An article titled A First Look at the Target Intrusion, Malware posted on January 15 by @briankrebs contained an initial analysis of BlackPOS a POS malware targeting retail systems. Retail POS along with other related software, including security systems and software appears to be a common weak link. The hackers have concluded that if you focus on these common software programs and create malware that specifically exploits vulnerabilities within the POS to cause retail mass security breaches of credit cards and possibly PII data. At this point, it is as easy as obtaining the client lists within these systems and performing targeted attacks. Many customer lists are proudly listed on the POS service provider’s website or if they are a publicly traded company, this information could be included within SEC filings.
So what is the solution? 1) Start performing a secure coding process. 2) Use automated source code scanning tools to identify poorly written and insecure source code. 3) A company should contractually require their service providers' source code is independently reviewed by a company that specializes in secure coding review. 4) Build code and validate it is not easily exploited with malware hooks.
A very common problem security experts see is no accountability for service providers to notify their other customers if their software or system is a key component involved in another data breach. Unfortunately in recent events, there is the appearance that some service providers prefer to sweep the security vulnerabilities under the rug and keep it quiet, meanwhile other merchants using the same software and systems may be under attack from the same malware. While malware signatures can take a while to be identified to update anti-virus/malware software to help other companies detect malware, it is very frequent that malware is polymorphic, and not all signatures are provided. Malware is becoming very sophisticated whereby it can have many of the same attributes, but not be identical when it is within a POS system.
Another problem with the recent security breaches comes down to picking the right QSA company. The QSA business has a few common “low price” leaders that will “pass” customers to fit within budget constraints. The PCI SSC has been strong in condemning these types of practices, however, this does not prevent the time and budget pressures put on individual consultants. When Intersec Worldwide conducts QSA assessments, Intersec will include industry lessons learned with their clients and will find issues previously missed by other QSAs because we find many missing layers of protective security that the “low price” leaders overlooked. Sometimes these oversights are caused by a lack of skills but many times it is because there is not enough time allowed in the budget with these QSA firms. The key to preventing a massive credit card security breach is having layers of protective security. This is clearly missing for every security breach report that is reported. The key to preventing a security breach is “layered security” and being diligent and vigilant in your daily security controls. Security should not be treated as a once-a-year event, like a tax filing, but rather a critical daily operation for the organization.
Bottom line, notification requirements need to change in contracts, case law, by regulatory bodies, or some other enforcement method to ensure all customers are notified before it’s too late and the economic damage is already done.
A second updated analysis of the recent Target security breach was posted by Krebs On Security regarding BMC Software: http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
Intersec Worldwide completed an analysis of a similar situation back in June at the HITEC conference for a PCI Boot Camp. The link provided is a PowerPoint Presentation of Intersec Worldwide’s security analysis of a grocery store chain impacted by similar malware used at Target: http://www.hftp.org/Pages/Events/HITEC/Schedule/hitecday1.aspx
