Significant number of major businesses hit by Backoff malware

After my last post, a  new article came out about the Backoff malware.  The article, quoting the US Department of Homeland Security, said that over a thousand small, medium and enterprise U.S. businesses have been compromised by the Backoff malware package.

Backoff is fairly new – first seen last year – and scrapes the memory of POS systems.  7 POS vendors have confirmed that they have multiple clients affected.  The Secret Service is involved.  It is believed that this malware is responsible for the breaches at Target, SuperValu and UPS.

The attackers break into the POS systems using a variety of techniques and then install the malware on the system.  Once the malware is installed, every transaction on the system from that point forward will be compromised.

Mitch Tanenbaum

 


Why we are going to see more card breaches at retailers

An article in Venturebeat the other day suggested 7 reasons why we are going to continue to see credit card breaches at retailers.  First I will share their list, then I will add my own.

Their list includes:

  1. The PCI standard is failing to protect merchants from breaches
  2. Merchants are not implementing P2PE
  3. Retailers introduce new payment hardware (such as tablets) that are neither designed nor tested for security issues in a hazardous retail environment
  4. Merchants add new features to their payment platforms as patches to already buggy systems.
  5. Many of the POS systems are still running Windows XP
  6. Many card breaches lead to Russia.  Russian hackers attack American systems as a patriotic move
  7. EMV is not a silver bullet.

The article goes into more detail on each of these, but these reasons are probably obvious.  I don’t disagree with any of these conclusions.

Possibly the biggest reason that we will see continued breaches is that fixing the problem is hard.  It requires changes to software, way more testing, replacement of old, outdated platforms and changes to business processes.  All of these require time, money and possibly expertise that both brick and mortar and online retailers have not yet prioritized high enough.  So, what retailers do is comply with the PCI rules and state laws and leave it at that.

On top of it, no matter what you do, there is no quick fix.  You can do many different things and still get hacked.  It has been, and likely always will be, a cat and mouse game.

And, the public is quick to forget (although this has not yet worked for Target – they are still struggling a bit), so retailers add a few more patches and call it good.

From the retailer’s perspective, if someone told you to spend an unending bucket-o-cash on a problem without any assurances that the problem will be fixed, what would you do?

Anyone got a silver bullet?

Mitch Tanenbaum

 


Traffic lights are easy to hack

According to an article on CNN’s web site, many traffic lights in the US are easy to hack.

Earlier this summer researchers in Michigan demonstrated how easy it was to hack into the traffic lights in an undisclosed city.

The traffic lights in question are made by Econolite, the largest manufacturer of traffic controls in the U.S.

It used to be that the controllers were all mechanical, and the only way to control them was to drive to the intersection, open the control box and do what you needed to do. Now they support WiFi, and anyone with a laptop (and, in the case of the undisclosed city above, the default userid and password published in the manual) can get in and change or shut down the traffic lights.

There is a standard in the U.S. for traffic controllers, NTCIP 1202, that all manufacturers support. It is also susceptible to the same problems if cities don’t change the default settings.

The interesting thing is that with a little work cities could make the traffic lights more secure.  However, that requires money (time) and since most cities are strapped for cash, nothing is likely to change.

That is, until some hacker decides to shut down a city by turning off all the traffic lights, making them all red, or whatever.  All of a sudden folks will get religion.

Mitch Tanenbaum


Why do attackers like your current security strategy?

I just read a white paper on a security vendor’s (Prevoty.com) web site and I think they really understand the problem.  I have not had a chance to review their products, so I make no claims about them, but I do recommend reading the article.

First a quote from the paper:

Traditional security is like a city protected by castle walls with a moat and a drawbridge to keep invaders at bay. But now the walls have fallen down and the invaders have sprouted wings, waving to your guards as they fly over the moat. Good luck protecting your citizens.

Now onto their 5 reasons attackers love your strategy:

1. Relying on signature and past definitions exposes applications to zero-day attacks.

Most security solutions rely on the assumption that what is going to happen in the future is based on what has happened in the past.  While this is partly true, it certainly isn’t exclusively true.  Examples of this are what are known as zero-day attacks – something new, something different.  It could be something as simple as a technique that was used in the past, but in a different context.  Basing the future solely on the past is not a good security strategy.

2. A perimeter based security cannot protect today’s distributed world.

In olden days (like a few years ago), when mobile phones, tablets and laptops were not as integrated into the enterprise as they are today, you might have been able to at least define the perimeter of your enterprise.  That would be a step towards protecting it.  Today, you cannot even tell me on what devices your corporate data exists – never mind whether you own or control those devices (the misguided principle of BYOD is the primary cause of that, but that is the subject of an entire post by itself).

