BreachExchange mailing list archives

Worried About the Target Breach? Add This Term to Your Vocabulary


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Jan 2014 17:15:45 -0700

http://www.businessweek.com/articles/2014-01-14/worried-about-the-target-breach-add-this-term-to-your-vocabulary

When Target (TGT) announced a breach of customer data in December, tens of
millions of people who shop there had to worry that hackers had stolen
their financial information. When the company’s chief executive officer
admitted on Monday that the problem was malware in its credit-card reading
system, businesses had even more cause to worry.

From the smallest corner store to the biggest big-box retailer, pretty much
anyone selling anything has to have what’s called a “point-of-sale” system
for reading and processing customers’ credit and debit cards in our
increasingly cashless economy.

As a merchant, you’d better make sure shoppers trust that they’re not
exposing themselves to identity theft and credit-card fraud every time they
swipe. Even Target, a huge company with big bucks to spend on security,
hasn’t managed to assure such certainty.

Here’s where “RAM Scraping” comes in, and it’s not, as it might sound,
something disgusting that happens at the dentist. Broadly speaking, there
are two ways to compromise point-of-sale systems. In some cases, thieves
attach a physical device to the system to collect card data, which is
called “skimming,” according to the U.S. Computer Emergency Readiness Team
(U.S.-CERT), a cyber watchdog that’s part of the Department of Homeland
Security.

The second method is for hackers to infect the system with a malicious
program that scans for anything that looks like credit-card information as
it passes through, data that the hackers then collect remotely. Common
types of such malicious code, with names such as Dexter and Stardust,
according to U.S.-CERT, are doing the “RAM-scraping,” which refers to the
process of scanning a computer server’s system memory—RAM for “random
access memory”—for the right kind of information.

What about encryption? Well, as the tech news site Re/code puts it, think
of the data as a package being delivered with a lock on it. To see what it
contains, you have to unlock it, even if only for a fraction of a second.
That’s when the malware hits.

The Target hack highlights just how hard it is to safeguard consumer data.
Target hasn’t disclosed—if it even knows—how the malware got into the
system. It could have been just one employee clicking on an
innocent-looking but malware-infected e-mail, which then downloaded itself
to Target’s corporate network. Or maybe there were unpatched software
vulnerabilities in Target’s system.

In its Security Threat Report 2014 released in December, the software
company Sophos highlighted point-of-sale systems as a growing problem. Many
such systems run on Windows; starting in April 2014, no new patches will be
available for Windows XP or Office 2003, the report says.

“Despite industry standards that require rapid application of security
patches, some of these systems are updated inconsistently, especially in
smaller retail environments without sophisticated IT organizations,” the
Sophos report says.

Sounds prescient now, though it’s obviously not just mom-and-pop shops that
are going to have problems.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
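The article describes RAM scraping in a sentence: malware walks a POS process's memory looking for anything shaped like card data during the instant it sits decrypted. The Python below is an added example, not code from the article, Target, or US-CERT. It runs the same pattern match a scraper would, but from the defender's side: it scans a constructed memory snapshot (the `SAMPLE_MEMORY` bytes are made up; the PAN is the 4111... test number) for track-2 records and bare card numbers, confirms candidates with the Luhn mod-10 check so random digit runs are discarded, and shows that the ciphertext bytes in the same buffer produce no match. The function and constant names are the example's own.

```python
import re

# Constructed sample of a POS process-memory snapshot (not a real dump).
# The track-2 record sits in the clear for the moment between decryption
# and authorization; everything else is noise a scraper has to skip.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL-07\x00"
    b";4111111111111111=25121011234567890?"   # track-2 record, plaintext
    b"\x00order=1234567890123\x00"             # 13-digit run, fails Luhn
    b"\x00phone=2125551212\x00"                # 10 digits, too short for a PAN
    b"\x00\xa7\x13\x9e\xf0\x2c\x81\x00"        # encrypted bytes, nothing to match
)

# Track-2 layout: start sentinel ';', PAN, separator '=', YY, MM,
# discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d*)\?")
# Bare PAN candidate: 13-19 ASCII digits not adjacent to other digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used on payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only, so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return Luhn-valid card data found in buf, track-2 records first."""
    findings = []
    covered = []  # byte ranges already explained by a track-2 record
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({
                "offset": m.start(),
                "kind": "track2",
                "pan": pan,
                "expiry": m.group(3).decode() + "/" + m.group(2).decode(),
            })
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        # Skip digits that belong to a track-2 record already reported,
        # including its expiry and discretionary data.
        if any(lo <= m.start() < hi for lo, hi in covered):
            continue
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({"offset": m.start(), "kind": "pan",
                             "pan": pan, "expiry": None})
    return findings


if __name__ == "__main__":
    for f in scan_memory(SAMPLE_MEMORY):
        print(f"offset 0x{f['offset']:04x} {f['kind']:6s} "
              f"{mask_pan(f['pan'])} exp={f['expiry']}")
```

Run against a real process dump (for example, one taken with a memory-acquisition tool from a suspect terminal), the same logic tells an analyst whether cleartext card data was ever resident in that process; the scraper's job is identical, which is why the encryption point in the article holds. The Luhn step matters in practice: without it, order numbers, timestamps, and phone numbers flood the results.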

