
Comments
Target, Neiman Marcus Malware Creators Identified
Stevemartin,
User Rank: Apprentice
5/28/2014 | 7:22:44 AM
Re: Did this malware target some particular POS platform?
There is good information provided here about malware. Didn't know about these facts. Appreciable post.

http://www.vpnmag.co.uk/
Mathew,
User Rank: Apprentice
1/23/2014 | 5:11:25 AM
Re: Did this malware target some particular POS platform?
That would be a strong "no." Historically, at least, Russian authorities have looked the other way, so long as hackers inside the border don't attack other Russians. The lack of an extradition treaty with the US probably seals the (no) deal. 

Yet one more good reason for the IT department to be watching network traffic for any connections to Russian-based FTP servers. Especially from their payment processing system. 
micjustin33,
User Rank: Apprentice
1/22/2014 | 9:09:17 AM
Re: Did this malware target some particular POS platform?
BlackPoS's malware developer ree4 has been identified as Shabayev, aged 23, from Russia. He has already admitted having been the mastermind behind the malware's development last year. http://www.bestvpnservice.com/blog/malware-and-its-russian-coder-behind-target-data-breach-identified
rradina,
User Rank: Apprentice
1/22/2014 | 8:31:18 AM
Re: Did this malware target some particular POS platform?
Many POSs and ATMs use Windows and that's all the similarity this kind of malware needs. When a card is swiped by a pin pad, the data is sent to the POS system. Pin pads are just like any other peripheral in that they need a physical interface through which they speak to the POS. It could be USB, serial port, Ethernet or wireless. If the data is not encrypted before it's sent to the POS, the clear text information can be found in the OS interface buffer or the peripheral device driver buffer. If it's encrypted, the POS software will eventually decrypt it to create an authorization packet and forward it to the payment processor. The POS may encrypt the packet again but by that time it's too late.

At first it might seem incredible to hijack temporary data that might be actively referenced by the POS software for less than a second. However, the techniques used to allocate RAM have similarities to file systems on fixed disks. Most folks know that a deleted file doesn't mean the data it contained is truly gone. Memory use by applications can be similar. Programs are constantly allocating temporary buffers (i.e. a sequence of characters to hold credit card data) and then releasing them. Temporary buffers are just like file data -- it doesn't cease to exist just because it has been "released" (like a file being deleted). It might hang around in memory for a long time before that memory is needed again.

An application can be written to make it tougher for RAM-scraping malware to work by clearing the buffer before releasing it, but if the data was decrypted, this technique must be thorough. That means any code that comes into contact with the decrypted data has to overwrite sensitive data contained in buffers before releasing them. Application developers generally don't recreate existing wheels. Decryption of data is likely going to be done outside of the POS application by using some kind of library -- possibly one provided by the OS or a third party. This means careful handling of buffers would need to extend into the decryption/encryption routines.

If memory scraping malware cannot be eliminated or foiled, the only choice is to remove the POS from the authorization equation and do it in the pin pad.  Modern pin pads are tiny computers.  They could complete the authorization transaction on their own and only provide the POS with truncated data.  POS-based memory scraping malware would disappear since it would no longer have access to valuable information.  Most POS systems allow the cashier to enter the credit card when the mag-stripe is damaged but this would represent a far smaller cache of data and may not be a large enough target for thieves.

Of course criminals adapt and if the POS no longer contains valuable information, they'll move their assault to the pin pad. Some pin pads are designed to self-destruct if they are opened. Obviously the inventive criminal might be able to drill a hole in the case like crooks did with a recent ATM attack. However, physical access to thousands of devices now becomes a formidable barrier and I suspect there could be additional tamper prevention techniques employed to thwart holes being drilled (i.e., a plastic bag embedded with a fine coated-wire conductive loop mesh that surrounds the pin pad circuit board. The loop could be connected to the pin pad and, like the classic window security foil, if the conductive loop is broken, the device self-destructs. They could also dip the entire circuit board in something that dries rock hard, is opaque and impervious to solvents. Attempts to access the circuit board destroy it.)
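The buffer-clearing mitigation rradina describes, as an added example that is not code from this thread: a constructed, non-real track record is "decrypted" into a work buffer, only the last four digits are retained for the receipt, and the work buffer is wiped before release through a volatile function pointer so the compiler cannot drop the clearing as a dead store. The sample record and all function names are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Constructed, non-real track-style record (PAN '=' expiry/service code). */
static const char SAMPLE_TRACK[] = "4111111111111111=2512101";

/* A plain memset() on memory that is never read again is a dead store that an
   optimizing compiler may remove; calling memset through a volatile function
   pointer forces the write to happen. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len) { wipe_fn(buf, 0, len); }

/* Stand-in for the decryption library: places the cleartext record in the
   caller's work buffer. Returns bytes written (excluding NUL), 0 on error. */
static size_t decrypt_into(char *work, size_t worklen) {
    size_t n = sizeof(SAMPLE_TRACK) - 1;
    if (n + 1 > worklen) return 0;
    memcpy(work, SAMPLE_TRACK, n + 1);
    return n;
}

/* Count ASCII digits left in a buffer: a crude measure of the residue that
   remains for a scraper to find after the buffer has been "released". */
size_t digits_left(const char *buf, size_t len) {
    size_t c = 0;
    for (size_t i = 0; i < len; i++)
        if (isdigit((unsigned char)buf[i])) c++;
    return c;
}

/* Process one swipe: decrypt, keep the last four PAN digits for the receipt,
   then wipe the work buffer. `wipe` toggles the mitigation so the residue of
   the careless path can be compared against the cleared one. */
size_t process_swipe(char *work, size_t worklen, char last4[5], int wipe) {
    size_t n = decrypt_into(work, worklen);
    if (n == 0) return 0;
    const char *sep = memchr(work, '=', n);
    size_t panlen = sep ? (size_t)(sep - work) : n;
    if (panlen < 4) { secure_wipe(work, worklen); return 0; }
    memcpy(last4, work + panlen - 4, 4);
    last4[4] = '\0';
    if (wipe) secure_wipe(work, worklen);   /* clear before release */
    return n;
}
```

The same discipline has to be applied inside whatever library performed the decryption, since its own intermediate buffers hold the same cleartext.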
MarkSitkowski,
User Rank: Moderator
1/21/2014 | 8:51:06 PM
Can it Happen Again?
The real worry is that other retailers, using the same POS terminals will be attacked next.

Isn't it time to look for a solution, before this happens?

For instance, why do you have to give your credit card details to the retailer, to pass to the credit card company? Obviously, so they can know who you are, and that it's really your card. Okay, then, why not use an authentication system based on your ID, instead? Then, the credit card need only contain your user ID, which they could check, and tie in with the card details, which they already know. That way, the retailer would have nothing worth stealing. Of course, the authentication system would need to be fraud-proof, and I believe there's a description of such a system at www.designsim.com.au/What_is_SteelPlatez.ppsx.

I guess the other benefit of doing something like this is that the credit card companies wouldn't have the expense of changing to EMV cards, or resorting to something unpleasant, like biometrics.
Marilyn Cohodas,
User Rank: Strategist
1/21/2014 | 4:39:10 PM
Re: Did this malware target some particular POS platform?
I'm more interested in finding out whether retailers in the U.S. will be more proactive about moving to a smart-card system, which is much harder to hack than our current magnetic stripe cards. The WSJ reported yesterday that Target 10 years ago halted the rollout of a chip-based payment system because execs in store operations and merchandising "worried that the technology slowed checkout speeds and didn't offer enough marketing benefits."

Hindsight is always 20-20, isn't it?

Thomas Claburn,
User Rank: Ninja
1/21/2014 | 4:09:47 PM
Re: Did this malware target some particular POS platform?
Are Russian authorities likely to do anything about this guy?
David F. Carr,
User Rank: Strategist
1/21/2014 | 12:41:12 PM
Did this malware target some particular POS platform?
Do we know whether this malware was targeted at a specific POS platform? Or are POS systems so similar, regardless of who makes them, that the software was able to target a range of environments?