thanks for watching this video. Joining me today is Chester Wizmiewski. Chester is senior security advisor with Sophos. Chester, it's a pleasure to have you with us today.
Wizmiewski: Thanks for having me.
Chester, one of the talks you're giving here at the 2014 R.S.A. Conference centers around point of sale RAM scraping malware. That's obviously been a source of many headlines recently. What are you seeing in the point of sale security space in recent years?
Wizmiewski: Yeah, I guess our timing was good in that we chose this topic last summer to submit to R.S.A. Then, it just happened to be there were some major breaches in between that have gotten everyone's attention.
Largely we're seeing kind of the advance of the malware in step with our advance in technology used to protect card data. Actually, one of the more interesting findings to me when we started compiling all the data from our labs was the geographic distribution in particular being so heavily focused on the United States because of the use of stripe technology here.
I'm curious what exactly attackers are targeting in point of sale environments. I, for example, have heard that Windows XP underpins many of these systems. Is that a big source of attacks?
Wizmiewski: Yeah, Windows XP largely. There are a couple of reasons for it. Regular Windows XP is end of lifed in April, but XP embedded that's used in most commercial point of sale equipment has another couple of years of life in it. So, it still will be getting patches from Microsoft, and that, I think, is leading to a lot of retailers not rushing into migrating into new platforms.
The problem with that isn't so much that oh you get patches for two more years that's great. But, what it really is about is some of the mitigations that have been introduced in newer operating systems. Whether that's OS X or whether that's Windows or Linux or any of them, they've all got things like address space layout randomization, data execution prevention, et cetera.
Those technologies actually do make it a lot harder to steal card data from these machines, and none of them are really present in Windows XP. So, it makes it easier on the attackers to not have as many hurdles to jump. It is part of the problem, I think.
For point of sale malware like the Dexter, like the LeNa, how customized is that to point of sale environments? Or, are those samples of malware that have been repurposed from, say, the Zeus source code leak?
Wizmiewski: Well, there are a lot of families of this stuff. I guess at a high level if you were doing a taxonomy of malware in credit card theft you'd start out with sort of targeted and generic.
When you talk about the major retail breaches in the U.S. this year those are targeted and very hand crafted often to specifics to those environments by some clever attackers. That's a much harder problem to deal with. Whereas the other half of it is similar to Zeus but not quite as bad.
Much of it is toolkit based. You can buy the malware on the open market. And, there's a customization tool that you as a complete newbie that knows nothing about coding can go in and say here's my command and control server I.P., and here's where I want to dump the credit cards, and here's the password I want to use to encrypt them.
From that standpoint it's a lot like Zeus. It's a kit. Anybody can use it. It's reasonably affordable. Often you see about $1000 to buy one of these pieces of malware.
But, that stuff is pretty easy for antivirus vendors to detect as well in that it's common, there's very little variation in it, it's not the most sophisticated stuff in the world, and, even to the point of not really being point of sale specific.
The malware we demonstrated today at our talk called VSkimmer just generically goes through memory looking for credit card numbers. It doesn't say I'm targeting this brand of software that's used in cash registers. It does exclude a list of things it knows it doesn't want to look at like Chrome because it might be 2 gigs worth of RAM that has no credit cards in it, so it skips that. It looks other places.
But, it's not like vendor Y's or vendor X's point of sale software is being exploited with a vulnerability or some specific hole. It's kind of generic.
Chester, I'm curious. Once point of sale malware has infiltrated a system, are there any tell tale signs? For example, are there any specific methods that attackers use to exfiltrate data from those systems?
Wizmiewski: Well, again, we'll go targeted and non-targeted. Because in the targeted space the exfiltration typically gets very complicated. Many times what we'll see is the point of sale machines will dump the card data and encrypt it so that data leakage prevention solutions don't know that it's card data. Then, they take the encrypted data and they'll move it to a central point that likely has more external access. Because in a well managed point of sale environment the register shouldn't be talking to Facebook any more than it should be talking to badguy.ru.
They'll take the data, centralize it on some central file share, FTP server, this type of thing within the environment that has some sort of external connectivity that allows them then to send it off to a Gmail account, or post it to an FTP site, or maybe launder it through several sites along the way. That's targeted.
The guys that are buying the kit for $1,000 are using much simpler things. They still do encrypt the stolen data often, but they're just directly emailing it out or they're directly connecting to FTP sites.
Or, the one I demonstrated does HTTP GET requests with the stolen card data encoded into the URL. So, every time I swipe a card... I was using Notepad. I fired up Notepad. I got my card skimmer. I swipe a card. The credit card number shows up in Notepad. A few seconds later the malware scrapes it, encodes it, and does an HTTP GET request to a website controlled by the attacker.
Chester, you had mentioned isolation is one of the keys to securing point of sale systems. I'm curious for those retailers, those restaurants, those hotels out there that are struggling to secure PoS, are there any other best practices you can mention?
Wizmiewski: Yeah. I mean the number one thing that is in the control of the retailer is that isolation, I think. Clearly, you do need antivirus and firewalls. That's just common sense to at least look for the known bads. But, there are always unknown bads. Those things aren't always going to work, which is what the isolation really provides.
I see this so often. I was recently in a bike shop in my home town in Vancouver. While I'm talking to the guy and they're putting the new tube in my tire, he looks over his shoulder, the owner, and said who installed Photoshop on the cash register.
Immediately I'm going okay it's Windows. They've got admin. It's probably not a licensed $1,000 copy of Photoshop at the bike shop computer. There are all kinds of bad signs here.
But, this isn't uncommon. It's a computer. People, well, they're bored at work. They want to check Facebook. They want to check their email. A lot of retailers are friends with their employees in small business environments in particular. They'll go I don't want to be mean. Of course you can get on the Internet.
We kind of have to get over that and really look closer at that isolation. Because I think it's one of the key components. It won't prevent the fraud as we've seen in these big cases. These guys can weasel their way through the network and eventually get it out. But, in a lot of cases it's such a big deterrent that it can protect especially smaller establishments from compromise.
Chester Wizmiewski, thanks for joining us today.
Wizmiewski: Thank you.
Brandon: Thank you for watching this video. For more of our videos please be sure to visit searchsecurity.com\video.