3. Any attempt at active prevention that occurs outside of the application has no context

This one I might argue with a tiny little bit – but only a tiny bit.  The key point being that you MUST mitigate risk in the context that the risk exists in.  Risk is always context sensitive.

4. Developers are not, and should not be, security experts

If you are counting on your developers to protect you, you already have a problem.  This is not meant to reflect negatively on them.  That is not their focus.  Their focus is to create great applications that satisfy your business requirements.  Security is a discipline of its own and should be treated that way.

5. Your business is not application remediation

Boy, howdy!  As I said above, application, system and network security is a discipline by itself.  Hackers are working 24×7 to break into your world.  You need someone on your side who thinks the way hackers think – and who doesn’t have to do that as a sideline.

One of the interesting things about digital attacks is that unless the attacker is unskilled or wants you to know she has been there, you often won’t know that an attacker is inside your system.  The only reason Edward Snowden is a household name today is that he ‘outed’ himself.  Initially General Alexander of the NSA told Congress that Snowden took around 250,000 documents.   Later the General said he took 1.7 million documents.  I suspect they don’t really know what the number is.  And remember, the NSA is an organization that prides itself on its data security efforts.  How does your average company compare in terms of security budget, staff and expertise to the NSA?  This is a difficult and never ending battle – for both you and the NSA.

According to a recent Experian report, 60% of small businesses that suffer a breach go out of business within 6 months.  A strategy which depends on you not being attacked may not be totally effective.

Mitch Tanenbaum


To disclose or not to disclose

In an August 12, 2014 post on Pymnts.com, the information security executive at Urban Outfitters, Dawn-Marie Hutchinson, argued against disclosure of breaches.  In fact, the company’s policy is to notify their lawyers first so that they can use attorney-client privilege.

While I sort of understand the concept of not disclosing things too soon (like before you have any facts, for example), I have also seen companies not disclose breaches for 6 months or more.

I will argue that if customers find out that you have had a breach and decided not to tell them – without respect to whether that is even legal in many states – I can guarantee that you will tick off more people than if they find out from you in a timely and responsible fashion.  Social media will go crazy once it does get out – it always does.  Guaranteed.

For many years – prior to CA SB 1386, the grandfather of all breach laws – companies were not required to disclose, and for sure, security was much better then — NOT!

So what is the argument for not disclosing, or not disclosing early?  Customers will beat us up.  Right!  What’s your point?  If you insist as a business on keeping a lot of customer information and not protecting it well, then you should get beat up.  The answer to that is to communicate.  Do it at the appropriate time.  Take responsibility.  Explain things.  Help people understand that the world is not going to end.  And yes, you will likely take a short term hit.

Security is a business (financial) decision just like everything else a company does.  It has to be weighed against all the other needs that those dollars can also be spent on.  However, the pre-CA SB 1386 world was not more secure than the post-CA SB 1386 world.  In fact, most companies are paying way more attention now than they ever have.  It’s a VERY hard problem.  The hackers only have to be right (get in) one time.  The company has to be right (keep the hackers out) every time.  I have been doing this for a long time – it is not easy or simple.

Now maybe what Ms. Hutchinson was suggesting was that your first call after finding out about a possible breach should NOT be to the NY Times or Wall Street Journal.  If so, then I agree with her.  Responsible disclosure means just that.  Responsible.  You have to have some facts in order to be responsible.

Does that mean 1 day?  1 week?  1 month?  Probably one of those.  It does not mean silence, however.

Mitch Tanenbaum

Update:  Here is another article on the issue.

 


Does your anti-virus software help or hurt you?

According to a presentation at the SyScan 360 security conference, anti-virus software and other security products have security flaws just like every other piece of software on the planet.  To some of us, that does not come as a big surprise.

The researcher, Joxean Koret, tested a number of security products and found issues with many of them.  The issues ranged from denial of service attacks to the ability to execute arbitrary code.

Anti-virus software products often run with the highest system privileges possible.  Many of them are huge, and when any piece of software is large, the opportunity for security holes grows.

Ben Williams, another security researcher, tested a variety of security products including web and email security gateways, firewalls, remote access servers and others.  He says the results were not great.

Security software has to be able to read hundreds of file formats.  That requires lots of code – which is one reason the software has such a large attack surface.  More than likely, the security company did not write all this code themselves, but rather licensed it from many different companies.  The integration of code from many different vendors adds complexity to applications.  Add to this the fact that the software is running with the highest system privileges, and you can see how this could present a problem.

Joxean thinks that vendors should find and fix problems themselves – or if not, pay security researchers who do find holes – so he has not disclosed all the bugs he found to the vendors.

According to an article in Network World, some of the vendors were informed and fixed the holes they were told about.

What didn’t he tell them and what holes still exist?  Good question.

M
