A First Look at the Target Intrusion, Malware
Posted on 01/16/2014 8:40:12 AM PST by BlueMondaySkipper
Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today's post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.
(Excerpt) Read more at krebsonsecurity.com ...
You’d be foolish to omit network vulnerabilities as part of the issue. As a server administrator and network engineer, I can tell you that everything from your ISP modem to your iPhone are scanned on a regular basis from points all around the world for port and protocol vulnerabilities every day, every hour, every minute.
I run a VM server and host several gaming clan sites and voice services from my home, and my logs are flooded with requests from all over the globe: Romania, France, Sweden, Russia, China, Vietnam, the Philippines, Venezuela, Brazil, you name it. I’ve set up filters on my proxies to prevent IPs from Russia and China, specifically, but my firewall logs are constantly hammered. They’re scanning every possible port from lowly SSH (22) up through the higher random ports most Windows systems use (1024-65K). If they find something, they’ll get in.
This is where I tell everyone who is using Windows XP to STOP USING WINDOWS XP! I don’t care if you’re in your 60s and XP “just works,” for us younger whippersnappers, there’s nothing more laborious or frustrating than getting a call from our elders about computer problems and coming to find out you’re running XP. Would you still be driving around an Edsel if you could? C’mon! XP is a giant vulnerability matrix. You’re on your own VERY soon, as MS no longer supports the OS in any way.
Many POS systems are running XP or some screwy Windows variant. There are plenty of FREE Linux distros for POS. Most large businesses like Target don’t want to invest the money for the right people to do a large-scale implementation, but we do exist.
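The "constantly hammered" firewall logs this poster describes are easier to triage if you separate a source that sweeps many ports from one that just retries a single service. The following is an added example, not code from the post or from any product mentioned in the thread: it parses a constructed firewall-drop log format (the field names and sample lines are made up for the example) and reports sources that touched at least a threshold number of distinct destination ports.

```python
"""Added example (not from the original post): flag port-sweep behaviour in
firewall drop logs by counting distinct destination ports per source address.
The log format, field names and sample lines below are constructed for this
example and do not correspond to any specific firewall product."""
import re
from collections import defaultdict

# Constructed line format: "<ts> DROP src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)

# Constructed sample: 203.0.113.7 sweeps twelve ports; 198.51.100.4 only retries SSH.
# The last line is deliberately malformed so the parser's skip path is exercised.
SAMPLE_LOG = """\
2014-01-15T03:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=21
2014-01-15T03:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
2014-01-15T03:00:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=23
2014-01-15T03:00:02 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=25
2014-01-15T03:00:03 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=80
2014-01-15T03:00:03 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=135
2014-01-15T03:00:04 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=139
2014-01-15T03:00:04 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=445
2014-01-15T03:00:05 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=1433
2014-01-15T03:00:05 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=3306
2014-01-15T03:00:06 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=3389
2014-01-15T03:00:06 DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=5900
2014-01-15T03:01:10 DROP src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=22
2014-01-15T03:01:11 DROP src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=22
2014-01-15T03:01:12 DROP src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=22
garbage line the parser must skip
"""


def parse_lines(text):
    """Parse log text into event dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def find_scanners(events, min_ports=10):
    """Return {src: sorted distinct ports} for sources that hit at least min_ports ports."""
    ports_by_src = defaultdict(set)
    for ev in events:
        ports_by_src[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


def hits_by_source(events):
    """Raw drop count per source, the 'hammered' view that does not distinguish sweeps."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    for src, ports in find_scanners(evs).items():
        print(f"possible port sweep from {src}: {len(ports)} distinct ports, first {ports[:5]}")
```

The threshold (`min_ports`) is the only tunable; the point of the distinct-port count is that a single noisy retry against SSH, which is what most of the background noise looks like, never crosses it, while a sweep does.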
Smart. I love wing dings.
“You guys are forgetting that other data sources have your info without you doing any online transactions. Consider the IRS records, local county tax records, real estate records, credit report companies, etc. You may not enter or place your info online, but somebody else does.”
One of the most vulnerable places is our health care system even before Obozo Care.
Medicare, Medicaid and most insurance companies use one # for patients, our Social Security #.
Then, they have our DOB, sometimes POB, address, phone #, Cell phone # and email sites.
Many medical providers do a credit check so they have that number/data.
Many providers seem to prefer being paid by credit card, if so they have that number.
If you pay by check, they have all of your banking numbers.
Often the lowest paid people in a medical office have full access to all of the above, plus your medical history.
Last summer, our FPs retired or went to a big HMO.
So we had to fill out all of the data above to be seen. The local group’s site was not verified and brought up warnings from my internet provider and services like Norton. I told our new FP, and he laughed until I showed him the warnings. He made a couple of quick calls, and the patient side of their site was shut down until a new site was opened up. Their current site is verified and seems okay now.
Another site, a surgical specialty site, has yet to get its act together. We pay our bills with electronic checks or cash.
Another specialty medical site had a similar problem, and that seems to be okay since they merged with the local hospital, which is part of a big California hospital organization. This organization has a lot of employee unrest and union battles which is not a reassurance.
Last but not least are the Store discount cards which market/mine our private data. The one such card I have, I am St Nick, born on the 4th of July in 1918. In five years, only one clerk has picked up on my fantasy ID, and she just laughed.
I'll say! Actually I do. Devices that are targets for this kind of attack shouldn't be able to be remotely flashed with new software. It's convenient for the people who manage them, but so what, it's not their money to be putting at risk.
Barring doing the safest thing (not allowing remote flashing of code) they should at minimum have monitoring that alerts when code is added or changed.
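The "monitoring that alerts when code is added or changed" this comment asks for is, at the file level, a baseline of cryptographic digests compared against a later snapshot. The block below is an added example and not code from the thread or from any vendor: it builds a constructed code tree in a temporary directory, baselines it with SHA-256, tampers with it the three ways that matter (a binary replaced, a new module dropped, a config removed) and reports each class of change. The directory layout and file contents are made up for the example.

```python
"""Added example (not from the original post): a minimal file-integrity check
that baselines SHA-256 digests of a code directory and reports added, changed
and removed files. The directory layout and file contents are constructed in
a temporary directory so the example runs stand-alone."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                # Read in chunks so large binaries do not have to fit in memory.
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify every path as added, changed or removed relative to the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "changed": changed, "removed": removed}


def demo():
    """Constructed scenario: baseline a fake terminal code tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as f:
            f.write(b"original terminal binary")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("server=payments.example\n")
        baseline = snapshot(root)

        # Tampering, constructed for the demo: binary replaced, new module dropped, config deleted.
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as f:
            f.write(b"modified terminal binary")
        with open(os.path.join(root, "bin", "scraper.dll"), "wb") as f:
            f.write(b"unexpected new module")
        os.remove(os.path.join(root, "config.ini"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

One design point worth noting: a check like this is only as trustworthy as the place the baseline lives, so in practice the digest list is kept and compared off the device, since anything that can rewrite the terminal's code can also rewrite a baseline stored beside it.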
I’m not even saying flashing shouldn’t be “allowed”. I’m saying it should be impossible. Whatever code the devices run should be in hardware, requiring physical contact to reload. If it’s a permission thing, there might be some way for them to end run it.
Agreed. Perhaps the only saving grace is that greed may overtake the hackers to the extent that large sums of money are detected as moving from place to place and catches the eye of Law Enforcement. If they stay small, they likely will never be caught. There are simply too many sources from which to piece together a user profile and then raid their accounts. Especially when governments support this type of behavior.
I am 100% behind you, but it's not going to happen. The buggy software that we squeeze out nowadays needs to be patched too often. IMHO we are on the precipice of a software crisis where our systems are too big and too convoluted for anyone to understand. They are poorly designed and hurriedly slapped together with little or no QA. They are riddled with security flaws. If we could not continuously push out bug fixes, nothing would work. And now, this is all catching up with us. God help us.
It’s a credit card terminal. How complicated could it possibly be or hard to get it right? Why is it even running on an OS in the first place instead of bare metal?
That is complete BS. First Windows XP is no longer in regular support and is going to be completely unsupported in April.
Try getting a version of Linux from when XP was launched that is still secure today.
I know they are two separate words. Cramming them together is reminiscent of a (now) very old SNL skit.
It'd be pretty hard to find a better description of healthcare.gov, eh? Today I was watching the news coverage of one of the Dem. Reps (in Lamar Smith's committee, I think?) The Rep. was accusing the Pubs of trying to "scare" people away from signing up for ObamaCare, with security concerns. This from an old fool who could not run a lemonade stand, or learn in 2 years how to write a 6 line program in Basic. (See, there I am dating myself!) The gratifying thing was the interviews of young people asked if they were concerned / would sign up, and were saying "no way!"
The Dems of course had their own "expert" saying, essentially, that healthcare.gov was not as attractive a target as other sites. Obviously this guy doesn't understand all hackers or their motivations. Most Everest climbers don't do it solely for the money...
Then of course there was that Pub bill the other day, that would supposedly require the Administration to report any thefts of information from the healthcare.gov within 2 days of the occurrence. (Paraphrasing.) Yeah, that'll help. Shouting at the horse that's already galloped 500 ft. out the barn door helps too.
Because, if you're running on bare metal, you'll have to invent the OS.
Then where are you? You will now have an ad hoc, informally specified, bug-ridden semblance of an OS. Congratulations!
The bad guys will get a hold of a sample of your custom brainchild OS, reverse engineer it, and fashion a suitable attack. Then all they have to do is get on your network and deploy their code with a script, similar to the ones you use to update your system.
If the door's ajar, they'll get in!
How do you pay your bills?
I have a B of A account. When my Amex bill arrives, I log onto my B of A account and schedule a payment of the full amount on the due date several weeks into the future. Just keystrokes and clicks. Works every time. Puts the USPS out of business (or reduces them to littering my mailbox with ValuePaks).
What's the use of a bank account if not to make payments?
No, it's your problem if your checks bounce.
My solution is always to use my Amex card.
I remember when "check cards" were introduced. My new ATM card came with a MasterCard logo and a brochure touting the new charge card "feature".
I called the 800 number and asked if that meant charges could be made without entering the PIN. They said yes, it's more convenient, you can use it anywhere a credit card can be used. I told them to close my account. They said, hold on, we'll send you a new card. And they did. In the next day's mail: no stinkin' MC logo and a new account number not in the MC range.
ATM card should be used only at ATMs. All other payments should be using charge cards!
If the POS is running on top of a vulnerable Windows OS, all too easy. All it takes is one compromised machine on a network, and it can be used as an attack platform to target other machines that can be exploited. Pretty soon, the attacker 'owns' the place.
Businessweek has an article saying that 95% of ATMs worldwide are still using XP. Support for embedded XP ends in 2016, instead of this year for regular XP. It wouldn't be surprising if POS systems have similar ratios.
Because they can. Because it's cool. To be fair, embedding something like Linux in an electric meter gives you access to protocol stacks and other platform software that work pretty well. But putting stuff like this under so much automation opens us up to remote attacks and we can't anticipate all of them. Was it really so bad having a 90 IQ guy drive around and read meters instead of sitting at home watching Jerry Springer?
Embedded operating systems often have customized kernels to accommodate the lower-end hardware in most POS and ATM devices. That being said, it’s still a Windows XP kernel which is a well-known vector and capable of exploitation if not patched properly, which I can personally attest they usually aren’t.