Dark Reading is part of the Informa Tech Division of Informa PLC

Comments
Target, Neiman Marcus Malware Creators Identified
Stevemartin
User Rank: Apprentice
5/28/2014 | 7:22:44 AM
Re: Did this malware target some particular POS platform?
Good information is provided here about malware. Didn't know about the facts. Appreciable post.

http://www.vpnmag.co.uk/
Mathew
User Rank: Apprentice
1/23/2014 | 5:11:25 AM
Re: Did this malware target some particular POS platform?
That would be a strong "no." Historically, at least, Russian authorities have looked the other way, so long as hackers inside the border don't attack other Russians. The lack of an extradition treaty with the US probably seals the (no) deal.

Yet one more good reason for the IT department to be watching network traffic for any connections to Russian-based FTP servers, especially from their payment processing system.
micjustin33
User Rank: Apprentice
1/22/2014 | 9:09:17 AM
Re: Did this malware target some particular POS platform?
BlackPoS's malware developer ree4 has been identified as Shabayev, aged 23, from Russia. He has already admitted having been the mastermind behind the malware's development last year. http://www.bestvpnservice.com/blog/malware-and-its-russian-coder-behind-target-data-breach-identified
rradina
User Rank: Apprentice
1/22/2014 | 8:31:18 AM
Re: Did this malware target some particular POS platform?
Many POSs and ATMs use Windows and that's all the similarity this kind of malware needs. When a card is swiped by a pin pad, the data is sent to the POS system. Pin pads are just like any other peripheral in that they need a physical interface through which they speak to the POS. It could be USB, serial port, Ethernet or wireless. If the data is not encrypted before it's sent to the POS, the clear text information can be found in the OS interface buffer or the peripheral device driver buffer. If it's encrypted, the POS software will eventually decrypt it to create an authorization packet and forward it to the payment processor. The POS may encrypt the packet again but by that time it's too late.

At first it might seem incredible to hijack temporary data that might be actively referenced by the POS software for less than a second. However, the techniques used to allocate RAM have similarities to file systems on fixed disks. Most folks know that a deleted file doesn't mean the data it contained is truly gone. Memory use by applications can be similar. Programs are constantly allocating temporary buffers (i.e. a sequence of characters to hold credit card data) and then releasing them. Temporary buffers are just like file data -- they don't cease to exist just because they have been "released" (like a file being deleted). They might hang around in memory for a long time before that memory is needed again.

An application can be written to make it tougher for RAM-scraping malware to work by clearing the buffer before releasing it, but if the data was decrypted, this technique must be thorough. That means any code that comes into contact with the decrypted data has to overwrite sensitive data contained in buffers before releasing them. Application developers generally don't recreate existing wheels. Decryption of data is likely going to be done outside of the POS application by using some kind of library -- possibly one provided by the OS or a third party. This means careful handling of buffers would need to extend into the decryption/encryption routines.

If memory scraping malware cannot be eliminated or foiled, the only choice is to remove the POS from the authorization equation and do it in the pin pad. Modern pin pads are tiny computers. They could complete the authorization transaction on their own and only provide the POS with truncated data. POS-based memory scraping malware would disappear since it would no longer have access to valuable information. Most POS systems allow the cashier to enter the credit card when the mag-stripe is damaged but this would represent a far smaller cache of data and may not be a large enough target for thieves.

Of course criminals adapt and if the POS no longer contains valuable information, they'll move their assault to the pin pad. Some pin pads are designed to self-destruct if they are opened. Obviously the inventive criminal might be able to drill a hole in the case like crooks did with a recent ATM attack. However, physical access to thousands of devices now becomes a formidable barrier and I suspect there could be additional tamper prevention techniques employed to thwart holes being drilled (i.e. a plastic bag embedded with a fine coated-wire conductive loop mesh that surrounds the pin pad circuit board. The loop could be connected to the pin pad and, like the classic window security foil, if the conductive loop is broken, the device self-destructs. They could also dip the entire circuit board in something that dries rock hard, is opaque and impervious to solvents. Attempts to access the circuit board destroy it.)
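As an added illustration of rradina's point about clearing a buffer before it is released (example code written for this thread, not taken from the article, any commenter, or any POS vendor; the `handle_swipe` function, the `wipe` flag and the Track 2 string are constructed for the demo, using the well-known 4111... test PAN rather than real card data): the key detail is that a plain memset() right before a buffer is released is a dead store the compiler may remove, so the wipe has to go through a volatile pointer or a platform wipe routine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe that survives optimization.  A memset() right before a buffer is
 * released is a dead store the compiler is free to drop; writing through a
 * volatile pointer forces every byte to actually be zeroed. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* True if every byte of buf is zero (used to verify that a wipe happened). */
bool buffer_is_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* True if needle occurs anywhere in the first hay_len bytes of hay.
 * strstr() is avoided because the scratch buffer may contain zero bytes. */
bool buffer_contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > hay_len)
        return false;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return true;
    return false;
}

/* Simulated POS step (hypothetical, not any vendor's code).  `track` stands
 * in for decrypted Track 2 data: PAN, '=', expiry and service code.  It is
 * copied into the caller's `scratch` buffer the way a decrypt routine leaves
 * plaintext in a work buffer, the last four PAN digits are copied out for
 * the receipt, and the plaintext is cleared before returning when `wipe` is
 * true.  Returns the PAN length, or 0 on malformed input or a buffer that is
 * too small (the buffer is always wiped on those error paths). */
size_t handle_swipe(const char *track, unsigned char *scratch, size_t scratch_len,
                    char last4[5], bool wipe)
{
    size_t track_len = strlen(track);
    if (track_len > scratch_len)
        return 0;

    memcpy(scratch, track, track_len);      /* plaintext now resides in RAM */

    const unsigned char *sep = memchr(scratch, '=', track_len);
    size_t pan_len = sep ? (size_t)(sep - scratch) : 0;
    if (pan_len < 4) {
        secure_wipe(scratch, track_len);
        return 0;
    }

    memcpy(last4, scratch + pan_len - 4, 4);
    last4[4] = '\0';

    if (wipe)
        secure_wipe(scratch, track_len);    /* the step the comment asks for */
    return pan_len;
}

int main(void)
{
    /* Constructed sample using the 4111... test PAN; not real card data. */
    const char *track = "4111111111111111=25121011000012345";
    unsigned char scratch[64];
    char last4[5];

    memset(scratch, 0, sizeof scratch);
    handle_swipe(track, scratch, sizeof scratch, last4, false);
    printf("without wipe: last4=%s, PAN still in scratch: %s\n", last4,
           buffer_contains(scratch, sizeof scratch, "4111111111111111") ? "yes" : "no");

    memset(scratch, 0, sizeof scratch);
    handle_swipe(track, scratch, sizeof scratch, last4, true);
    printf("with wipe:    last4=%s, PAN still in scratch: %s\n", last4,
           buffer_contains(scratch, sizeof scratch, "4111111111111111") ? "yes" : "no");
    return 0;
}
```

Where the platform provides one, explicit_bzero() (glibc, the BSDs) or memset_s() (C11 Annex K) does the same job as the volatile loop above. As the comment notes, the discipline only helps if it is applied everywhere the plaintext passes, including inside whatever decryption library the POS application calls, not just in the application's own buffers.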
MarkSitkowski
User Rank: Moderator
1/21/2014 | 8:51:06 PM
Can it Happen Again?
The real worry is that other retailers using the same POS terminals will be attacked next.

Isn't it time to look for a solution, before this happens?

For instance, why do you have to give your credit card details to the retailer, to pass to the credit card company? Obviously, so they can know who you are, and that it's really your card. Okay, then, why not use an authentication system based on your ID, instead? Then, the credit card need only contain your user ID, which they could check and tie in with the card details, which they already know. That way, the retailer would have nothing worth stealing. Of course, the authentication system would need to be fraud-proof, and I believe there's a description of such a system at www.designsim.com.au/What_is_SteelPlatez.ppsx.

I guess the other benefit of doing something like this is that the credit card companies wouldn't have the expense of changing to EMV cards, or resorting to something unpleasant, like biometrics.
Marilyn Cohodas
User Rank: Strategist
1/21/2014 | 4:39:10 PM
Re: Did this malware target some particular POS platform?
I'm more interested in finding out whether retailers in the U.S. will be more proactive about moving to a smart-card system, which is much harder to hack than our current magnetic stripe cards. The WSJ reported yesterday that Target 10 years ago halted the rollout of a chip-based payment system because execs in store operations and merchandising "worried that the technology slowed checkout speeds and didn't offer enough marketing benefits."

Hindsight is always 20-20, isn't it?
Thomas Claburn
User Rank: Ninja
1/21/2014 | 4:09:47 PM
Re: Did this malware target some particular POS platform?
Are Russian authorities likely to do anything about this guy?
David F. Carr
User Rank: Strategist
1/21/2014 | 12:41:12 PM
Did this malware target some particular POS platform?
Do we know whether this malware was targeted at a specific POS platform? Or are POS systems so similar, regardless of who makes them, that the software was able to target a range of environments?