Monday, January 20, 2014

Preventing POS data breach


Espresso? Sure why not!
With so many people talking about Point of Sale (POS) data breaches and so many of them happening over the known history of computer crime you have likely been lead to believe that POS is a hard thing to secure and that sophisticated crooks are chasing POS systems every day.  Welllllll like most things in life they are not always like what you think they are.  For those of you that have ever had to do Pen Testing or worked on a major incident you know that everything you read and see if the press and from Hollywood is just pure hokum.  The POS incidents are no different.  Bear in mind I'm not on the inside at the most recent one, but as per my previous post it's most likely yet another RAM dumper (YARD is my new acronym.  God knows the IT industry needs another acronym).  I hope this acronym demonstrates the lack of surprise I have when dealing with this type of malware.

I remember when I first saw this type of malware and thought "wow how the hell do you stop someone from stealing plain text data in memory".  After a bit of contemplation you realise the answers are pretty simple because I was asking the wrong question.  Firstly, like every piece of sensitive data, if you don't need it, don't store, process or transmit it.  Yep as I said - simple but not always achievable.  If your business is not able to live by the "golden rule", then you must live by the "silver rule" which is "keep the bad guys out of your sensitive data". This is all common sense really, but common sense is not often applied practice and business large and small get caught out every day.

The moment of realisation

Merchants that become a victim os POS data breach typically as at least one of the following statements:

  1. We didn't know they had any sensitive data
  2. My vendor told me there was nothing to worry about
  3. It's been working for years why now?
  4. Why would someone from <Eastern-Eurpoean-country-here> login to my computer in <anywhere>?
  5. How did they find my computer/network in <anywhere> and how did they know where to look?
  6. I didn't tell anyone so how did they know my password?
From this list of statements you can see the general understanding of most merchants is pretty low and they don't have much capacity to look for problems they didn't know existed.

Preventing and stopping RAM dumpers

In the previous blog entry I talked about RAM dumpers and scrapers. Given the US POS environment it is necessary for the card data to be in the RAM of the POS system in plain text, so we have to protect the system from having bad guys on it. Follow the PCI-DSS and you're almost certain to be good.  The PCI-DSS is a very large document and will take a lot of time to digest and even more to implement.  A more abridged list to maximise effectiveness of  controls is:

  1. Do not use vendor default passwords especially for remote access (Yes this REALLY happens still today). This means use unique passwords for vendors as well.  In days gone past (I hope) support vendors used to use their company name as the password for the hundreds or thousands of POS devices.  What could possibly go wrong hey?
  2. Run the POS systems as an unprivileged user. Seriously why in the world would a POS need to run as admin?  There's only three answers - stupidity, laziness and really bad software.  Neither are acceptable.  
  3. Really restrict access to the payment network.  Most POS are protected by a single credential and a large proportion of POS have unfiltered outbound Internet access.
  4. Remove Internet access from the POS network.  Why does a POS need Internet access?  If you are using Internet based payments, filter access to the necessary addresses/ports and nothing else.   I've seen POS' send data and alerts to drop servers via email, FTP and HTTP.  There is simply no need to provide a direct outbound path for malware to send data.
  5. Any connections in/out of the POS network must be authenticated.  
  6. Monitor your POS devices for new services and processes.  Most POS malware must remain memory resident and will be installed as a service or as an auto-start application.  A new service or auto-start application on a POS is a big red flag and must be investigated. If you have least privilege on  your POS this should not happen anyway.
Of course there are ways to circumvent many of these controls, but realistically very few bad guys want to put in a whole lot of effort when there is so much low hanging fruit out there.  It's back to the old saying, "when you are being chased by a bear you only have to out run one of your mates to be safe".  It's similar in cyber-crime, but the analogy does not hold true for ever so we have to continuously improve our defences and detection of events.


Post a Comment