The data breach at Hannaford, the US grocery chain, which enabled the theft of info on more than 4.2 million credit card accounts was caused by a sophisticated piece of malware that attackers installed in all the company's retail outlets. Installed on more than 300 servers in at least six states, the malware was able to …
I would bet it was one of their own techs...
I think this smells very much like an inside job.
Network security (more like the total lack thereof) between servers has always been a "pet peeve" of mine.
IT departments want little or no firewall between servers so they can push updates quickly and automated. Well, when the system has that many rights it can be greatly abused by someone inside who is (pick one of the following) bored, needing extra cash, vindictive, or just plain crazy.
A very large company that handles people's medical records that I once worked for had all the servers open to people handling customer service (OUTSOURCED to a company that handled Nextel customer support... Yes, that's right, customer support for a wireless phone company had access to medical records of one of the largest medical insurance providers out there.)
To make a long story short, a bored NEXTEL rep accessed the voice records for the customer support (stored them on a thumb drive and walked away). They fired him but who knows what he did with all that information.
This Hannaford case is much more complicated, so I'd say it was a member of their own IT (unless they outsourced that to some techs from India) this time.
Unbelievable.... Shame, shame, where are the internal controls, people!!!!!!
Definitely an inside job.
I am currently contracted to do software development / testing for one of the largest convenience store chains in the world with 30,000+ stores worldwide. Every one of the servers runs the same card processing software and same credit card processor.
I estimate it would take about 6 hours to push out a small piece of software to EVERY store, capturing track 1/track 2 data as well as customer PIN information before it is encrypted. The customer card / PIN terminals send unencrypted information from the Point Of Sale (POS) terminal to the in-store server where it is then encrypted in a matter of milliseconds and sent over the network. It's very easy to capture the data before being encrypted, giving you full access to PIN and track1/track2 data. (With the exception of transactions made at petrol pumping stations, as they use hardware encryption before being sent to the server.)
We're talking at least 250,000 cards a day here with full track/PIN data. A $200 magnetic stripe reader/writer, some blank cards (usually about .50c apiece), and a few trips to the ATM ... Let's just say it would mean retirement before anyone figured out what was going on.
It, however, would not be possible to send that data to a source outside of the firewall as the routes to the card processing company, administrator access, and the frame relay network ISP are strictly controlled. This would have to be done internally through someone with access to the trusted network.
The most-likely suspect would be the person in charge of the firewall/routing as they would have access to every IP in the trusted network as well as the ability to route traffic outside the network. Or as in this case, an "unidentified offshore ISP".
It takes thousands of people and millions of dollars to design the system but only one determined person to take it all apart.
That magnetic strip was always asking to be hacked. Sheer arrogance of the designers in thinking that it was too difficult for people to hack!
Chip and Pin takes more effort but why tout it as uncrackable unless you are laying down a challenge.
In this case they don't even bother with Chip'n'Pin.
A target this big is obviously going to attract challengers. The bigger your organization, the better defended it needs to be. Windows has to be better written than Linux because it's a bigger target. If you wanted to make yourself a smaller target then you would use Linux. It might help but would not totally solve the problem. The other thing might be to split the organization into franchises or a federation. The world seems to be going the other way, with organizations and countries growing bigger and more integrated. It gives the people at the top massive power. This makes the internal problems bigger and harder to fix.
Inside and/or Windoze
The article implies the systems are Microsoft based (comments from Sophos and regarding anti-virus). That would explain why the servers got compromised.
As per previous comments, no matter what O/S, it does look like an inside job.
Hahahaha. There's no such thing as PCI compliant. They change their rules every 1.34 seconds, and no one on the planet can truly keep up with them.
Personally I think they do this so that, when your system is breached, they can say, well "we see you were trying, but you weren't in full compliance; therefore we are forced to pass the costs of dealing with the event on to you"
Unless they were very careful with their security or have a shit-hot IDS, firewall access would not be a definite requirement for this hack. The data could have been smuggled out of the company using a technique like DNS tunnelling.
The terminal sends off a set of carefully crafted DNS queries that contain the data to be smuggled encoded into the hostname. The hostname isn't found in the local DNS cache, so the resolver goes back to the authoritative DNS server for the domain, which stores the query for decoding. No reply is necessary, so even if the company has used something like DNS resolving on the proxy for the public internet, the data will still get through.
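The exchange described in the comment above, with both sides written out, plus the resolver-log check a defender would run against it, as an added Python example that is not part of the original thread. The zone exfil-example.net, the payload (seeded pseudorandom bytes standing in for a harvested batch of card data) and the detection thresholds are all assumptions for illustration; the label and name limits are the real ones from RFC 1035.

```python
"""DNS tunnelling: how data rides in query names, and a heuristic to spot it."""
import base64
import math
import random
from collections import Counter, defaultdict

# Assumption: an attacker-controlled zone (hypothetical, not from the article).
TUNNEL_DOMAIN = "exfil-example.net"
LABEL_MAX = 63   # RFC 1035: one label is at most 63 octets
NAME_MAX = 253   # RFC 1035: a presentation-format name fits in 253 characters


def encode_queries(payload: bytes, domain: str = TUNNEL_DOMAIN) -> list[str]:
    """Client side: pack payload into names of the form <seq>.<data>...<data>.<domain>.

    The 4-hex-digit sequence label lets the server put chunks back in order,
    since recursive resolvers retry and reorder queries freely.
    """
    text = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [text[i:i + LABEL_MAX] for i in range(0, len(text), LABEL_MAX)]
    names, seq, current = [], 0, []
    for label in labels:
        if current and len(".".join([f"{seq:04x}", *current, label, domain])) > NAME_MAX:
            names.append(".".join([f"{seq:04x}", *current, domain]))
            seq, current = seq + 1, []
        current.append(label)
    if current:
        names.append(".".join([f"{seq:04x}", *current, domain]))
    return names


def decode_queries(names: list[str], domain: str = TUNNEL_DOMAIN) -> bytes:
    """Authoritative-server side: reassemble the payload from logged query names.

    No answer has to be sent; the data is already in the question section.
    """
    suffix = "." + domain
    chunks = {}
    for name in names:
        if not name.lower().endswith(suffix):
            continue                      # unrelated query, ignore it
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0], 16)] = "".join(labels[1:])
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))   # restore padding


def shannon_entropy(s: str) -> float:
    """Bits per character; base32 data lands near 5, real hostnames well under 4."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def suspicious_zones(queries, min_unique=20, min_avg_len=40, min_entropy=3.5):
    """Resolver-log check: zones seeing many distinct, long, high-entropy subdomains.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    subdomains = defaultdict(set)
    for q in queries:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) >= 3:                       # crude zone cut: last two labels
            subdomains[".".join(labels[-2:])].add(".".join(labels[:-2]))
    flagged = {}
    for zone, subs in subdomains.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[zone] = {"unique": len(subs), "avg_len": round(avg_len),
                             "avg_entropy": round(avg_ent, 2)}
    return flagged


# Constructed sample: seeded pseudorandom bytes standing in for a harvested batch,
# mixed with a few ordinary lookups as they would appear in a resolver log.
PAYLOAD = random.Random(1234).randbytes(8192)
BENIGN = ["www.example.com", "mail.example.com", "cdn.example.org", "ntp.example.net"]
TUNNEL = encode_queries(PAYLOAD)

if __name__ == "__main__":
    assert decode_queries(TUNNEL) == PAYLOAD
    for zone, stats in suspicious_zones(BENIGN + TUNNEL).items():
        print(zone, stats)
```

The decoder never needs the queries in arrival order, which is why the sequence label is there; the detector keys on what a tunnel cannot avoid: many never-before-seen, long, high-entropy names under one zone. An egress rule that lets only the internal resolver talk on port 53, with that resolver logging as above, is what turns the heuristic into something enforceable.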
This happened in the US of A. They don't know what Chip'n'Pin is over there.
Some stores do have c&p capable readers, but the scene that follows when someone uses a European card in one that still has the c&p functions enabled is Pythonesque. If you're lucky, you walk out half an hour later with your purchases if the manager is willing/able to enter the card number by hand.
I work for a company that installs and services payment kiosks and other point of sale hardware. I've found it'd be unlikely for someone to be able to sniff the PIN coming from a POS terminal to the server, as every installation I've done with modern (<2002) hardware has featured encryption in the PIN entry device. The Ingenico 6550, which is what Wal-Mart and most other retailers are switching to, encrypts the PIN inside the device, before even the host terminal sees it. Older terminals, like the eN-Touch 1000, which I also commonly see, ship from Ingenico configured for in-unit encryption, but it can be disabled, unlike the newer units. That does nothing to protect those poor Visa / MC / Amex / Discover users whose stripe data is still there in the open...
Easy to stop thumb drives
I was told by an Exec owner in a commodity trading house that he was tired of "stuff" leaving the building and to sort it out so no one could use Thumb drives and such like.
I was told I had the weekend to do it and triple bubble for my trouble.
I used a glue gun and glued up the serial and USB ports, and any USB device that was meant to be there I soldered in to the socket. We didn't have CD-RWs in any desktops so that wasn't an issue.
Thereafter anyone caught in the building with any type of data storage device was obliged to leave it with security. Failure to do so was a P45 offence.
"was caused by a sophisticated piece of malware" : too bad they only protected themselves against "stupid pieces of malware".
@ Windows has to be better written than Linux because it's a bigger target
Bit of a logical leap there, and unix is quite widespread out there, last time I looked at the servers running this planet.
I would actually say the reverse is true as well; crackers probably rate the larger organization as more of a threat if discovered. It is a riskier proposition to break into a large organization than it is a smaller business. It may very well be easier to target 4 smaller businesses that are 1/3rd the size of the one large business.
The argument that Windows, because of a supposedly larger user base, is more of a target only goes so far; it is not a template to stick onto everything. It is just a way to realise that security cannot be measured in sheer volume of intrusions. Windows security, when looked at objectively, is still pretty far down the totem pole. And if your market share is say 10% (and unix server deployment is probably closer to about 40 - 60%) you are still a substantial target. Sure there is more diversity in the various unix styles - but there is enough crossover as well.
The federation idea is an interesting one - but yeah it is economies of scale that have allowed these companies to get so large they can monopolise the market place.
The big problem with credit cards, is where the liability ends and the buck stops, and that is with the merchant - banks and credit card companies simply shift the burden of fraud onto the merchant, and that needn't be the place where the information was taken, instead it is where the information was used to obtain goods. Move the liability onto the banks, and watch the security go through the roof. As it stands at the moment, the bigger merchants will pay an insurance premium limiting their exposure in instances of fraud, and it is the insurance companies who will be going after the Hannaford CC thieves. Well along with the FBI.
@anonymous coward, wielder of the soldering iron
If your commodity house contact ran a Windows shop, this would have been very easy for you to implement without ever opening a toolkit... Browse the web for a Group Policy ADM template to disable USB Block Storage Devices (Vista has a similar feature built-in). Apply policy, hit the pub, return after a significant amount of time had elapsed to collect your quid.
@Chip and PIN
I doubt anyone would ever be as arrogant as to think mag strip is unbreakable.
At the time it was introduced (at least 30 years back) it was seen to be - and probably is - far more secure than the previous technology (ie. signatures or nothing at all).
Ultimately there is always a compromise between cost (cards & system) vs convenience vs security. Since maximising transactions has always been a priority, security has always been less important than convenience & security.
This would appear to be an inside job. Making any system robust to inside jobs is pretty hard.
Focus on Perimeter
This is not surprising. Most "IT Decision Makers" focus on perimeter security and just assume their interior network is secure. In the meantime bored employees spend time on MySpace firing off uncountable application layer exploits. Most IT depts can patch Windoze, but they fail to fix the Flash Plugin vulnerability of the month.
To make the story richer, most 3rd party security auditing is done by entry level people who have little technical training and are struggling to grasp basic network architecture issues. That has been my experience in New England.
To the AC who soldered USB plugs and sockets together: It would have been better and easier to disable USB mass storage in the OS. This is easy to do for both Windoze and Linux. On Windows, you could have pushed the registry update out via Active Directory.
> To the AC who soldered USB plugs and sockets together: It would have been better and easier to disable USB mass storage in the OS.
And, gosh, nobody would ever have been able nefariously to change it back again!
(I really hope you don't work in any job that requires logical thought...!)
@ PCI and the Judgement of Solomon
I'm not so sure about PCI being updated every 1.34 seconds....
But the problem with compliance with PCI (which I quite like - it's a very pragmatic Standard) or any other Standard is that you can only safely say that you're compliant at the date of last audit. There's no guarantee that you're compliant 24 hrs later.....
Standards compliance tends to make people complacent, I think..
Anyway, all credit to Hannafords for actually achieving the degree of compliance that they did. Unfortunately the indications are that they subsequently took their eyes off the ball called 'Vulnerability Management'....
No way were they compliant!
Two of the core sections (1.3.5 and 1.3.7) of PCI clearly state that there must be outbound filters and policies in firewalls to prevent this sort of data leakage. There is ABSOLUTELY no way that they were compliant at the time of the attack if these sorts of batch files could be transmitted to an arbitrary location outside of the company.