BreachExchange mailing list archives
Worried About the Target Breach? Add This Term to Your Vocabulary
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Jan 2014 17:15:45 -0700
http://www.businessweek.com/articles/2014-01-14/worried-about-the-target-breach-add-this-term-to-your-vocabulary

When Target (TGT) announced a breach of customer data in December, tens of millions of people who shop there had to worry that hackers had stolen their financial information. When the company’s chief executive officer admitted on Monday that the problem was malware in its credit-card reading system, businesses had even more cause to worry.

From the smallest corner store to the biggest big-box retailer, pretty much anyone selling anything has to have what’s called a “point-of-sale” system for reading and processing customers’ credit and debit cards in our increasingly cashless economy. As a merchant, you’d better make sure shoppers trust that they’re not exposing themselves to identity theft and credit-card fraud every time they swipe. Even Target, a huge company with big bucks to spend on security, hasn’t managed to assure such certainty.

Here’s where “RAM Scraping” comes in, and it’s not, as it might sound, something disgusting that happens at the dentist. Broadly speaking, there are two ways to compromise point-of-sale systems. In some cases, thieves attach a physical device to the system to collect card data, which is called “skimming,” according to the U.S. Computer Emergency Readiness Team (U.S.-CERT), a cyber watchdog that’s part of the Department of Homeland Security. The second method is for hackers to infect the system with a malicious program that scans for anything that looks like credit-card information as it passes through, data that the hackers then collect remotely. Common types of such malicious code, with names such as Dexter and Stardust, according to U.S.-CERT, are doing the “RAM-scraping,” which refers to the process of scanning a computer server’s system memory—RAM for “random access memory”—for the right kind of information.

What about encryption? Well, as the tech news site Re/code puts it, think of the data as a package being delivered with a lock on it. To see what it contains, you have to unlock it, even if only for a fraction of a second. That’s when the malware hits.

The Target hack highlights just how hard it is to safeguard consumer data. Target hasn’t disclosed—if it even knows—how the malware got into the system. It could have been just one employee clicking on an innocent-looking but malware-infected e-mail, which then downloaded itself to Target’s corporate network. Or maybe there were unpatched software vulnerabilities in Target’s system.
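The “unlocked package” point above is the whole story of why RAM scraping works against encrypted card data, and it is also where the mitigation lives. The following is an added illustration (not code from the article, from Target, or from any vendor) that simulates two POS designs and records every buffer the POS process holds. Design A encrypts the reader-to-POS link and the POS-to-processor link but decrypts in between, so the PAN exists in POS memory in the clear, however briefly; Design B is point-to-point encryption (P2PE), where the card reader encrypts under the processor’s key and the POS only forwards opaque ciphertext. The test PAN, the keys and the toy HMAC-based stream “cipher” are constructed stand-ins so the example runs offline.

```python
"""
Added illustration of the plaintext window that RAM-scraping malware relies on,
and of point-to-point encryption (P2PE) as the design that removes it.
Constructed example: the PAN, the keys and the toy cipher are not real.
"""
import hashlib
import hmac

# Constructed, non-live test card number (a standard test PAN), not real data.
TEST_PAN = b"4111111111111111"


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. A stand-in for a real
    authenticated cipher, present only so the example is self-contained."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR stream: the same operation in both directions


class MemoryRecorder:
    """Records every buffer the simulated POS process holds, so we can ask
    afterwards whether the plaintext PAN was ever present in its RAM."""

    def __init__(self):
        self.snapshots = []

    def hold(self, label: str, buf: bytes) -> bytes:
        self.snapshots.append((label, bytes(buf)))
        return buf

    def plaintext_seen(self, pan: bytes) -> list:
        """Labels of every buffer in which the clear PAN appeared."""
        return [label for label, buf in self.snapshots if pan in buf]


def legacy_pos(pan: bytes, link_key: bytes, processor_key: bytes,
               mem: MemoryRecorder) -> bytes:
    """Design A: the reader encrypts to the POS, the POS decrypts, inspects,
    and re-encrypts for the processor. Both links are encrypted, yet the
    PAN sits in POS RAM in the clear between the two steps."""
    from_reader = mem.hold("reader->pos ciphertext", toy_encrypt(link_key, pan))
    clear = mem.hold("pos plaintext", toy_decrypt(link_key, from_reader))  # the window
    return mem.hold("pos->processor ciphertext", toy_encrypt(processor_key, clear))


def p2pe_pos(pan: bytes, processor_key: bytes, mem: MemoryRecorder) -> bytes:
    """Design B (P2PE): the reader encrypts directly under the processor's key
    inside its tamper-resistant hardware; the POS has no key to decrypt with
    and only forwards an opaque blob."""
    blob = toy_encrypt(processor_key, pan)  # happens in the reader, not the POS
    return mem.hold("pos forwarding ciphertext", blob)


def compare() -> dict:
    """Run both designs on the test PAN and report where plaintext was seen."""
    link_key = b"constructed-reader-link-key"
    proc_key = b"constructed-processor-key"

    mem_a = MemoryRecorder()
    out_a = legacy_pos(TEST_PAN, link_key, proc_key, mem_a)
    mem_b = MemoryRecorder()
    out_b = p2pe_pos(TEST_PAN, proc_key, mem_b)

    # The processor can still read the card in both designs; only the POS differs.
    assert toy_decrypt(proc_key, out_a) == TEST_PAN
    assert toy_decrypt(proc_key, out_b) == TEST_PAN

    return {
        "legacy": mem_a.plaintext_seen(TEST_PAN),   # ['pos plaintext']
        "p2pe": mem_b.plaintext_seen(TEST_PAN),     # []
    }


if __name__ == "__main__":
    print(compare())
```

The point of recording rather than printing is that the legacy design looks fine from the outside (every network hop is encrypted) and still fails the check: the plaintext existed in the POS process even though it was overwritten a moment later. Malware that reads process memory does not care how short that moment is, which is why the practical defence is to move decryption out of the POS entirely rather than to shorten the window.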
In its Security Threat Report 2014 released in December, the software company Sophos highlighted point-of-sale systems as a growing problem. Many such systems run on Windows; starting in April 2014, no new patches will be available for Windows XP or Office 2003, the report says. “Despite industry standards that require rapid application of security patches, some of these systems are updated inconsistently, especially in smaller retail environments without sophisticated IT organizations,” the Sophos report says. Sounds prescient now, though it’s obviously not just mom-and-pop shops that are going to have problems.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.